- Microsoft identified a crypto-targeting malware campaign active since February 2026.
- The malware spreads through infected USB drives using malicious shortcut files.
- It monitors clipboard activity and replaces copied wallet addresses with attacker-controlled destinations.
- Bitcoin, Ethereum, Monero and Tron users are among the primary targets.
- The malware also includes backdoor functionality that enables remote control and credential theft.
The campaign, which researchers say has been active since at least February 2026, is designed to steal cryptocurrency by silently replacing wallet addresses and harvesting sensitive credentials from infected devices.
USB Infection Method Enables Rapid Spread
According to Microsoft’s threat intelligence team, the malware propagates by scanning removable storage devices and replacing legitimate documents with malicious Windows shortcut (.lnk) files.
The technique targets commonly used file formats, including Word, Excel and PDF documents. Original files are hidden from view while attackers create lookalike shortcuts using identical filenames, increasing the likelihood that users unknowingly execute the malware.
Once activated, the malware establishes persistence on the infected system and automatically spreads to additional USB drives connected to the device, creating a worm-like distribution mechanism capable of moving between networks without relying on internet-based delivery.
Clipboard Hijacking Targets Crypto Transactions
The campaign’s primary objective is cryptocurrency theft.
Researchers found that the malware continuously monitors clipboard activity, checking copied content roughly every half second for patterns associated with cryptocurrency wallet addresses.
When a user copies a wallet destination before making a transaction, the malware silently substitutes the address with one controlled by the attacker. Because crypto transfers are irreversible, victims may unknowingly send funds directly to malicious wallets.
Microsoft’s analysis indicates the malware is configured to recognize addresses associated with multiple blockchain networks, including Bitcoin, Ethereum, Monero and Tron.
The attack method reflects a broader trend among cybercriminals targeting operational mistakes rather than attempting to compromise blockchain protocols directly.
Beyond a Clipper: Malware Includes Full Backdoor Functionality
Researchers noted that the threat extends beyond a traditional cryptocurrency clipper.
The malware deploys a lightweight backdoor that enables attackers to maintain persistent access to infected systems. To conceal communications, it bundles its own Tor client, allowing traffic to be routed through anonymous hidden services.
The infrastructure enables operators to exfiltrate private keys, seed phrases and other sensitive wallet information while also receiving screenshots and system intelligence from compromised devices.
The functionality gives attackers the ability to update payloads, deliver additional malware and adapt operations without requiring physical access to infected machines.
Advanced Evasion Techniques Complicate Detection
Microsoft reported that the malware incorporates several mechanisms designed to evade security analysis.
Core components remain encrypted until execution, limiting visibility for traditional scanning tools. The malware also performs anti-analysis checks and may terminate itself if system monitoring tools are detected.
Persistence mechanisms include scheduled tasks that automatically relaunch malicious processes after reboots, ensuring continued operation even after partial remediation attempts.
The combination of obfuscation, persistence and anonymous command-and-control infrastructure demonstrates a level of sophistication increasingly common among financially motivated cybercrime groups.
Crypto Holders Face Growing Operational Security Risks
The discovery comes as digital asset adoption continues to expand among retail and institutional investors, increasing the potential attack surface for threat actors.
Unlike exploits targeting blockchain protocols, clipboard hijacking attacks rely on user behavior and transaction workflows, making them difficult to detect without strong operational security practices.
Security researchers note that even experienced users can become victims if wallet addresses are not manually verified before transaction confirmation.
The campaign also highlights the continued relevance of removable media as an attack vector despite the growing shift toward cloud-based infrastructure.
Microsoft Recommends Immediate Defensive Measures
Microsoft advises organizations and individual users to disable AutoRun and AutoPlay functionality for removable media, restrict execution of shortcut files from USB devices and limit access to Windows scripting tools where operationally possible.
Security teams are also encouraged to monitor systems for unusual Tor-related network activity, which may indicate active communication with attacker-controlled infrastructure.
For cryptocurrency users, experts recommend verifying wallet addresses before every transaction, using hardware wallets where possible and maintaining strict controls around removable storage devices.
The campaign serves as a reminder that while blockchain networks themselves may remain secure, the endpoints used to access digital assets continue to represent one of the industry’s most significant security vulnerabilities.






Be the first to comment