New worm-like malware steals cryptocurrency via clipboard and USB drives, Microsoft warns
By Mr Bagel
Microsoft Threat Intelligence has reported a Windows-based cryptocurrency clipper malware campaign that has been active since February 2026. The malware, which Ars Technica calls Crypto Clipper, spreads worm-like via USB drives and routes its command-and-control traffic through the Tor network for anonymity.
"The malware uses Windows Script Host and ActiveX to launch a bundled Tor proxy and communicate with a hidden-service C2 server."
This approach lets the malware avoid relying on traditional infrastructure, Microsoft reported. Once on a device, the clipper performs high-frequency clipboard theft: it monitors the clipboard for wallet addresses or seed phrases and substitutes wallet addresses with attacker-controlled ones, so that a victim who pastes an address into a transaction sends funds to the attacker instead.
Ars Technica detailed that the malware captures five screenshots over 10 seconds and exfiltrates the data along with clipboard contents to attacker-controlled servers via Tor. Microsoft noted that the clipper also includes a lightweight backdoor capability for follow-on activity, making it more than a simple theft tool.
"It performs high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution to steal cryptocurrency transactions."
The worm-like propagation mechanism, which spreads through USB drives, represents a notable evolution in cryptocurrency malware, as it can move beyond the initial infection point without user interaction. Microsoft advised users to be cautious with USB devices and to verify wallet addresses before completing transactions; the company did not specify the scale of the campaign or the total losses incurred. The discovery highlights the ongoing arms race between cybercriminals and security firms as cryptocurrency adoption continues to grow.
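The two defensive points in the article, detecting an unexpected clipboard swap and verifying the full address before sending, can be turned into a small checker. The example below is added here and is not code from Microsoft, Ars Technica, or the malware itself: it replays a constructed sequence of clipboard snapshots (the `user_copy` flag stands in for a monitor that correlates clipboard changes with the user's own copy actions, which is an assumption of this example, not a Windows API), classifies wallet-looking strings with generic Bitcoin and Ethereum address patterns, and flags any case where the clipboard silently changes from the address the user copied to a different address of the same kind. The addresses are made up and match only the syntactic patterns, not real wallets.

```python
import re
from dataclasses import dataclass

# Syntactic patterns for common address formats (format checks only; no checksum validation).
WALLET_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the address family a clipboard string looks like, or None."""
    s = text.strip()
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


@dataclass
class ClipboardEvent:
    t_ms: int          # time of the snapshot, milliseconds since monitoring started
    content: str       # clipboard text at that moment
    user_copy: bool    # True if the change coincided with the user's own copy action (assumed signal)


def detect_substitutions(events):
    """Replay clipboard snapshots and return (t_ms, copied, substituted) tuples.

    The last wallet address the user copied is the 'expected' value. A later snapshot
    that holds a different address of the same family, without a user copy in between,
    is the clipper signature: the text changed underneath the user.
    """
    alerts = []
    expected = None  # (family, address) of the last user-copied wallet address
    for ev in events:
        family = classify_address(ev.content)
        if ev.user_copy:
            expected = (family, ev.content.strip()) if family else None
            continue
        if expected and family == expected[0] and ev.content.strip() != expected[1]:
            alerts.append((ev.t_ms, expected[1], ev.content.strip()))
    return alerts


def looks_alike(intended, pasted, n=4):
    """True when two different addresses share their first and last n characters.

    Clippers often pick a substitute that matches the prefix and suffix so that a glance
    at the ends of the address passes; this is why the full string must be compared.
    """
    return intended != pasted and intended[:n] == pasted[:n] and intended[-n:] == pasted[-n:]


def verify_before_send(intended, pasted):
    """Exact comparison of the address the user meant to use with the one about to be sent."""
    return intended.strip() == pasted.strip()


# Constructed sample addresses: syntactically valid, not real wallets.
BTC_INTENDED = "1Bc4n5RvX8eDd7uZsQ3cTnJ9Yy2uGqwe4x"
BTC_SUBSTITUTED = "1Bc4n5RvX" + "a" * 19 + "Gqwe4x"       # same ends, different middle
ETH_INTENDED = "0x" + "ab12" * 10
ETH_SUBSTITUTED = "0x" + "ab12" * 2 + "ff" * 12 + "ab12" * 2

# Constructed timeline: two user copies of wallet addresses, each followed by a silent swap.
SAMPLE_EVENTS = [
    ClipboardEvent(0, "Meeting notes for Tuesday", True),     # not an address; nothing to protect
    ClipboardEvent(1000, BTC_INTENDED, True),                 # user copies the recipient address
    ClipboardEvent(1050, BTC_SUBSTITUTED, False),             # clipboard rewritten 50 ms later
    ClipboardEvent(5000, ETH_INTENDED, True),                 # user copies an ETH address
    ClipboardEvent(5010, ETH_INTENDED, False),                # benign re-set with identical content
    ClipboardEvent(5020, ETH_SUBSTITUTED, False),             # swapped to attacker-style address
]

if __name__ == "__main__":
    for t_ms, copied, swapped in detect_substitutions(SAMPLE_EVENTS):
        hint = " (prefix/suffix look-alike)" if looks_alike(copied, swapped) else ""
        print(f"[{t_ms} ms] clipboard swap: {copied} -> {swapped}{hint}")
```

The `user_copy` signal is the weak point of any such monitor: a real clipper rewrites the clipboard within milliseconds of the copy, so a polling monitor that cannot tell its own user's copy from the malware's write will see only the final value. That is why the article's advice to compare the whole pasted address against the intended one, rather than its first and last few characters, remains the check that works regardless of how fast the substitution happens.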