Microsoft Threat Intelligence on June 19 warned crypto holders about a new malware strain called Crypto Clipper. It spreads through USB drives and silently replaces copied wallet addresses with ones controlled by attackers. The threat goes beyond direct theft. The malware also installs a backdoor that lets attackers run arbitrary code on infected machines at any time.
How the virus gets onto a machine
The malware has been active since at least February 2026. Spreading via USB sets it apart from typical browser or email-based loaders. The virus hides real files on a flash drive and replaces them with shortcut lookalikes. A victim opens what looks like a normal document or folder, unknowingly launching the malicious code.
Two components deploy at the same time. The worm copies itself to any new USB device connected to the infected machine, turning every new drive into a carrier. The stealer handles data theft. Two obfuscated JavaScript payloads land in the Windows Documents folder, and scheduled tasks run them on every system boot. No traditional installer is needed, and no known IP addresses appear in network traffic, which makes detection harder.
Microsoft researchers noted that the malware does not rely on classic IP-based infrastructure. Antivirus signatures built around conventional loader behavior may miss it entirely. Keeping signature databases current is the only reliable automated line of defense.
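As an added illustration (not code from Microsoft's alert or from this article), the following Python performs two behavioural checks for the traces the paragraphs above describe: shortcut files on a removable drive that stand in for hidden originals, and scheduled tasks that launch a script host on a script under a user's Documents folder at boot or logon. The drive listing and the two Task Scheduler XML definitions are constructed samples, and every function name is this example's own.

```python
"""Host-side checks for the USB shortcut trick and the scheduled-task persistence
described above. Constructed sample data; helper names are this example's own."""
import json
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace used by Task Scheduler XML (schtasks /XML, Export-ScheduledTask).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT_RE = re.compile(r'''\.(js|jse|vbs|vbe|wsf)(?=[\s"']|$)''', re.IGNORECASE)
STARTUP_TRIGGERS = {"BootTrigger", "LogonTrigger"}


def find_shortcut_lookalikes(entries):
    """entries: (name, is_hidden) pairs from a directory listing of a removable drive.
    A .lnk whose stem equals the name of a hidden file or folder on the same drive is
    a shortcut standing in for that item (Explorer shows "Report.docx.lnk" as
    "Report.docx" when extensions are hidden)."""
    hidden = {name.lower() for name, is_hidden in entries if is_hidden}
    return [name for name, _ in entries
            if name.lower().endswith(".lnk") and name[:-4].lower() in hidden]


def suspicious_script_tasks(task_xml: str):
    """Parse one Task Scheduler XML definition and return findings for actions that
    run a script host, or a script file, from a user's Documents folder."""
    root = ET.fromstring(task_xml)
    name = root.findtext("t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=TASK_NS)
    triggers = root.find("t:Triggers", TASK_NS)
    starts_at_boot = triggers is not None and any(
        t.tag.rsplit("}", 1)[-1] in STARTUP_TRIGGERS for t in triggers)
    findings = []
    for action in root.iterfind("t:Actions/t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        exe = PureWindowsPath(command).name.lower()
        runs_script = (exe in SCRIPT_HOSTS or SCRIPT_EXT_RE.search(command)
                       or SCRIPT_EXT_RE.search(args))
        in_documents = "\\documents\\" in f"{command} {args}".lower()
        if runs_script and in_documents:
            reasons = ["script execution from a user's Documents folder"]
            if starts_at_boot:
                reasons.append("fires at boot or logon")
            findings.append({"task": name, "command": command,
                             "arguments": args, "reasons": reasons})
    return findings


# Constructed listing of a USB drive after the hide-and-replace trick.
USB_LISTING = [("Invoices", True), ("Invoices.lnk", False), ("Report.docx", True),
               ("Report.docx.lnk", False), ("readme.txt", False), ("Tools.lnk", False)]

# Constructed task resembling the persistence described above (user "alice" is made up).
MALICIOUS_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\WindowsUpdateCheck</URI></RegistrationInfo>
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "C:\\Users\\alice\\Documents\\svc.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: an installed program on a calendar trigger.
BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Vendor\\NightlyBackup</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2026-01-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\\Program Files\\Backup\\backup.exe"</Command><Arguments>--quiet</Arguments></Exec>
  </Actions>
</Task>"""


def run_checks():
    """Run both heuristics over the constructed samples."""
    return {
        "lookalikes": find_shortcut_lookalikes(USB_LISTING),
        "tasks": [f for xml in (MALICIOUS_TASK, BENIGN_TASK)
                  for f in suspicious_script_tasks(xml)],
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

On a live system the inputs would come from a listing of the removable drive (hidden attribute included) and from exporting each registered task to XML; the heuristics themselves do not change.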
What the malware actually steals
Crypto Clipper targets several types of financial data from the clipboard:
- BIP39 mnemonic phrases: sets of 12 or 24 words used to recover a wallet (enough to access all funds on any device).
- Private keys for Bitcoin and Ethereum.
- Wallet addresses for Bitcoin, Tron, and Monero: the malware replaces them in real time with attacker-controlled ones.
- Screenshots every 10 seconds to gather additional context.
The address substitution is particularly insidious. A person sees an address in the recipient field with no reason to suspect the malware has already changed it. Only carefully checking each character before and after pasting reveals the swap. One second of attention saves every cent.
Tor instead of open servers
The virus quietly installs a Tor client renamed to ugate.exe to disguise it as a system process. Through the Tor network, malware operators connect to .onion addresses and send commands remotely. No open IP addresses are exposed, so conventional network blocking does not apply.
"The combination of Tor-routed C2, clipboard targeting, screenshot capture and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices."
- Microsoft Threat Intelligence, alert from June 19, 2026
With that backdoor in place, attackers can push and run ransomware or any other payload at any time. An initial crypto theft becomes a foothold for a much larger attack.
How to stay protected
Microsoft recommends three steps for Windows systems: disable autoplay on removable media, block execution of .lnk files from USB drives, and monitor for unusual proxy activity and spawned scripts. Microsoft Defender detects the threat as Trojan:Win32/CryptoBandits.A and stops it as long as signatures are up to date.
For crypto holders, the rule is simpler. Always compare the first and last 6-8 characters of an address after pasting. Do not rush through the confirmation screen. For larger amounts, a hardware wallet like Ledger shows the destination address on its own secure screen, which a swap of the PC's clipboard cannot reach, so confirming the address there catches the substitution.
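The post-paste check described above (and the address substitution from the list of targets), as an added Python example that is not code from the article or from Microsoft: it compares the pasted address with the intended one in full, records the first/last-8 spot check a user makes by eye, and for Bitcoin and Tron also verifies the address checksum so that a corrupted paste is caught as well. The Bitcoin genesis-block address serves as the public sample of a "real" address; the substituted address is constructed on the spot; helper names are this example's own. Monero addresses get a format check only, since their checksum uses Keccak, which Python's hashlib does not provide.

```python
"""Verify what actually landed in the recipient field after a paste.
Added example with constructed values; helper names are this example's own."""
import hashlib

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def _dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(payload: bytes) -> str:
    """Base58Check (Bitcoin legacy, Tron): payload || first 4 bytes of double-SHA256."""
    raw = payload + _dsha256(payload)[:4]
    num, out = int.from_bytes(raw, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = B58_ALPHABET[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def base58check_decode(addr: str) -> bytes:
    """Inverse of base58check_encode; raises ValueError on bad characters or checksum."""
    num = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            raise ValueError(f"invalid Base58 character {ch!r}")
        num = num * 58 + B58_ALPHABET.index(ch)
    body = num.to_bytes((num.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(raw) < 5 or raw[-4:] != _dsha256(raw[:-4])[:4]:
        raise ValueError("Base58Check checksum mismatch")
    return raw[:-4]


def bech32_checksum_constant(addr: str):
    """BIP173/BIP350 checksum: returns 1 (bech32) or 0x2bc830a3 (bech32m), else None."""
    if addr != addr.lower() and addr != addr.upper():
        return None                      # mixed case is invalid
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return None
    hrp, data = addr[:pos], addr[pos + 1:]
    if any(c not in BECH32_CHARSET for c in data):
        return None
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    values += [BECH32_CHARSET.index(c) for c in data]
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk if chk in (1, 0x2BC830A3) else None


def check_address(addr: str) -> dict:
    """Classify an address by chain and, where hashlib allows, verify its checksum.
    'valid' is None when only the format could be checked."""
    a = addr.strip()
    if a.lower().startswith("bc1"):
        return {"chain": "bitcoin", "valid": bech32_checksum_constant(a) is not None}
    if a and a[0] in "13":
        try:
            payload = base58check_decode(a)
            ok = len(payload) == 21 and payload[0] in (0x00, 0x05)
        except ValueError:
            ok = False
        return {"chain": "bitcoin", "valid": ok}
    if a and a[0] == "T":
        try:
            payload = base58check_decode(a)
            ok = len(payload) == 21 and payload[0] == 0x41
        except ValueError:
            ok = False
        return {"chain": "tron", "valid": ok}
    if a and a[0] in "48" and len(a) in (95, 106):
        return {"chain": "monero", "valid": None}   # format only (needs Keccak)
    return {"chain": "unknown", "valid": False}


def verify_paste(intended: str, pasted: str) -> dict:
    """Full comparison plus the first/last-8 spot check and an encoding check."""
    i, p = intended.strip(), pasted.strip()
    return {"identical": i == p,
            "ends_match": i[:8] == p[:8] and i[-8:] == p[-8:],
            "pasted_valid": check_address(p)["valid"]}


# Public Bitcoin genesis-block address, standing in for the address the user copied.
INTENDED = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
# Constructed, well-formed stand-in for an attacker-controlled address.
SWAPPED = base58check_encode(b"\x00" + bytes(20))


def demo() -> dict:
    """What a clipboard swap looks like to the check: well-formed, but not the address."""
    return verify_paste(INTENDED, SWAPPED)
```

The point the demo makes is that a swapped-in address passes every encoding check, since the attacker controls a real wallet; only comparing against what you meant to paste reveals the swap, which is why the character-by-character check matters even when the wallet software accepts the address.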
Why attackers are moving from phishing to USB
Crypto Clipper is not an isolated case. 2026 has brought a wave of new Windows-based crypto stealers. Earlier this month, the Foresiet Threat Intel team identified Lucid Stealer, targeting browser extensions and crypto wallets. In May, TrapDoor embedded itself in npm and PyPI packages, going after developers.
The common thread across these attacks is using trusted channels instead of phishing emails. A colleague hands over a USB drive, or a stranger leaves one on a cafe table. A developer installs an npm package themselves. A user adds a browser extension. Antivirus tools have learned to catch suspicious emails, so attackers move to places where defenses are still thin. Check the address before every transfer. Five seconds is all it takes.