Microsoft warns users of 'Crypto Clipper' malware spread via USB drives
CoinTelegraph

The malware blends data theft with remote code execution, “turning a financially motivated stealer into a lightweight backdoor,” Microsoft said.

Crypto clipper execution flow. Source: Microsoft

The crypto clipper focuses on “high-value financial artifacts” from the clipboard, including BIP39 mnemonic seed phrases and Bitcoin and Ethereum private keys. It also replaces copied wallet addresses with attacker-controlled ones across Bitcoin, Tron and Monero, and takes screenshots every ten seconds for additional context.

Microsoft Defender Antivirus detects the malware as Trojan:Win32/CryptoBandits.A.

Microsoft recommended:

  • Disabling autoplay on removable media
  • Blocking .lnk execution from USB drives
  • Monitoring for proxy activity and spawned scripts
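One way to act on the "spawned scripts" recommendation is to scan process-creation telemetry for script hosts or binaries tied to a removable drive. The sketch below is an added example, not Microsoft's detection logic; the event field names follow Sysmon Event ID 1, and the script-host list, the sample events and the set of removable drive letters are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: interpreters treated as "spawned scripts"; tune per environment.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
DRIVE_RE = re.compile(r"(?<![A-Za-z])([A-Za-z]):\\")

def drives_in(text):
    """Upper-case drive letters referenced anywhere in a path or command line."""
    return {m.group(1).upper() for m in DRIVE_RE.finditer(text or "")}

def flag_event(event, removable):
    """Return a reason if the event ties a process launch to removable media."""
    image = event.get("Image", "")
    if drives_in(image) & removable:
        return "binary executed from removable drive"
    if ntpath.basename(image).lower() in SCRIPT_HOSTS:
        touched = (drives_in(event.get("CommandLine"))
                   | drives_in(event.get("CurrentDirectory")))
        if touched & removable:
            return "script host launched against removable drive"
    return None

def scan(events, removable):
    """Return (index, reason) for every flagged event."""
    hits = []
    for i, ev in enumerate(events):
        reason = flag_event(ev, removable)
        if reason:
            hits.append((i, reason))
    return hits

# Constructed sample events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe E:\docs\open.vbs", "CurrentDirectory": "E:\\"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1",
     "CurrentDirectory": "C:\\Users\\alice\\"},
    {"Image": r"E:\setup.exe", "CommandLine": r"E:\setup.exe", "CurrentDirectory": "E:\\"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe E:\notes.txt", "CurrentDirectory": "C:\\"},
]
REMOVABLE = {"E"}  # assumption: drive letters known to be USB from device inventory

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS, REMOVABLE):
        print(idx, why)
```

In production the removable drive letters would come from device-mount telemetry rather than a fixed set, and legitimate portable tools run from USB would need an allowlist.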

2026 has seen a significant escalation in Windows-based crypto stealers. A new Windows malware strain called Lucid Stealer that targets browser extensions and crypto wallets was identified earlier this month by the Foresiet Threat Intel Team.
