Microsoft Flags USB Crypto Clipper Hijacking Wallets

Source: Cointelegraph.com News

Microsoft Threat Intelligence warned Windows users about a cryptocurrency clipper strain spread via USB drives. Active since February, the malware steals clipboard data to extract wallet credentials using “high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution,” Microsoft said Wednesday.

The clipper hides legitimate files and replaces them with lookalike shortcuts so victims unknowingly execute the malware while a worm component propagates automatically to USB storage. More than an info stealer, it functions as a backdoor that allows attackers to push and execute arbitrary code on infected machines, creating a persistent foothold for ransomware.

The execution does not depend on a traditional installer or exposed IP-based infrastructure. Microsoft said the malware deploys two obfuscated JavaScript payloads in the Documents directory, creates scheduled tasks for both worm and stealer components, and secretly installs a renamed copy of Tor (ugate.exe) to connect to operators at hidden onion addresses.
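The hidden-file-plus-lookalike-shortcut trick from the second paragraph is a pattern a defender can check for on removable media. The scanner below is an added example, not code from Microsoft, Cointelegraph or the malware: it flags any visible `.lnk` whose base name matches a hidden file or folder in the same directory, reading the real Win32 HIDDEN attribute on Windows (on other platforms nothing is treated as hidden, so only the pure matching logic runs there). The sample listing and file names are constructed.

```python
import os
from dataclasses import dataclass

FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 constant; same value as stat.FILE_ATTRIBUTE_HIDDEN


@dataclass(frozen=True)
class Entry:
    name: str
    hidden: bool


def find_lookalike_shortcuts(entries):
    """Return (hidden_original, shortcut_name) pairs seen in one directory listing."""
    hidden_by_key = {}
    for e in entries:
        if e.hidden:
            hidden_by_key.setdefault(e.name.lower(), e.name)
    hits = []
    for e in entries:
        stem, ext = os.path.splitext(e.name)
        if ext.lower() != ".lnk" or e.hidden:
            continue
        # "Report.docx.lnk" masquerades as the hidden file "Report.docx";
        # "Photos.lnk" masquerades as the hidden folder "Photos".
        original = hidden_by_key.get(stem.lower())
        if original is not None:
            hits.append((original, e.name))
    return hits


def list_entries(path):
    """Read one directory into Entry objects using the platform's hidden flag."""
    entries = []
    with os.scandir(path) as it:
        for d in it:
            attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
            entries.append(Entry(d.name, bool(attrs & FILE_ATTRIBUTE_HIDDEN)))
    return entries


def scan_directory(path):
    """Scan a mounted drive root (e.g. 'E:\\\\') for the lookalike-shortcut pattern."""
    return find_lookalike_shortcuts(list_entries(path))


# Constructed sample listing of what an infected USB root might look like.
SAMPLE_LISTING = [
    Entry("Report.docx", hidden=True),
    Entry("Report.docx.lnk", hidden=False),
    Entry("Photos", hidden=True),
    Entry("Photos.lnk", hidden=False),
    Entry("readme.txt", hidden=False),
    Entry("Installer.lnk", hidden=False),  # ordinary shortcut, no hidden twin
]

if __name__ == "__main__":
    for original, shortcut in find_lookalike_shortcuts(SAMPLE_LISTING):
        print(f"suspicious: {shortcut!r} shadows hidden {original!r}")
```

A hit only says the layout matches the worm's disguise; confirm by inspecting the shortcut's target before acting on it.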
