Microsoft warns users of 'Crypto Clipper' malware spread via USB drives
Microsoft warns of a Windows crypto-clipper that has been spreading through USB drives since February. It steals clipboard data to capture wallet credentials, takes screenshots, and swaps copied wallet addresses with attacker-controlled ones for Bitcoin, Tron, and Monero. It also hides the real files on a drive and plants lookalike shortcuts so users run the malware unknowingly, while a worm component self-propagates to removable drives. The malware is more than a clipper: it acts as a backdoor that accepts remote code execution, creating a lasting foothold for follow-on attacks such as ransomware. It drops obfuscated JavaScript payloads, installs Tor under a disguised filename, and uses onion services for command-and-control to avoid exposed infrastructure. It targets high-value artifacts such as BIP39 seed phrases and Bitcoin/Ethereum private keys. Microsoft Defender detects it as Trojan:Win32/CryptoBandits.A. Recommended mitigations include disabling USB autoplay, blocking .lnk execution from removable media, and monitoring for proxy and script activity.
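The hide-the-originals-and-plant-shortcuts lure described above leaves a recognisable pattern on the drive itself: a hidden file or folder next to a visible .lnk that carries the same displayed name. The following triage script, added here as an example and not taken from the Microsoft advisory or from this summary, scans a drive root for that pattern so a helpdesk or IR analyst can check a suspect USB stick before anyone clicks on it. The `Entry` model, the matching rules, the `drive_verdict` fields and the constructed `SAMPLE_ENTRIES` listing are this example's own assumptions; on non-Windows hosts, where the Win32 hidden attribute does not exist, a leading dot stands in for it. It complements, rather than replaces, the mitigations the summary lists (autoplay disabled, .lnk execution blocked from removable media).

```python
"""Heuristic triage of a removable drive's top-level listing for the
hide-the-original-and-plant-a-shortcut lure. Added example: the Entry
model, matching rules and verdict fields are this example's own and are
not Microsoft's detection logic."""
import os
import sys
from dataclasses import dataclass

FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute bit reported in st_file_attributes


@dataclass(frozen=True)
class Entry:
    name: str      # file or folder name as it appears on the drive
    hidden: bool   # hidden attribute set (or dot-prefixed on non-Windows hosts)
    is_dir: bool


def list_drive_root(path):
    """Build Entry objects for the top level of `path`. On Windows the hidden
    flag comes from st_file_attributes; elsewhere a leading dot stands in."""
    entries = []
    with os.scandir(path) as it:
        for de in it:
            attrs = getattr(de.stat(follow_symlinks=False), "st_file_attributes", 0)
            hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN) or de.name.startswith(".")
            entries.append(Entry(de.name, hidden, de.is_dir(follow_symlinks=False)))
    return entries


def _display_name(shortcut_name):
    """What Explorer shows for a .lnk when extensions are hidden: drop '.lnk'."""
    return shortcut_name[:-4]


def _stem(name):
    """Name without its last extension ('report.docx' -> 'report')."""
    base, _ext = os.path.splitext(name)
    return base or name


def find_lookalike_shortcuts(entries):
    """Pair each visible .lnk with hidden siblings whose full name or stem equals
    the shortcut's displayed name (case-insensitive).
    Returns (shortcut_name, hidden_target_name) tuples in listing order."""
    hidden = [e for e in entries if e.hidden]
    hits = []
    for e in entries:
        if e.hidden or not e.name.lower().endswith(".lnk"):
            continue
        shown = _display_name(e.name).lower()
        for h in hidden:
            if h.name.lower() == shown or _stem(h.name).lower() == shown:
                hits.append((e.name, h.name))
    return hits


def drive_verdict(entries):
    """Summarise the listing. `suspicious` is True when a lookalike pair exists
    or when every visible item is a shortcut (nothing real left to open)."""
    visible = [e for e in entries if not e.hidden]
    shortcuts = [e for e in visible if e.name.lower().endswith(".lnk")]
    pairs = find_lookalike_shortcuts(entries)
    only_shortcuts = bool(visible) and len(shortcuts) == len(visible)
    return {
        "lookalike_pairs": pairs,
        "visible_shortcuts": len(shortcuts),
        "hidden_items": len(entries) - len(visible),
        "only_shortcuts_visible": only_shortcuts,
        "suspicious": bool(pairs) or only_shortcuts,
    }


# Constructed sample listing standing in for the root of a lured drive.
SAMPLE_ENTRIES = [
    Entry("Photos", hidden=True, is_dir=True),
    Entry("Photos.lnk", hidden=False, is_dir=False),
    Entry("report.docx", hidden=True, is_dir=False),
    Entry("report.docx.lnk", hidden=False, is_dir=False),
    Entry("System Volume Information", hidden=True, is_dir=True),
    Entry("Notes.txt", hidden=False, is_dir=False),
]

if __name__ == "__main__":
    # Pass a drive root (e.g. E:\) to scan it; with no argument the sample runs.
    listing = list_drive_root(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    verdict = drive_verdict(listing)
    for shortcut, target in verdict["lookalike_pairs"]:
        print(f"lookalike: {shortcut} shadows hidden {target}")
    print("suspicious" if verdict["suspicious"] else "nothing flagged")
```

The script only reads directory metadata and never resolves or opens the shortcuts, so it is safe to run against a suspect drive from a host with autoplay disabled. A hit is a cue to image the drive and look for the dropped script and Tor components rather than to "clean" it in place.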
