
Hackers Use Weaponized Windows Shortcuts to Spread Crypto Clipper Across USB Drives


Jun 19, 2026

A newly discovered cryptocurrency clipper malware has been quietly stealing digital assets from victims since February 2026, spreading through a trick that most users would never suspect: weaponized Windows shortcut files on USB drives.

The malware is not just a simple thief. It comes with worm-like behavior, Tor-based communication, and the ability to execute remote commands, making it one of the more sophisticated financially motivated threats seen this year.

The attack begins the moment someone plugs in an infected USB drive and clicks on what looks like a familiar document. Unbeknownst to the user, the file is actually a malicious shortcut (.lnk) that silently launches the harmful payloads in the background.

The malware hides the original files, replaces them with look-alike shortcuts, and waits for unsuspecting users on other machines to fall into the same trap.

Analysts from Microsoft Threat Intelligence and Microsoft Defender Experts identified this campaign and noted it has been actively targeting users for several months.

Microsoft said in a report shared with Cyber Security News (CSN) that the malware carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution, all while routing its traffic through the Tor network.

The threat leaves very little trace in the traditional sense. There is no standard installer, no exposed IP address to block, and the core payloads are encrypted and only unpacked at the moment of execution. This preparation suggests the people behind this campaign put significant effort into staying hidden.

[Figure: High level execution flow (Source: Microsoft)]

The financial damage can be immediate and severe. By quietly swapping copied wallet addresses with attacker-controlled ones, it can redirect entire cryptocurrency transactions without the victim noticing until the funds are already gone.

Hackers Use Weaponized Windows Shortcuts

The malware’s delivery method is deceptively simple. When a USB drive is inserted into an infected machine, the worm scans it for common file types like .doc, .xlsx, and .pdf. It hides the originals and creates shortcut versions with the same names, trapping the next person who picks up the drive.

Once a victim clicks one of those shortcuts, the worm drops two malicious JavaScript files into a subfolder under “C:\Users\Public\Documents” using a five-character naming pattern for both the folder and file names.

It also creates two scheduled tasks to keep the stealer running and the worm spreading to any new USB device connected to the machine.

The installation is wrapped in multiple layers of obfuscation. The initial payload is a Python script protected with PyArmor and packaged into a standalone executable, while the JavaScript files each carry dual-layer obfuscation.

[Figure: CheckC2Command function (Source: Microsoft)]

The malware also terminates itself if Task Manager is detected, making manual inspection significantly harder.

Tor-Routed Command and Control and Clipboard Theft

At the heart of this malware is a portable Tor client renamed “ugate.exe” that launches in a hidden window.

Once Tor is running, the malware communicates with its command server entirely through .onion addresses, making it nearly impossible to block based on destination domain alone.

The clipper monitors the clipboard roughly every 500 milliseconds, looking for seed phrases, private keys, and wallet addresses.

When it spots a copied wallet address, it silently replaces it with one controlled by the attacker. Supported formats include Bitcoin legacy, P2SH, Taproot, Bech32, Tron, and Monero addresses.
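The substitution behaviour just described can be checked for directly on an endpoint. The following PowerShell is an added example, not code from Microsoft or CybersecurityNews: it places a known wallet address on the clipboard, waits well past the roughly 500 ms polling interval the report gives, and reads the clipboard back. The address-family regexes are this example's own approximations of the formats listed above (lowercase Bech32 only), not the malware's matching logic, and the bait is the well-known Bitcoin genesis-block coinbase address, a public constant.

```powershell
# Added example (not Microsoft's or CybersecurityNews' code): a clipboard canary check.
# The clipper polls the clipboard about every 500 ms and swaps any recognised wallet
# address for an attacker-controlled one, so placing a known address on the clipboard,
# waiting longer than one poll, and reading it back exposes the swap.

# Address families named in the report. The regexes are this example's own
# approximation of each format (lowercase Bech32 only), not the malware's logic.
$WalletPatterns = [ordered]@{
    'Bitcoin legacy (P2PKH)'     = '^1[1-9A-HJ-NP-Za-km-z]{25,34}$'
    'Bitcoin P2SH'               = '^3[1-9A-HJ-NP-Za-km-z]{25,34}$'
    'Bitcoin Bech32 (SegWit v0)' = '^bc1q[02-9ac-hj-np-z]{38,58}$'
    'Bitcoin Taproot (Bech32m)'  = '^bc1p[02-9ac-hj-np-z]{58}$'
    'Tron'                       = '^T[1-9A-HJ-NP-Za-km-z]{33}$'
    'Monero'                     = '^[48][1-9A-HJ-NP-Za-km-z]{94}$'
}

function Get-WalletAddressFamily {
    param([string]$Text)
    $candidate = $Text.Trim()
    foreach ($family in $WalletPatterns.Keys) {
        if ($candidate -cmatch $WalletPatterns[$family]) { return $family }
    }
    return $null
}

function Test-ClipboardCanary {
    param(
        # Bait text: the well-known Bitcoin genesis-block coinbase address, a public
        # constant rather than anyone's live wallet.
        [string]$Canary = '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa',
        # Several multiples of the reported 500 ms poll interval.
        [int]$WaitMilliseconds = 2000
    )
    $before = Get-Clipboard -Raw          # keep whatever the user had copied
    Set-Clipboard -Value $Canary
    Start-Sleep -Milliseconds $WaitMilliseconds
    $observed = Get-Clipboard -Raw
    if ($null -ne $before) { Set-Clipboard -Value $before }

    $observedText = if ($null -eq $observed) { '' } else { $observed.Trim() }
    [pscustomobject]@{
        Canary         = $Canary
        CanaryFamily   = Get-WalletAddressFamily $Canary
        Observed       = $observedText
        ObservedFamily = Get-WalletAddressFamily $observedText
        # True when something rewrote the clipboard while we waited.
        Tampered       = ($observedText -ne $Canary)
    }
}

# Usage: run on the endpoint under review. Tampered = True with ObservedFamily equal to
# CanaryFamily is exactly the same-format address swap the report describes.
Test-ClipboardCanary | Format-List
```

A result with Tampered set but a different or empty ObservedFamily points at some other clipboard manager or tool rewriting the clipboard, so the two family columns are what separate a clipper from benign noise.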

The malware also captures five screenshots at ten-second intervals and sends them back to the attacker over Tor. This gives the operator a fuller picture of what the victim is doing with their funds.

An EVAL command from the server can also push arbitrary code to run directly on the victim’s machine.

Defenders are strongly advised to disable AutoRun and AutoPlay for all removable media and to block .lnk execution from USB drives through Group Policy.

Restricting script interpreters like wscript.exe and cscript.exe where not needed, and hunting for SOCKS5 proxy traffic on localhost:9050, are key steps to catching this threat early.

Reviewing clipboard and screen-capture behaviors on devices handling financial workflows is equally important.
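The delivery artifacts (hidden originals beside same-name .lnk files on removable drives, five-character folder and script names under C:\Users\Public\Documents, the two scheduled tasks) and the detection advice above (ugate.exe, SOCKS5 on localhost:9050, script-host usage) can be combined into one host-side hunt. The script below is an added example, not code from Microsoft or CybersecurityNews. The file names, folder, port and process name come from the report; the alphanumeric character class for the five-character names and the list of script hosts checked in shortcut targets are this example's assumptions.

```powershell
# Added example (not Microsoft's or CybersecurityNews' code): a host-side hunt for the
# artifacts the report names. ugate.exe, port 9050, the Public\Documents drop folder and
# the five-character naming pattern come from the report; the alphanumeric character
# class and the list of script hosts are this example's assumptions. Run elevated.

function Invoke-ClipperWormHunt {
    $findings = New-Object System.Collections.Generic.List[string]
    $shell = New-Object -ComObject WScript.Shell

    # 1. Removable drives (DriveType 2): shortcuts that launch a script host and sit
    #    next to a hidden file with the same base name (the hidden-original pair).
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
        Get-ChildItem -Path (Join-Path $_.DeviceID '\') -Filter *.lnk -File -Recurse -ErrorAction SilentlyContinue
    } | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $baseName = $_.BaseName
        $hiddenTwin = Get-ChildItem -Path $_.DirectoryName -Filter "$baseName.*" -Hidden -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -ne '.lnk' }
        $launchesScriptHost = ($lnk.TargetPath -match '(^|\\)(wscript|cscript|cmd|powershell|mshta)\.exe$') -or
                              ($lnk.Arguments -match '\.js(\s|$)')
        if ($hiddenTwin -and $launchesScriptHost) {
            $findings.Add("USB look-alike shortcut: $($_.FullName) -> $($lnk.TargetPath) $($lnk.Arguments)")
        }
    }

    # 2. The dropper's JavaScript files: a five-character folder under Public\Documents
    #    holding five-character .js files (character class assumed).
    $publicDocs = Join-Path $env:PUBLIC 'Documents'
    Get-ChildItem -Path $publicDocs -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[A-Za-z0-9]{5}$' } |
        ForEach-Object {
            Get-ChildItem -Path $_.FullName -Filter *.js -File -ErrorAction SilentlyContinue |
                Where-Object { $_.BaseName -match '^[A-Za-z0-9]{5}$' } |
                ForEach-Object { $findings.Add("Dropped script: $($_.FullName)") }
        }

    # 3. Persistence: scheduled tasks whose action runs a script host or anything
    #    under Public\Documents.
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            if (($action.Execute -match '(wscript|cscript)\.exe') -or
                ($action.Arguments -match 'Public\\Documents')) {
                $findings.Add("Scheduled task: $($task.TaskPath)$($task.TaskName) -> $($action.Execute) $($action.Arguments)")
            }
        }
    }

    # 4. The renamed Tor client and its local SOCKS5 listener.
    Get-Process -Name ugate -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add("Tor client process: PID $($_.Id) $($_.Path)")
    }
    Get-NetTCPConnection -LocalPort 9050 -ErrorAction SilentlyContinue | ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("TCP 9050 $($_.State): $($owner.ProcessName) (PID $($_.OwningProcess))")
    }

    return $findings
}

# Usage: run elevated on the suspect host; an empty result means none of these
# artifacts were found (which does not prove the host is clean).
$hits = Invoke-ClipperWormHunt
if ($hits.Count -eq 0) { 'No artifacts from this report found.' } else { $hits }
```

The shortcut check deliberately requires both conditions, a hidden namesake file and a script-host target, because a shortcut to a document on its own is common on shared drives; the pairing is what the worm leaves behind. Section 4 matches any connection on port 9050 rather than only listeners so that an established loopback session to the SOCKS proxy is also reported.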

Indicators of Compromise (IoCs):

Type       Indicator                                                          Description
SHA-256    7630debd35cac6b7d58c4427695579b3e3a8b1cc462f523234cd6c698882a68c   Crypto Clipper Worm
SHA-256    a7abf1d9d6686af1cefcd60b17a312e7eb8cfe267def1ec34aeab6128c811630   Crypto Clipper Worm
SHA-256    23c1e673f315dafa14b73034a90dd3d393a984451ff6601b8be8142be6487b43   Crypto Clipper Worm
SHA-256    cf9fc891ea5ca5ecd8113ef3e69f6f52ff538b6cccbdaa9559106fc72bc6da30   Crypto Clipper Worm
SHA-256    100407796028bf3649752d9d2a67a0e4394d752eb8de86daa42920e814f3fae8   Crypto Clipper Worm
SHA-256    d14b80cbd1a19d4ad0473a0661297f8fdf598e81ff6c4ab24e212dcad2e54b3f   Crypto Clipper Worm
SHA-256    9d90f54ae36c6c5435d5b8bed40faf54cc91f6db28574a6310b5ffaeb0362e96   Crypto Clipper Worm
SHA-256    67fc5cf395e28294bbb91ed0e954fdf2e80ebd9119022a115a42c286dc8bacf5   Crypto Clipper Worm
SHA-256    0020d23b0f9c5e6851a7f737af73fd143175ee47054931166369edd93338538a   Crypto Clipper Worm
SHA-256    35a6bc44b176a050fd6824904b7604f0f45b0fdfa26bf9500b9e05973b387cfd   Crypto Clipper Worm
SHA-256    c824630154ac4fdfce94ded01f037c305eab51e9bef3f493c60ff3184a640502   Crypto Clipper Worm
SHA-256    d43bf94f0cb0ab97c88113b7e07d1a4024d1610617b5ad05882b1dbab89e15ba   Crypto Clipper Worm
SHA-256    b2777b73a4c33ac6a409d475057843be6b5d32262ef28a1f1ff5bb52e3834c5f   Crypto Clipper Worm
SHA-256    7787a9a7d8ae393aa32f257d083903c4dc9b97a1e5b0458c4cd480d4f3cb5b05   Crypto Clipper Worm
SHA-256    f3b54984caca95fd496bcfe5d7db1611b08d2f5b7d250b43b430e5d76393f9e0   Crypto Clipper Worm
SHA-256    20db98af3037b197c8a846dbf17b87fc6f049c3e0d9a188f9b9a74d3916dd5e1   Crypto Clipper Worm
Filename   ugate.exe                                                          Portable Tor binary
Domain     cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad[.]onion   C2 domain
Domain     gfoqsewps57xcyxoedle2gd53o6jne6y5nq5eh25muksqwzutzq7b3ad[.]onion   C2 domain
Domain     he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad[.]onion   C2 domain
Domain     lyhizqy2js2eh6ufngkbzntouiikdek5zsdj3qwa22b4z6knpqorgiad[.]onion   C2 domain
Domain     j3bv7g27oramhbxxuv6gl3dcyfmf44qnvju3offdyrap7hurfprq74qd[.]onion   C2 domain
Domain     shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid[.]onion   C2 domain
Domain     7goms4byw26kkbaanz5a5u5234gusot7rp5imzc3ozh66wwcvmcudjid[.]onion   C2 domain
Domain     facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd[.]onion   C2 domain
Domain     wt26llpl5k6gok3vnaxmucwgzv2wk3l7nuibbh25clghrtus3p5ctsid[.]onion   C2 domain
Domain     ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd[.]onion   C2 domain

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
