New lightweight, self-propagating crypto stealing malware delivered by USB spotted by Microsoft researchers – Crypto Clipper script-based stealer hunts for vulnerable wallets
Microsoft details a newly discovered wormlike infostealer called Crypto Clipper.
Microsoft warns of "Crypto Clipper," a worm that spreads via malicious .LNK files on USB drives. The malware maintains persistence, contacts a C2 server over Tor, supports remote code execution, and watches the clipboard for cryptocurrency data. It swaps wallet addresses, exfiltrates seed phrases and private keys, and uploads screenshots so the attackers can assess a target's value.
Microsoft is warning of an ongoing campaign targeting cryptocurrency owners with a clipboard-jacking worm. In an in-depth report published late last week, Microsoft's security researchers explained that they recently analyzed a thumb drive that appeared to contain ordinary documents (Word files, Excel spreadsheets). On closer inspection, those "documents" were Windows shortcut (.LNK) files named to look like documents; opening one launched the malware, which Microsoft calls Crypto Clipper.
Malware Behavior
The malware combines three functions. First, it propagates: it plants malicious .LNK files on USB drives and other removable media, and it creates scheduled tasks both to persist across reboots and to infect newly connected USB devices automatically.
Second, it acts as a backdoor, regularly contacting a command-and-control (C2) server over the Tor network and receiving commands from the attacker, including commands to download and execute attacker-supplied code on the infected system.
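Disguised shortcuts of the kind described above can be triaged offline by reading the shortcut's own metadata rather than trusting its name or icon. The following is an added example (not Microsoft's tooling and not code from the campaign): it parses the public MS-SHLLINK ShellLinkHeader and StringData layout to recover a .LNK file's relative target path and command-line arguments, then applies a few hypothetical heuristics of the kind an analyst would start with. The launcher list, argument tokens and the sample shortcut are constructed for this example; the page does not describe the actual contents of the Crypto Clipper shortcuts.

```python
"""Triage Windows shortcut (.LNK) files that masquerade as documents.

Added example, not Microsoft's tooling or code from the campaign. Parses the
MS-SHLLINK ShellLinkHeader and StringData sections and flags the classic
"document replaced by a shortcut" lure. Heuristic lists are assumptions.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from pathlib import Path

HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046, little-endian GUID encoding
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Heuristics chosen for this example, not taken from the report
LAUNCHERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
             "cscript.exe", "mshta.exe", "rundll32.exe", "conhost.exe"}
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx", ".txt"}
SUSPICIOUS_TOKENS = ("-enc", "-w hidden", "iex", "downloadstring", "/c start", ".vbs", ".js")


@dataclass
class Shortcut:
    flags: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def _read_string(data: bytes, off: int, unicode: bool) -> tuple[str, int]:
    """Read one StringData entry: a 2-byte character count followed by the chars."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        return data[off:off + count * 2].decode("utf-16-le"), off + count * 2
    return data[off:off + count].decode("cp1252", errors="replace"), off + count


def parse_lnk(data: bytes) -> Shortcut:
    """Validate the header, skip IDList/LinkInfo, and return the StringData fields."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    (flags,) = struct.unpack_from("<I", data, 0x14)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        (id_list_size,) = struct.unpack_from("<H", data, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        (link_info_size,) = struct.unpack_from("<I", data, off)
        off += link_info_size
    sc = Shortcut(flags=flags)
    unicode = bool(flags & IS_UNICODE)
    for bit, attr in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            value, off = _read_string(data, off, unicode)
            setattr(sc, attr, value)
    return sc


def triage(filename: str, data: bytes) -> list[str]:
    """Return the reasons a shortcut looks like a disguised-document lure (empty if none)."""
    reasons: list[str] = []
    sc = parse_lnk(data)
    stem = Path(filename).stem                       # "Q3_Report.xlsx.lnk" -> "Q3_Report.xlsx"
    if Path(stem).suffix.lower() in DOC_EXTS:
        reasons.append(f"document-like name: {filename}")
    target = Path(sc.relative_path.replace("\\", "/")).name.lower()
    if target in LAUNCHERS:
        reasons.append(f"launches {target}")
    args = sc.arguments.lower()
    for token in SUSPICIOUS_TOKENS:
        if token in args:
            reasons.append(f"suspicious argument: {token}")
    return reasons


def build_lnk(relative_path: str, arguments: str, icon: str = "") -> bytes:
    """Construct a minimal Unicode shell link so the triage can run offline (constructed sample)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS | (HAS_ICON_LOCATION if icon else 0)
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, times, size, icon, show, hotkey, reserved
    body = b""
    for s in (relative_path, arguments) + ((icon,) if icon else ()):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    # Constructed lure: spreadsheet-looking name, Excel-style icon, cmd.exe launching a script host
    sample = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                       r"/c start wscript.exe //e:jscript _\update.js",
                       r"%SystemRoot%\System32\imageres.dll")
    for reason in triage("Q3_Report.xlsx.lnk", sample):
        print(reason)
```

Run it over every `*.lnk` on a mounted removable drive and review anything that returns a non-empty list; a shortcut whose visible name ends in a document extension but whose target is a shell or script host is worth pulling for analysis regardless of what icon it shows.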
Stealing Wallet Data
Finally, Crypto Clipper does what its name says: it monitors the Windows clipboard for cryptocurrency wallet addresses, seed phrases, and private keys. If it spots a wallet address, it replaces it with one controlled by the attackers, so that any funds the victim sends go to the attacker instead. Copied seed phrases and private keys are exfiltrated; with those, the attacker can load the victim's wallet on a separate device.
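The two halves of that behaviour, recognising an address precisely enough to know its kind and then swapping it for one of the same kind, are shown in the added example below. This is illustrative code, not the sample's logic and not from the report. It validates Base58Check addresses by their double-SHA-256 checksum so that a typo is not mistaken for an address, matches Bech32 by pattern only (no BCH checksum), and pairs the clipper's swap with the defensive check a clipboard guard or endpoint rule can apply: the user copied an address and the clipboard now holds a different address of the same kind. The `ATTACKER` swap table and all addresses are constructed placeholders (the Base58 entry is the well-known Bitcoin genesis-block address).

```python
"""Clipboard-clipper address handling and a defensive counterpart.

Added example, not code from the report or from the Crypto Clipper sample.
Address kinds, regexes and the swap table are assumptions for illustration.
"""
from __future__ import annotations

import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
BECH32_RE = re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$")   # pattern only, no BCH checksum
B58_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


def base58check_decode(s: str) -> bytes | None:
    """Return version+payload if the 4-byte double-SHA-256 checksum verifies, else None."""
    n = 0
    for ch in s:
        idx = B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    body = b"\x00" * (len(s) - len(s.lstrip("1"))) + body   # each leading '1' is a zero byte
    if len(body) < 5:
        return None
    payload, checksum = body[:-4], body[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return payload if digest[:4] == checksum else None


def classify(text: str) -> str | None:
    """Name the address kind a clipper would key on, or None if the text is not an address."""
    t = text.strip()
    if ETH_RE.match(t):
        return "eth"
    if BECH32_RE.match(t):
        return "btc-bech32"
    if B58_RE.match(t) and base58check_decode(t) is not None:
        return "btc-base58"
    return None


# Constructed placeholders standing in for an attacker's per-kind swap table
ATTACKER = {
    "eth": "0x" + "de" * 20,
    "btc-base58": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",   # genesis-block address, placeholder only
}


def clipper_swap(clipboard: str) -> str:
    """What the malware does: replace a recognised address with an attacker address of the same kind.
    Same-kind replacement is what keeps the victim from noticing before the transaction is sent."""
    kind = classify(clipboard)
    return ATTACKER.get(kind, clipboard) if kind else clipboard


def detect_substitution(copied: str, now_on_clipboard: str) -> bool:
    """Guard check: the user copied an address and the clipboard now holds a different
    address of the same kind. A plain inequality would also fire on every ordinary
    copy of unrelated text; keying on the address kind isolates clipper behaviour."""
    before, after = classify(copied), classify(now_on_clipboard)
    return before is not None and before == after and copied.strip() != now_on_clipboard.strip()


if __name__ == "__main__":
    victim_addr = "0x" + "ab" * 20                     # constructed victim address
    tampered = clipper_swap(victim_addr)
    print("clipboard after clipper:", tampered)
    print("substitution detected:", detect_substitution(victim_addr, tampered))
```

To turn `detect_substitution` into a live guard on Windows, record the text at the moment the user copies it and compare it with the clipboard contents again just before a paste; the comparison above is the part that decides whether to alert.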
To help attackers assess the value of a target, the malware periodically captures screenshots of the victim's screen and uploads them through the Tor network.
"This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking," Microsoft said. "The combination of Tor-routed C2, clipboard targeting, screenshot capture, and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices."
Microsoft did not say if the malware targeted any specific countries or regions, nor did it discuss the number of victims.