Last updated: July 5, 2026 at 9:01 AM UTC
Tag: clipboard-hijacking (1 article)

Microsoft warns of USB worm that hijacks crypto wallets over Tor

Microsoft has detailed a cryptocurrency-stealing campaign, active since February, that spreads through USB drives and hides its command channel inside the Tor network. Infection starts when someone opens a malicious Windows shortcut on a USB stick; the malware then hides real documents and replaces them with lookalike shortcuts, copies itself to other drives, and sets scheduled tasks for persistence. Its clipper component watches the clipboard about twice a second, swapping copied wallet addresses for the attacker's and grabbing seed phrases and private keys, which it sends out over a bundled Tor client. It can also run attacker-supplied code, doubling as a lightweight backdoor.

Check
Watch endpoints for script interpreters spawning unexpected child processes, local Tor proxy use on port 9050, clipboard monitoring, and shortcut files replacing documents on USB drives.
Affected
Windows users, especially cryptocurrency holders, who plug in untrusted USB drives or open shortcut files from them; the malware also spreads worm-like to any removable drive connected afterward.
Fix
Block or tightly control USB removable media, disable autorun, verify wallet addresses after pasting, and use endpoint protection that flags Tor-proxy abuse, clipboard hijacking, and suspicious shortcut-driven script execution.