A newly discovered crypto clipper worm spreads through weaponized Windows shortcut LNK files on USB drives and uses Tor based command and control to silently swap cryptocurrency wallet addresses and steal digital assets from victims.
Imagine plugging your USB drive into another computer and seeing files that look exactly like the ones you saved yourself. But those files are not real. They are part of a scam that has been silently draining people's crypto wallets since February 2026. Microsoft Threat Intelligence and Microsoft Defender experts have discovered this malware, which is not just a thief but a full-fledged worm that spreads on its own and is also controlled via the Tor network.

Weaponized Windows Shortcut USB Worm Attack Explained
The attack begins quite simply. When a USB drive is inserted into a compromised machine, the worm scans the files on it, such as .doc, .xlsx and .pdf files. It then hides the original files and creates shortcuts with similar names in their place. Anyone who inserts the drive into another machine and clicks on one of these shortcuts falls into the same trap.
Immediately after the shortcut is clicked, the worm drops two malicious JavaScript files into a subfolder under C:\Users\Public\Documents, keeping both the folder name and the file names five characters long to avoid suspicion. Two scheduled tasks are then created. One task keeps the stealer running at all times and the other automatically spreads the worm to every newly inserted USB device.
A lot of effort has gone into hiding this entire setup. The initial payload is a Python script protected by PyArmor and packaged as a standalone executable. The JavaScript files are also subjected to dual-layer obfuscation, making them difficult for ordinary antivirus scans to detect. If Task Manager is opened on the system, the malware automatically closes itself to prevent manual inspection.
Tor Based Crypto Clipper Command and Control Threat
The most dangerous feature of this malware is its command and control system. Bundled with it is a portable Tor client named ugate.exe that runs in a hidden window. All communication then takes place via .onion addresses, making it impossible to stop this attack simply by blocking IP addresses.
The clipper checks the clipboard every 500 milliseconds and looks for seed phrases, private keys and wallet addresses. As soon as someone copies a crypto wallet address, the malware silently replaces it with an attacker-controlled address. This trick works on all major formats, such as Bitcoin legacy, P2SH, Taproot, Bech32, Tron and Monero.
The malware not only steals money but also takes five screenshots every ten seconds and sends them to the attacker via Tor. This means the attacker gets access not just to the wallet but to the entire screen. Most dangerously, by sending an EVAL command from the server, the attacker can run arbitrary code directly on the victim's machine.
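The clipboard behaviour described above suggests a simple defender-side check. What follows is an added example, not code from the original report or from Microsoft's tooling: it classifies clipboard contents by the address formats named in the article and flags when one address is replaced by a different address of the same format inside the clipper's polling window. The regular expressions, the two-second window and the sample clipboard history are assumptions constructed for this example.

```python
import re

# Syntactic patterns for the address formats the clipper targets.
# Constructed for this example: they check shape only, not checksums.
ADDRESS_PATTERNS = {
    "btc_legacy_p2sh": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32_taproot": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "monero": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),  # standard/subaddress, 95 chars
}


def classify(text):
    """Return the address format name for text, or None if it is not an address."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def detect_swaps(snapshots, window_ms=2000):
    """Flag clipper-style swaps in a list of (timestamp_ms, clipboard_text).

    A swap is two consecutive snapshots that both hold an address of the same
    format, differ, and are less than window_ms apart. A person rarely copies
    two different wallet addresses within a couple of seconds; a clipper that
    polls every 500 ms rewrites the clipboard well inside that window.
    """
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        fmt = classify(before)
        if fmt and fmt == classify(after) and before.strip() != after.strip() \
                and 0 <= t1 - t0 < window_ms:
            alerts.append({"format": fmt, "delay_ms": t1 - t0,
                           "copied": before.strip(), "replaced_with": after.strip()})
    return alerts


# Constructed sample history: the user copies a legacy Bitcoin address and
# 400 ms later the clipboard holds a different legacy address. Both strings
# are made up for this example and are not real wallets.
SAMPLE_SNAPSHOTS = [
    (0, "meeting notes"),
    (1000, "1Ab2cD3eF4gH5jK6mN7pQ8rS9tU1vW2xYz"),
    (1400, "1ZyXwV9uT8sR7qP6nM5kJ4hG3fE2dC1bAa"),
    (9000, "1ZyXwV9uT8sR7qP6nM5kJ4hG3fE2dC1bAa"),
    (60000, "bc1qdefender" + "0" * 30),
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"possible clipper swap ({a['format']}, {a['delay_ms']} ms): "
              f"{a['copied']} -> {a['replaced_with']}")
```

On a live endpoint the snapshot list would be fed by a clipboard poller; the detection logic is the same.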

Security experts recommend always disabling AutoRun and AutoPlay for USB drives and blocking the execution of .lnk files via Group Policy. Script interpreters such as wscript.exe and cscript.exe should also be restricted so they run only where necessary.
Network teams should also monitor for SOCKS5 proxy traffic on localhost port 9050, as this is the default Tor SOCKS port. People who use their computers for financial work should also regularly check for unexpected clipboard activity and screen capture behaviour.
This incident reminds us once again that the greatest danger is never visible. The real danger always comes in the form of the thing we trust the most.