Microsoft has flagged a new malware strain that spreads through USB flash drives and swaps cryptocurrency addresses in the clipboard with ones controlled by attackers. Dubbed a 'clipper', the malware uses Windows shortcut files to infect devices, then silently replaces any crypto wallet address a user pastes. The warning came this week from Microsoft's security team, who said the threat is actively circulating.
How the clipper works
The malware sneaks onto a machine when a user plugs in an infected USB drive. It exploits Windows shortcut files — the .lnk format — to execute its code. Once inside, it monitors the clipboard for cryptocurrency addresses. When it detects one, it swaps it for an attacker-controlled address. That means a user copying a wallet address from an exchange or friend could end up sending funds to a thief without noticing until it's too late. Microsoft's analysis shows the malware targets a range of cryptocurrencies, though the firm didn't specify which.
Microsoft's warning
The company's security team published the findings on June 21, advising users to be cautious with USB drives from unknown sources. Microsoft didn't say how many infections have been spotted so far, but noted the malware is 'actively spreading'. The clipper isn't new in concept — clipboard hijackers have been around for years — but using USB drives as a vector adds a physical twist. It means an attacker could leave infected drives in public places, hoping someone plugs one in.
What users should do
Microsoft recommends disabling autorun for USB devices and keeping Windows and antivirus software up to date. Manually checking the address you're sending to — every time — is the simplest safeguard. If the address on screen doesn't match the one you copied, don't send. The company also suggests using hardware wallets or trusted apps that verify addresses before confirming a transaction. For now, the best defense is treating any random USB drive like a potential grenade.
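To check whether autorun is already disabled for removable drives, the following read-only PowerShell audit is an added example, not part of Microsoft's advisory. It assumes the standard Windows policy value NoDriveTypeAutoRun and the per-user DisableAutoplay value, neither of which is named in the article; the function names are illustrative.

```powershell
# Added example: read-only audit of the AutoRun/AutoPlay registry settings.
# NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun for that drive type.
$DriveTypeBits = [ordered]@{
    'Unknown (0x01)' = 0x01
    'Removable'      = 0x04   # USB flash drives
    'Fixed'          = 0x08
    'Network'        = 0x10
    'CD-ROM'         = 0x20
    'RAM disk'       = 0x40
    'Unknown (0x80)' = 0x80
}

function Get-AutoRunBlockedTypes {
    param([int]$Mask)
    # Return the names of the drive types for which this mask disables AutoRun.
    $DriveTypeBits.GetEnumerator() |
        Where-Object { $Mask -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$policyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($hive in 'HKLM:', 'HKCU:') {
    $mask = Get-PolicyValue "$hive\$policyKey" 'NoDriveTypeAutoRun'
    if ($null -eq $mask) {
        "{0} NoDriveTypeAutoRun: not set (Windows default applies)" -f $hive
        continue
    }
    $blocked = @(Get-AutoRunBlockedTypes -Mask $mask)
    "{0} NoDriveTypeAutoRun = 0x{1:X2}; AutoRun disabled for: {2}" -f $hive, $mask, ($blocked -join ', ')
    "{0} removable (USB) drives covered: {1}" -f $hive, ($blocked -contains 'Removable')
}

# Per-user AutoPlay switch; a value of 1 means AutoPlay is turned off.
$autoplayKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
$autoplay = Get-PolicyValue $autoplayKey 'DisableAutoplay'
"HKCU DisableAutoplay = {0}" -f $(if ($null -eq $autoplay) { 'not set' } else { $autoplay })
```

A mask of 0xFF disables AutoRun for every drive type. The script only reads the registry and changes nothing.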




