Microsoft says malware targeting Windows users has been spreading since February. It enters computers via infected USB devices and aims to steal mnemonic phrases, private keys, and transfer addresses from cryptocurrency wallets, and it replaces the receiving address during transfers.
Implant via shortcut
Microsoft classifies this type of malware as a crypto clipper, while Defender Antivirus identifies it as Trojan:Win32/CryptoBandits. Attacks typically begin with an infected USB device containing a malicious .lnk shortcut file.
Once the user clicks the file, the worm installs itself on the computer. It then runs code that steals wallet information while it waits for a new, clean USB device to be connected so that it can continue spreading.
Check clipboard every 500 milliseconds
After installation, the program continuously monitors the contents of the Windows clipboard. Once it detects a mnemonic phrase, a private key, or a wallet address for a cryptocurrency such as Bitcoin or Ethereum, it collects the relevant data and sends it to the attacker via the Tor network.
Microsoft states that the program also periodically captures and uploads screenshots. If a user copies a money transfer address, the malicious program will silently replace it with an attacker-controlled address before pasting, which is usually difficult for the user to detect in time.
Even clean USB drives can become infected.
When a new USB device is plugged into an infected computer, the worm scans for common files, including Word, Excel, and PDF documents. It then replaces these files with shortcuts of the same name, turning the USB device into a new medium for propagation.

- Transmission method: .lnk files on infected USB drives.
- Main objectives: mnemonic phrases, private keys, payment addresses.
- Risky actions: replacing the transfer address and infecting new USB devices.
Microsoft has released a set of indicators of compromise, including file hashes and the .onion domains used for control communications, so that security teams can investigate their network environments. The company also recommends disabling AutoRun and blocking .lnk files from USB media.
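The following Python triage script is an added example, not code from Microsoft or from the original article. It walks a mounted USB volume and flags valid shortcut files whose visible name ends in a Word, Excel, or PDF extension; the double-extension naming (such as `report.pdf.lnk`), the function names, and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Shell Link header: HeaderSize 0x0000004C, then the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
# Document types the article says the worm replaces (Word, Excel, PDF).
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}


def is_shell_link(path):
    """True if the file begins with a valid Shell Link (.lnk) header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(LNK_MAGIC)) == LNK_MAGIC
    except OSError:
        return False


def triage_shortcuts(root):
    """Return sorted (relative_path, verdict) pairs for every real .lnk under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            visible, ext = os.path.splitext(name)
            full = os.path.join(dirpath, name)
            if ext.lower() != ".lnk" or not is_shell_link(full):
                continue
            # Explorer hides ".lnk", so "report.pdf.lnk" is shown as "report.pdf".
            inner = os.path.splitext(visible)[1].lower()
            verdict = "document-lookalike" if inner in DOC_EXTS else "shortcut"
            findings.append((os.path.relpath(full, root), verdict))
    return sorted(findings)


def build_sample_volume(root):
    """Constructed sample data standing in for a mounted USB volume."""
    samples = {
        "Q3 budget.xlsx.lnk": LNK_MAGIC + b"\x00" * 56,  # shortcut posing as Excel
        os.path.join("docs", "contract.PDF.lnk"): LNK_MAGIC + b"\x00" * 56,
        "tools.lnk": LNK_MAGIC + b"\x00" * 56,           # plain shortcut
        "notes.pdf": b"%PDF-1.7\n",                       # genuine document
        "readme.lnk": b"just text",                       # wrong header, ignored
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as vol:
        build_sample_volume(vol)
        for rel, verdict in triage_shortcuts(vol):
            print(f"{verdict:20} {rel}")
```

Point `triage_shortcuts` at the mount point of a removable drive on an analysis host; a "document-lookalike" verdict marks a file to quarantine and inspect, not proof of infection.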










