Microsoft Finds USB Worm Hijacking Crypto Wallet Transfers
TLDR
- Microsoft identified new USB-based malware targeting crypto wallets on Windows systems.
- The malware, tracked as Trojan:Win32/CryptoBandits, spreads via USB drives using malicious “.lnk” shortcut files.
- Once executed, it installs a worm that runs continuously on the infected device.
- The worm monitors clipboard activity every 500 milliseconds to capture sensitive crypto data.
- It steals seed phrases and private keys for Bitcoin and Ethereum wallets.
Microsoft has identified new malware that spreads through USB drives and targets crypto wallet data on Windows systems. The threat uses shortcut files to install a worm that steals sensitive information. The company confirmed the malware captures wallet keys and redirects transactions without user awareness.
Microsoft Tracks USB Worm Targeting Crypto Wallets
Microsoft reported that the malware operates as a crypto clipper and spreads through infected USB drives. It uses malicious shortcut files with “.lnk” extensions to execute hidden commands when opened. Once triggered, the malware installs a worm that runs continuously on the infected system.
The worm performs two parallel actions after installation on Windows devices: it executes the wallet-stealing code while preparing to infect any USB drive connected later. Microsoft Defender Antivirus detects the malware as Trojan:Win32/CryptoBandits.
The infection begins when a user opens a disguised shortcut file on a USB drive. The shortcut loads hidden scripts that install the worm silently, so the malware stays active without showing any visible warning.
Malware Captures Wallet Keys and Alters Transactions
The malware polls the clipboard every 500 milliseconds to capture sensitive crypto data. It detects copied seed phrases or private keys linked to Bitcoin or Ethereum wallets. Once captured, the malware sends the data to attacker-controlled servers over the Tor network.
The worm also captures screenshots at ten-second intervals to gather further information, sending them five images at a time along with the clipboard data. This lets attackers follow the user's actions and extract wallet details.
The threat goes beyond data theft by tampering with transactions in flight. When a user copies a wallet address, the malware replaces it in the clipboard with an attacker-controlled address, so the funds are redirected unless the user compares the pasted address character by character with the intended one before sending; nothing else visibly changes.
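To make the clipper behaviour concrete, here is an added Python example (written for this page; it is not Microsoft's code and not the malware's) that models one 500 ms poll of a clipper and the check a wallet front end or browser extension could run before signing. The address patterns follow the standard Bitcoin (Base58 and Bech32) and Ethereum address formats; the attacker addresses are constructed from fixed bytes and the clipboard text is made up. The example also implements Base58Check validation for legacy Bitcoin addresses to show why validation alone cannot catch a swap: the substituted address is perfectly well-formed, and the only reliable signal is that the pasted text differs from what was copied.

```python
import hashlib
import re

# Patterns a clipper uses to recognise addresses in clipboard text. Character sets
# and lengths follow the Bitcoin Base58 / Bech32 and Ethereum hex address formats.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{39,59}\b", re.I),
    "eth":        re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58[rem] + digits
    leading = len(raw) - len(raw.lstrip(b"\x00"))  # each leading zero byte is a '1'
    return "1" * leading + digits


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # raises ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading + body


def b58check_encode(payload: bytes) -> str:
    chk = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + chk)


def is_valid_legacy_btc(addr: str) -> bool:
    """Base58Check: version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):  # P2PKH ('1...') or P2SH ('3...')
        return False
    chk = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return raw[21:] == chk


# Constructed attacker addresses for the demonstration (derived from fixed bytes,
# not real wallets). The Bitcoin one is a fully valid Base58Check address.
ATTACKER_ADDRESSES = {
    "btc_legacy": b58check_encode(b"\x00" + b"\x11" * 20),
    "eth": "0x" + "ab" * 20,
}


def clipper_poll(clipboard_text: str, attacker: dict = ATTACKER_ADDRESSES):
    """What the clipper does on each 500 ms poll: every recognised address is swapped
    for the attacker's address of the same kind. Returns (new clipboard text, swapped?)."""
    out, swapped = clipboard_text, False
    for kind, pattern in ADDRESS_PATTERNS.items():
        if kind in attacker:
            out, n = pattern.subn(attacker[kind], out)
            swapped = swapped or n > 0
    return out, swapped


def paste_guard(copied: str, pasted: str) -> list:
    """Defender-side check before a transaction is signed. Checksum validation is
    included to show it is not enough: the attacker's address passes it. The
    reliable signal is that the pasted text differs from what the user copied."""
    problems = []
    if copied != pasted:
        problems.append("clipboard content changed between copy and paste")
    for addr in ADDRESS_PATTERNS["btc_legacy"].findall(pasted):
        if not is_valid_legacy_btc(addr):
            problems.append(f"{addr} fails Base58Check")
    return problems


if __name__ == "__main__":
    copied = "send to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # constructed clipboard text
    pasted, hit = clipper_poll(copied)
    print("swapped:", hit, "->", pasted)
    print("guard:", paste_guard(copied, pasted))
```

The guard has to be applied where the paste lands (the wallet's send form), comparing against the text the user actually selected; a clipper that only swaps addresses of a type it holds an attacker address for leaves other text untouched, which is why the example keys the swap table by address kind.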
Worm Spreads Through USB Drives Using File Replacement
The malware spreads by infecting clean USB drives connected to an already compromised system. It scans for common files such as Word documents, Excel sheets, and PDFs, then replaces them with malicious shortcut files carrying identical names. Because Windows Explorer never displays the .lnk extension, such a shortcut is indistinguishable from the original document at a glance.
These infected drives continue the cycle when connected to other computers: users who open the replaced files unknowingly trigger the malware again. This propagation method lets the worm spread across multiple systems quickly.
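The propagation step can be triaged from the USB drive itself. The following added Python example (written for this page; it is not Microsoft's code and not the malware's) parses the Shell Link (.lnk) binary format far enough to recover the relative path, arguments and icon location of each shortcut on a drive, and flags the combination described above: a shortcut carrying a document's name (the example assumes the worm keeps the document name and appends .lnk, e.g. Q3-report.docx.lnk, which Explorer shows as Q3-report.docx), a target that invokes a script host or command interpreter, and a window that starts minimized. The "infected drive" is a constructed temporary directory with made-up shortcuts; the script names and paths in it are placeholders, not indicators from the Microsoft report.

```python
import re
import struct
import tempfile
from pathlib import Path
from typing import Optional

# Layout from the MS-SHLLINK specification (Shell Link binary file format).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that launches the target minimized

# Binaries a document shortcut has no business launching.
LOLBIN = re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil)(\.exe)?\b", re.I)
DOC_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf")


def parse_lnk(data: bytes) -> dict:
    """Read the header, skip the optional LinkTargetIDList/LinkInfo blocks, and
    decode the StringData fields (2-byte CountCharacters + characters, no terminator)."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_command": show_command}
    for bit, field in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[field] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[field] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return info


def build_lnk(relative_path: str, arguments: Optional[str] = None,
              icon_location: Optional[str] = None, show_command: int = 1) -> bytes:
    """Build a minimal Unicode .lnk (header + StringData only) for the constructed sample."""
    fields = {"relative_path": relative_path, "arguments": arguments, "icon_location": icon_location}
    flags, body = IS_UNICODE, b""
    for bit, field in STRING_FIELDS:
        value = fields.get(field)
        if value is not None:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body


def triage_shortcut(path: Path) -> list:
    """Reasons a shortcut looks like a document the worm replaced (empty = nothing suspicious)."""
    info = parse_lnk(path.read_bytes())
    reasons = []
    stem = path.name[:-len(path.suffix)].lower()
    if stem.endswith(DOC_EXTENSIONS):
        reasons.append(f"named like a document (Explorer hides .lnk, so it displays as {stem})")
    launch = " ".join(str(info.get(field, "")) for _, field in STRING_FIELDS)
    hit = LOLBIN.search(launch)
    if hit:
        reasons.append("launches " + hit.group(0).lower())
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window starts minimized (SW_SHOWMINNOACTIVE)")
    return reasons


def scan_drive(root: Path) -> dict:
    """Triage every .lnk below the drive root; keys are paths relative to the root."""
    findings = {}
    for lnk in sorted(root.rglob("*.lnk")):
        try:
            reasons = triage_shortcut(lnk)
        except ValueError as exc:
            reasons = [f"unparseable shortcut: {exc}"]
        if reasons:
            findings[str(lnk.relative_to(root))] = reasons
    return findings


def build_sample_drive() -> Path:
    """Constructed stand-in for an infected stick: one ordinary shortcut, one worm-style one."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "notes.txt").write_text("meeting notes")
    (root / "notes.lnk").write_bytes(build_lnk(".\\notes.txt"))
    (root / "Q3-report.docx.lnk").write_bytes(build_lnk(
        "..\\Windows\\System32\\cmd.exe",  # placeholder target, not a real indicator
        arguments="/c start wscript.exe //B .\\_\\stage.vbs & start Q3-report.docx",
        icon_location="%SystemRoot%\\System32\\imageres.dll",
        show_command=SW_SHOWMINNOACTIVE))
    return root


if __name__ == "__main__":
    for name, reasons in scan_drive(build_sample_drive()).items():
        print(name, "->", "; ".join(reasons))
```

Run it from a clean analysis host against a mounted drive root, for instance scan_drive(Path("E:/")); the parser only reads bytes and never resolves or launches a shortcut. One caveat: a shortcut whose target is stored only in the LinkTargetIDList, with no RelativePath or arguments, is parsed but its target does not appear in the fields this example reads, so parse_lnk would need to walk the IDList to cover that case.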
Microsoft advised disabling AutoRun for removable media to reduce the risk of infection; since this worm still needs a user to open the planted shortcut, that setting is defence in depth rather than a complete block. It also recommended blocking the execution of .lnk files from USB drives through Group Policy, and restricting the script hosts wscript.exe and cscript.exe to limit the execution paths available to the hidden scripts.
Security teams can hunt for the threat with Microsoft Defender tools and hunting queries. Microsoft also released indicators of compromise, including file hashes and .onion domains, which help organizations detect the malware and respond.