Microsoft Identifies New USB-Borne Malware Targeting Cryptocurrency Credentials
Microsoft has identified a new self-propagating malware strain, dubbed Crypto Clipper, that spreads via USB drives and steals cryptocurrency wallet details, according to a company report released Thursday. The malware monitors device clipboards for wallet addresses or seed phrases and sends stolen data to attacker-controlled servers through the Tor network.
How Does Crypto Clipper Spread?
Crypto Clipper propagates through .lnk files on infected USB drives, which execute code when plugged into a target device. The malware checks if it is already installed on the machine; if not, it downloads itself via a Tor proxy, Microsoft confirmed. To evade detection, the worm renames .lnk files on the USB drive to mimic legitimate files, according to the report.
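For defenders triaging a removable drive, the check below is an added example, not code from Microsoft's report. It lists `.lnk` files in a drive root and flags those that mimic other files. The three heuristics (double extension, same name as a real item on the drive, embedded command-line arguments) are assumptions chosen for illustration, and the sample drive contents are constructed.

```python
import os
import struct
import tempfile

# Shell Link header per MS-SHLLINK: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
HAS_ARGUMENTS = 0x20  # LinkFlags bit: shortcut passes a command line to its target

def inspect_lnk(path, siblings):
    """Return a list of reasons this shortcut deserves a closer look."""
    with open(path, "rb") as fh:
        header = fh.read(0x4C)
    if len(header) < 0x4C or header[:20] != LNK_MAGIC:
        return ["not a valid shell link despite the .lnk extension"]
    reasons = []
    stem = os.path.basename(path)[:-4]  # name Explorer shows (".lnk" is hidden)
    if os.path.splitext(stem)[1]:
        reasons.append("double extension: displays as '%s'" % stem)
    if stem.lower() in siblings:
        reasons.append("shadows a real item named '%s'" % stem)
    flags = struct.unpack_from("<I", header, 20)[0]  # LinkFlags field at offset 20
    if flags & HAS_ARGUMENTS:
        reasons.append("carries command-line arguments")
    return reasons

def scan_drive(root):
    """Map each .lnk in the drive root to its findings (root only, no recursion)."""
    names = os.listdir(root)
    siblings = {n.lower() for n in names if not n.lower().endswith(".lnk")}
    findings = {}
    for name in sorted(names):
        if name.lower().endswith(".lnk"):
            reasons = inspect_lnk(os.path.join(root, name), siblings)
            if reasons:
                findings[name] = reasons
    return findings

def build_sample(root):
    """Constructed sample drive: one real document, one mimic, one plain shortcut."""
    def lnk(flags):
        return LNK_MAGIC + struct.pack("<I", flags) + bytes(0x4C - 24)
    files = {"Budget.xlsx": b"constructed", "Budget.xlsx.lnk": lnk(0x21), "Tools.lnk": lnk(0x01)}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drive:
        build_sample(drive)
        for name, reasons in scan_drive(drive).items():
            print(name, "->", "; ".join(reasons))
```

A flagged shortcut is a lead for manual inspection, not a verdict: ordinary shortcuts can also carry arguments or dotted names.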
What Makes This Malware Unique?
Unlike traditional malware, Crypto Clipper does not rely on a conventional installer or direct C2 (command-and-control) infrastructure. Instead, it deploys a portable Tor client and uses a SOCKS5 proxy to route traffic, enabling anonymous communication with attackers. The malware also takes five screenshots over 10 seconds when it detects cryptocurrency-related data, Microsoft said.
Why Is This Malware Concerning?
The threat lies in its ability to function as a lightweight backdoor, allowing attackers to execute remote code while stealing sensitive data. Microsoft described it as a “financially motivated stealer” that combines data theft with remote access capabilities. The use of Tor and SOCKS5 proxies complicates tracking, as they obscure the attacker’s IP address.
What Steps Can Users Take to Protect Themselves?
Experts recommend avoiding untrusted USB drives and enabling device encryption. Microsoft advises users to keep systems updated with the latest security patches and to use antivirus software that detects anomalous behavior. Organizations should implement strict policies for handling external storage devices, according to cybersecurity firm CrowdStrike.
How Does This Fit Into Broader Cybersecurity Trends?
Crypto Clipper aligns with a growing trend of malware targeting cryptocurrency users, a $2 trillion market. In 2023, similar threats like the LokiBot malware compromised over 100,000 devices, according to a report by Kaspersky Lab. The rise of such attacks underscores the need for robust security measures in decentralized finance (DeFi) ecosystems.
Microsoft’s discovery highlights the evolving tactics of cybercriminals, who increasingly exploit hardware vulnerabilities and anonymity tools to bypass traditional defenses. As cryptocurrency adoption grows, so too does the sophistication of threats targeting digital assets.