Microsoft has uncovered a new strain of malware that spreads via USB drives and is purpose-built to drain cryptocurrency wallets. The malware uses clipboard hijacking to snatch wallet addresses and private keys, then sends the looted data over a Tor-based control channel. The disclosure came this week from Microsoft's security research team, which warned that the infection is designed to go unnoticed until funds are gone.
How the infection chain works
The malware spreads the old-fashioned way, through removable USB drives. Once a user plugs an infected drive into a Windows machine, the malware installs itself silently. It then runs a clipboard monitor that watches for cryptocurrency wallet addresses and private keys the user copies; a clipboard monitor only sees what passes through the clipboard, not what is typed. When it detects a wallet address, it can replace it with an attacker-controlled address, so the payment the user then pastes into a transaction goes to the attacker's wallet. Private keys, once intercepted, let the attacker drain the wallet directly, with no transaction from the victim needed.
This isn't a novel technique, but the combination of USB propagation and Tor-based command-and-control makes it harder to block. Tor routes the malware's traffic through relays, so the destination a defender sees on the victim's network is a Tor entry relay rather than the attacker's server, and the content is encrypted end to end to the hidden service, which makes network-level detection tougher. Microsoft said the malware communicates with its controllers through Tor hidden services, which means a takedown is more complicated than blocking a single IP address: a hidden service has no public server address to seize or sinkhole.
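Because the first hop is always a Tor relay, one practical hunt is to match outbound connections against the public relay list rather than against ports (relays commonly listen on 443 as well as 9001). The example below is added here and is not Microsoft's detection logic or any indicator from the page: it runs a constructed, Sysmon-style set of network-connection events (Event ID 3 fields rendered as key=value pairs, which is an assumed format) against a constructed relay set using TEST-NET addresses, and reports which non-allowlisted processes talked to a relay. The process path, the allowlist entry and the relay IPs are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed stand-in for the Tor relay list. For real hunting, populate this
# from the current consensus, e.g. the or_addresses field of the Onionoo
# details API (https://onionoo.torproject.org/details). TEST-NET ranges are
# used here so nothing resolves to a real host.
TOR_RELAY_IPS = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}

# Processes expected to talk to Tor on this host (assumption: Tor Browser is
# approved here). Matched as a substring of the image path.
ALLOWED_IMAGE_SUBSTRINGS = ("\\Tor Browser\\",)

# Constructed Sysmon-style network connection events (Event ID 3 field names,
# rendered as key=value with double quotes around values containing spaces).
SAMPLE_EVENTS = [
    r'UtcTime="2024-05-02 10:00:01" Image="C:\Users\alice\AppData\Local\Temp\updater.exe" DestinationIp=192.0.2.10 DestinationPort=9001',
    r'UtcTime="2024-05-02 10:00:04" Image="C:\Users\alice\AppData\Local\Temp\updater.exe" DestinationIp=198.51.100.7 DestinationPort=443',
    r'UtcTime="2024-05-02 10:00:09" Image="C:\Program Files\Mozilla Firefox\firefox.exe" DestinationIp=203.0.113.5 DestinationPort=443',
    r'UtcTime="2024-05-02 10:01:13" Image="C:\Users\alice\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" DestinationIp=192.0.2.11 DestinationPort=443',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse key=value pairs; values may be double-quoted to allow spaces."""
    return {key: value.strip('"') for key, value in KV.findall(line)}


def is_allowed(image: str) -> bool:
    """True for processes that are expected to use Tor on this host."""
    return any(fragment in image for fragment in ALLOWED_IMAGE_SUBSTRINGS)


def find_tor_contacts(lines, relay_ips=TOR_RELAY_IPS) -> dict:
    """Map each non-allowlisted process to the sorted relay IPs it contacted."""
    hits = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        image = event.get("Image", "")
        destination = event.get("DestinationIp")
        if destination in relay_ips and not is_allowed(image):
            hits[image].add(destination)
    return {image: sorted(ips) for image, ips in hits.items()}


if __name__ == "__main__":
    for image, ips in find_tor_contacts(SAMPLE_EVENTS).items():
        print(f"{image} contacted Tor relays: {', '.join(ips)}")
```

A Tor client keeps a small, fixed set of guard relays and holds long-lived connections to them, so a single unfamiliar process matching even one or two relay IPs is worth a look; the allowlist exists only so that an approved Tor Browser does not drown the result.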
What Microsoft is doing
Microsoft has added detection signatures for the malware to its Defender antivirus engine. The company recommends that users avoid plugging unknown USB drives into their computers, especially drives found in parking lots or other public places, a common infection vector. For crypto users, the advice is blunt: use a hardware wallet and never copy private keys to the clipboard on an internet-connected machine. The malware can't reach a key stored in a hardware wallet, but it will grab any key that passes through the Windows clipboard. Note that a hardware wallet does not defeat the address swap on its own: the substituted destination address is what gets pasted into the transaction, so the address shown on the device's own screen should be checked against the intended one before approving.
The timing isn't great for crypto holders. USB-borne malware was already on the decline in recent years as phishing and supply-chain attacks took over, but this find suggests attackers still see value in the low-tech approach. A single compromised USB drive in a shared office or a co-working space can spread the infection to multiple machines before anyone notices.
Clipboard hijacking's long tail
Clipboard hijacking has been a problem for crypto users since at least 2017, but it keeps evolving. Earlier versions typically swapped addresses only when the user pasted them into a send transaction. This new variant appears more aggressive, according to Microsoft's analysis — it watches the clipboard in real time and exfiltrates any crypto-related data it sees, regardless of whether the user is about to make a transaction. That means even a casual copy of a wallet address to share with a friend could leak it to attackers.
Microsoft hasn't named the malware or attributed it to any known group. The company's security team is still analyzing the infrastructure behind the Tor nodes. A detailed technical report is expected later this month, which may include indicators of compromise — file names, registry keys, and Tor hidden service addresses — that defenders can use to hunt for infections.