Last updated: July 5, 2026 at 9:01 AM UTC
Tag: crypto-clipper (2 articles)

Microsoft warns of USB worm that hijacks crypto wallets over Tor

Microsoft has detailed a cryptocurrency-stealing campaign, active since February, that spreads through USB drives and hides its command channel inside the Tor network. Infection starts when someone opens a malicious Windows shortcut on a USB stick; the malware then hides real documents and replaces them with lookalike shortcuts, copies itself to other drives, and sets scheduled tasks for persistence. Its clipper component watches the clipboard about twice a second, swapping copied wallet addresses for the attacker's and grabbing seed phrases and private keys, which it sends out over a bundled Tor client. It can also run attacker-supplied code, doubling as a lightweight backdoor.

Check
Watch endpoints for script interpreters spawning unexpected child processes, local Tor proxy use on port 9050, clipboard monitoring, and shortcut files replacing documents on USB drives.
Affected
Windows users, especially cryptocurrency holders, who plug in untrusted USB drives or open shortcut files from them; the malware also spreads worm-like to any removable drive connected afterward.
Fix
Block or tightly control USB removable media, disable autorun, verify wallet addresses after pasting, and use endpoint protection that flags Tor-proxy abuse, clipboard hijacking, and suspicious shortcut-driven script execution.
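The indicators listed under "Check" translate directly into detection logic. The script below is an added example, not code from the original article or from Microsoft: it runs three of those checks (script hosts spawning unexpected children, loopback connections to the Tor SOCKS port, and hidden documents on removable media that have a shortcut twin) over constructed sample telemetry. The event schema, the benign-child baseline and the document suffix list are assumptions to adapt to whatever your EDR exports; clipboard monitoring is not covered because it needs API-level hooking rather than event logs.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Script hosts whose unexpected children are worth a look (assumed list).
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}
# Assumption: children a script host may legitimately spawn in this environment.
BENIGN_CHILDREN = {"conhost.exe"}
# Default Tor SOCKS port, as named in the article.
TOR_SOCKS_PORT = 9050
# Assumed set of document types a lookalike shortcut would impersonate.
DOCUMENT_SUFFIXES = {".docx", ".xlsx", ".pdf", ".pptx", ".txt"}

# Constructed sample telemetry (not real logs). Each record mimics one EDR event.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 400, "image": "explorer.exe", "parent": "winlogon.exe"},
    {"type": "process", "pid": 412, "image": "wscript.exe", "parent": "explorer.exe"},
    {"type": "process", "pid": 420, "image": "conhost.exe", "parent": "wscript.exe"},
    {"type": "process", "pid": 433, "image": "powershell.exe", "parent": "wscript.exe"},
    {"type": "network", "pid": 433, "image": "powershell.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9050},
    {"type": "network", "pid": 900, "image": "chrome.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"type": "file", "path": "E:\\Invoices.xlsx", "hidden": True, "removable": True},
    {"type": "file", "path": "E:\\Invoices.lnk", "hidden": False, "removable": True},
    {"type": "file", "path": "E:\\Budget.docx", "hidden": True, "removable": True},
    {"type": "file", "path": "E:\\Budget.docx.lnk", "hidden": False, "removable": True},
    {"type": "file", "path": "E:\\photo.jpg", "hidden": False, "removable": True},
    {"type": "file", "path": "C:\\Users\\alice\\notes.txt", "hidden": True, "removable": False},
]


def interpreter_spawns(events):
    """Script interpreters spawning children outside the benign baseline."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        if e["parent"] in SCRIPT_INTERPRETERS and e["image"] not in BENIGN_CHILDREN:
            hits.append((e["parent"], e["image"]))
    return hits


def local_tor_proxy_use(events):
    """Processes connecting to the default Tor SOCKS port on loopback."""
    return [
        e["image"] for e in events
        if e["type"] == "network"
        and e["dst_ip"] in ("127.0.0.1", "::1")
        and e["dst_port"] == TOR_SOCKS_PORT
    ]


def shortcut_document_swaps(events):
    """Hidden documents on removable media that have a .lnk twin with the same stem.

    Handles both 'Report.lnk' and 'Report.docx.lnk' style lookalikes.
    """
    by_drive_stem = defaultdict(dict)
    for e in events:
        if e["type"] != "file" or not e["removable"]:
            continue
        p = PureWindowsPath(e["path"])
        suffix = p.suffix.lower()
        stem = p.stem
        if suffix == ".lnk":
            # Strip a document extension embedded in the shortcut's name.
            inner = PureWindowsPath(stem)
            if inner.suffix.lower() in DOCUMENT_SUFFIXES:
                stem = inner.stem
            by_drive_stem[(p.drive.upper(), stem.lower())]["lnk"] = e["path"]
        elif suffix in DOCUMENT_SUFFIXES and e["hidden"]:
            by_drive_stem[(p.drive.upper(), stem.lower())]["doc"] = e["path"]
    return [(v["doc"], v["lnk"]) for v in by_drive_stem.values()
            if "doc" in v and "lnk" in v]


def run_checks(events):
    """Run every check and return the findings keyed by indicator name."""
    return {
        "interpreter_spawns": interpreter_spawns(events),
        "tor_proxy_use": local_tor_proxy_use(events),
        "shortcut_swaps": shortcut_document_swaps(events),
    }


if __name__ == "__main__":
    for name, hits in run_checks(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

On the sample data the three checks fire independently; in practice, correlating them on the same host within a short window gives a much stronger signal than any one alone, since script hosts spawning PowerShell and hidden files on a USB stick each have benign explanations on their own.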

CrystalRAT malware-as-a-service sells remote access, crypto theft, and keylogging on Telegram

Kaspersky researchers uncovered CrystalRAT, a new malware-as-a-service sold via Telegram and promoted on YouTube with a tiered subscription model. Built in Go, it combines remote access via VNC, keylogging, clipboard hijacking for crypto wallet theft, browser credential stealing from Chromium/Yandex/Opera, and data harvesting from Steam, Discord, and Telegram. Each buyer gets a uniquely encrypted build using ChaCha20, making detection harder. Kaspersky warns that new versions are still shipping, and the victim count is likely to grow.

Check
Alert staff about fake software cracks and activators - the most common delivery vector for CrystalRAT infections.
Affected
Windows users who download software from unofficial sources. Current victims are primarily in Russia, but the MaaS model means geographic expansion is expected.
Fix
Block known CrystalRAT C2 infrastructure at the network level. Ensure endpoint detection tools are updated with Kaspersky's published IOCs. Train staff to verify crypto wallet addresses before confirming transfers - clipboard hijacking swaps addresses silently.