
USB worm spreads crypto-stealing malware via Windows shortcut files

USB worm – A cryptocurrency-targeting campaign has been active since at least February, using self-spreading clipboard-stealing malware on USB drives. It starts when a victim opens a Windows LNK shortcut file, then hides documents, replaces them with malicious shortcuts,

A USB drive can look harmless right up until the moment someone double-clicks the wrong file.

Microsoft says a crypto-stealing campaign has been running since at least February, distributing clipboard-stealing malware with self-spreading behavior. Threat actors use LNK (Windows shortcut) files on USB drives to get the malware onto a victim’s machine—and they rely on the Tor network to keep communications hard to trace.

The chain starts with a simple action: the victim opens the LNK file. That triggers the malware already sitting on the USB drive, and Microsoft describes further payloads being staged from a .ONION address. From there, the malware performs a local scan for document files on the system. When it finds them, it hides the originals and swaps in malicious shortcuts with the same names, setting the trap for the next click.


Microsoft’s description makes the behavior sound almost designed to frustrate recovery: once users try to open those document files, the replacement shortcuts execute the malware again.

The worm keeps going. It creates a scheduled task that watches for newly connected USB storage devices. When another removable drive is plugged in, the malware copies itself onto the device and creates additional malicious shortcut files, turning a one-time infection into something that can keep spreading.


At the core is theft—carried out quietly and repeatedly.

The stealer component runs after the malware checks that Task Manager is inactive. It then establishes communications with the command-and-control host using a Tor executable named ‘ugate.exe’. Every half second, it scans the clipboard for specific high-value secrets: 12-word and 24-word BIP39 seed phrases, Ethereum private keys, Bitcoin WIF keys, and Bitcoin wallet addresses across legacy, P2SH, Bech32, and Taproot formats. It also looks for Tron and Monero wallet addresses.


Microsoft says the campaign narrows the impact by selecting targeted addresses based on how their starting digits or characters resemble the attackers’ wallet addresses. The goal is to partially mirror what a user expects, lowering the odds of catching the fraud at a glance.
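The substitution trick described above works because people tend to compare only the first few characters of an address. The following is an added example, not code from Microsoft or the article, showing the check a wallet front end (or a careful user) can make before sending: compare the address that was copied with the one that is about to be used, and report a "look-alike" when they share a long prefix but differ further in. The addresses are constructed strings in a Bech32-like shape, not real wallets.

```python
"""Clipboard-swap check for wallet addresses (added example, defender side).

The attacker-side trick reported by Microsoft is to substitute an address whose
leading characters match the victim's. A full-string comparison, plus an explicit
warning when only the head matches, is the corresponding check.
"""


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading characters the two strings share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def verify_destination(copied: str, pasted: str, prefix_chars: int = 4) -> dict:
    """Compare the address copied from a trusted source with the one about to be sent.

    'lookalike' is set when the strings differ but share at least `prefix_chars`
    leading characters, which is exactly the pattern a glance-check would miss.
    """
    shared = common_prefix_len(copied, pasted)
    match = copied == pasted
    return {
        "match": match,
        "shared_prefix": shared,
        "lookalike": (not match) and shared >= prefix_chars,
        "first_difference": None if match else shared,
    }


def confirmation_view(addr: str, head: int = 4, tail: int = 6) -> str:
    """Abbreviation for a confirmation prompt that shows the *tail* as well as the head.

    Head-only abbreviations ("bc1q...") are what a prefix-matched swap defeats.
    """
    return f"{addr[:head]}...{addr[-tail:]}"


# Constructed sample values (not real addresses). The second shares the first
# 16 characters with the first, as a prefix-matched substitute would.
COPIED_ADDRESS = "bc1qconstructed0example0address0000aaaa"
SWAPPED_ADDRESS = "bc1qconstructed0attacker0swap000000zzzz"


def demo() -> dict:
    """Run the check on the constructed pair and return the verdict."""
    verdict = verify_destination(COPIED_ADDRESS, SWAPPED_ADDRESS)
    verdict["view_copied"] = confirmation_view(COPIED_ADDRESS)
    verdict["view_pasted"] = confirmation_view(SWAPPED_ADDRESS)
    return verdict


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the constructed pair the two addresses agree on the first 16 characters and diverge at position 16, so a head-only comparison passes while the full-string check fails and flags a look-alike; showing the tail in the confirmation prompt makes the difference visible.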

Clipboard monitoring isn’t the only surveillance. Microsoft also says the malware captures five screenshots of the victim’s screen every ten seconds and exfiltrates them to the C2 over Tor, using the curl tool.


There’s more, too. Microsoft reports the malware includes support for remote code execution. That capability can be triggered by a C2 EVAL instruction: the malware downloads JavaScript content into a file named ‘cfile’ and then executes it on the infected machine.

For defenders, Microsoft says the strongest indicators are behavioral rather than signature-based. The recommended monitoring focuses on process activity involving wscript.exe and cscript.exe, unexpected launches of curl, PowerShell, and cmd.exe, and unusual child processes. Network clues matter as well, with connections to ‘localhost:9050’ and Tor proxy activity flagged as red flags tied to this campaign.
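To make those behavioral indicators concrete, here is an added example (not Microsoft's detection logic or any tooling from the article) that runs the rules over a handful of constructed endpoint events: script hosts spawning curl, PowerShell or cmd.exe, a process named ugate.exe, and connections to the local Tor SOCKS port 9050. The event layout loosely follows Sysmon-style process-creation and network-connection records; the field names are an assumption.

```python
"""Behavioral triage for the USB-worm indicators listed in the article.

Added example, not Microsoft's or the article's own tooling. Events are
constructed dictionaries; field names (type, image, parent_image, dest_ip,
dest_port) are assumed and are not tied to any particular product.
"""
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPECT_CHILDREN = {"curl.exe", "powershell.exe", "cmd.exe"}
LOCAL_HOSTS = {"127.0.0.1", "::1", "localhost"}
TOR_SOCKS_PORTS = {9050}            # 'localhost:9050' from the article
KNOWN_TOR_BINARY = "ugate.exe"      # Tor executable name reported by Microsoft


@dataclass
class Alert:
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows-style path."""
    return path.lower().rsplit("\\", 1)[-1]


def check_process(ev: dict) -> list:
    """Rules for a process-creation event."""
    alerts = []
    parent = basename(ev.get("parent_image", ""))
    image = basename(ev.get("image", ""))
    if parent in SCRIPT_HOSTS and image in SUSPECT_CHILDREN:
        alerts.append(Alert("script_host_spawn", f"{parent} -> {image}"))
    if image == KNOWN_TOR_BINARY:
        alerts.append(Alert("known_tor_binary", image))
    return alerts


def check_network(ev: dict) -> list:
    """Rules for a network-connection event."""
    alerts = []
    dest, port = ev.get("dest_ip"), ev.get("dest_port")
    if dest in LOCAL_HOSTS and port in TOR_SOCKS_PORTS:
        image = basename(ev.get("image", ""))
        alerts.append(Alert("local_tor_proxy", f"{image} -> {dest}:{port}"))
    return alerts


def triage(events: list) -> list:
    """Apply every rule to every event and return the alerts in order."""
    alerts = []
    for ev in events:
        if ev.get("type") == "process_create":
            alerts.extend(check_process(ev))
        elif ev.get("type") == "network_connect":
            alerts.extend(check_network(ev))
    return alerts


# Constructed sample telemetry: one benign launch, two script-host spawns,
# a local Tor SOCKS connection, the reported Tor binary, and a benign HTTPS flow.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\curl.exe"},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network_connect", "image": r"C:\Windows\System32\curl.exe",
     "dest_ip": "127.0.0.1", "dest_port": 9050},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"E:\ugate.exe"},
    {"type": "network_connect", "image": r"C:\Program Files\Browser\browser.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},   # TEST-NET placeholder
]


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

Run against the sample set, the benign explorer-to-notepad launch and the outbound HTTPS flow produce nothing, while the two script-host spawns, the loopback connection to port 9050 and the ugate.exe launch each raise an alert. The rules are deliberately narrow; in production you would pair the port-9050 rule with an allow-list for hosts that legitimately run a Tor client.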


4 Comments

  1. My cousin got a USB from “work” and I told him not to open stuff. But why is this even a thing, like Windows should stop LNK files from doing all that. Also Tor?? doesn’t that mean it’s just for criminals anyway?

  2. Wait it says it checks if Task Manager is inactive… so if I keep Task Manager open it just can’t steal my clipboard or whatever? That seems like a hack-y workaround lol. Also ugate.exe sounds like it could be from an update or something so people might not even notice.

  3. I don’t even know what BIP39 is but the 12-word thing makes it sound like it’s stealing your bank account passwords or like your crypto login phrase. If the USB drive looks harmless until you double click, I’m surprised more people aren’t freaking out. Wouldn’t the docs just disappear though? Unless they’re hiding stuff… so it’s like Windows is helping them?
