TL;DR

  • Microsoft disclosed an ongoing crypto clipper malware campaign that spreads through USB drives by disguising itself as legitimate files.
  • The malware can replace copied wallet addresses, steal seed phrases, capture screenshots, and maintain remote access to infected systems.
  • The campaign highlights growing security risks for cryptocurrency users and the importance of verifying wallet addresses before transactions.

Microsoft has disclosed a new crypto clipper malware campaign that can spread through USB drives. The malware steals cryptocurrency-related data and redirects transactions by replacing wallet addresses that a user copies to the clipboard. Microsoft tracks the threat as Trojan:Win32/CryptoBandits.A and said it has been active since at least February 2026. Beyond traditional clipping techniques, it also carries broader backdoor capabilities.

The campaign shows that malware targeting cryptocurrency users is becoming more sophisticated and is built to maintain long-term access to infected systems rather than just swap an address once.

Microsoft Details the CryptoBandits Campaign

According to Microsoft’s threat intelligence team, the malware is designed to monitor infected Windows devices for cryptocurrency-related activity. Once installed, it can search for wallet information, collect system data, and monitor clipboard contents for cryptocurrency addresses. The malware polls the clipboard approximately every 500 milliseconds, allowing it to quickly identify and replace copied wallet addresses.

The malware also targets sensitive information such as seed phrases and private keys. In addition, researchers observed functionality that allows attackers to capture screenshots and gather information from infected systems.

Microsoft said the campaign’s infrastructure uses the Tor anonymity network, making it more difficult to identify or disrupt the operators behind the activity.

How the Malware Spreads Through USB Drives

One of the more unusual aspects of the campaign is its ability to spread through removable media. The malware searches connected USB drives for common file types, including Word documents, PDFs, and Excel files. It then hides the original files and replaces them with malicious Windows shortcut (.lnk) files that mimic the legitimate documents, down to the document icon. When a user opens one of these shortcuts, the malware executes and at the same time opens the original, now hidden, file, so the user sees the document they expected and has no visible reason to suspect a compromise. Each infected drive then carries the lure to whatever system it is plugged into next.
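The shortcut lure described above can be triaged from the .lnk file itself. The following is an added example written for this article, not Microsoft's code or a sample from the campaign: it parses the header and StringData fields of the publicly documented Shell Link (MS-SHLLINK) format and flags a shortcut whose target is a shell or script host while its icon is borrowed from a document application. The interpreter list, the document-icon markers and the sample shortcut built by build_lnk() (including its command line) are assumptions constructed for the demonstration.

```python
"""Triage Windows shortcut (.lnk) files for the document-lure pattern described above.

Added example, not Microsoft's code or a CryptoBandits sample. Parses the
ShellLinkHeader and StringData fields of the public MS-SHLLINK format and flags
shortcuts whose target is a script host or shell while their icon imitates an
Office/PDF document. The sample .lnk bytes are constructed here with build_lnk().
"""
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Interpreters a "document" shortcut has no business launching (assumed list).
SUSPICIOUS_TARGETS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
# Icon sources that make a shortcut look like a document (assumed markers).
DOCUMENT_ICONS = ("winword", "excel", "powerpnt", "acrord32", "acrobat", ".docx", ".xlsx", ".pdf")
DOCUMENT_EXTENSIONS = (".docx", ".doc", ".xlsx", ".xls", ".pdf")


def _read_string(data: bytes, pos: int, unicode: bool) -> tuple[str, int]:
    """Read one StringData item: a 2-byte character count followed by the characters."""
    count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    if unicode:
        raw = data[pos:pos + count * 2]
        return raw.decode("utf-16-le"), pos + count * 2
    raw = data[pos:pos + count]
    return raw.decode("cp1252", errors="replace"), pos + count


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk (name, relative path, working dir, arguments, icon)."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # skip IDList: 2-byte size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # skip LinkInfo: its 4-byte size field includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"name": "", "relative_path": "", "working_dir": "", "arguments": "", "icon_location": ""}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:                  # StringData items appear in exactly this order
            fields[key], pos = _read_string(data, pos, unicode)
    return fields


def triage(fields: dict) -> list[str]:
    """Heuristics for the lure: interpreter target, document-style icon, arguments that open a decoy."""
    findings = []
    target = fields["relative_path"].lower()
    args = fields["arguments"].lower()
    icon = fields["icon_location"].lower()
    if target.endswith(SUSPICIOUS_TARGETS):
        findings.append(f"target is a script host/shell: {fields['relative_path']}")
    if any(tag in icon for tag in DOCUMENT_ICONS):
        findings.append(f"icon borrowed from a document application: {fields['icon_location']}")
    if target.endswith(SUSPICIOUS_TARGETS) and any(ext in args for ext in DOCUMENT_EXTENSIONS):
        findings.append("shell arguments open a document: run-payload-then-show-decoy pattern")
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Construct a minimal Unicode .lnk carrying only StringData (sample input, not a real artifact)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))   # attributes, timestamps, size, icon index, ...
    body = b""
    for s in (relative_path, arguments, icon_location):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed samples: a hypothetical lure and the benign shortcut it impersonates.
LURE = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    r'/c start "" "Q3_report.docx" & start "" %TEMP%\payload.exe',   # hypothetical command line
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
)
BENIGN = build_lnk(r"..\Q3_report.docx", "", "")

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage(parse_lnk(blob)))
```

Real shortcuts usually store the target in the LinkTargetIDList or LinkInfo structures, which this parser skips; the arguments and icon location, which carry most of the lure signal, are always in StringData, so the heuristics still apply. Run across every .lnk on a drive, the script gives a quick list of shortcuts worth opening in a hex editor rather than by double-clicking.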

Researchers described the behavior as worm-like because the malware can propagate without direct interaction from the attacker once an infected system is established.

However, Microsoft did not disclose how victims are initially infected. While USB drives are a key propagation mechanism, the company did not identify the original infection vector or attribute the campaign to a specific threat actor.

More Than a Traditional Clipper

A typical crypto clipper malware operation focuses on replacing cryptocurrency wallet addresses stored in a victim’s clipboard. If a user copies a legitimate wallet address while preparing a transaction, the malware can substitute it with an attacker-controlled address before the funds are sent.

Microsoft’s analysis suggests CryptoBandits goes beyond that traditional model.

The malware includes remote command execution capabilities that allow operators to run additional actions on compromised devices. Combined with data collection and persistence features, these functions effectively give attackers ongoing access to infected systems.

That broader functionality has led some security researchers to describe the threat as a lightweight backdoor in addition to a clipper.

Why the Threat Matters for Crypto Users

The campaign highlights a persistent security risk for cryptocurrency users: endpoint compromises can undermine otherwise secure storage practices. Even users who safeguard their assets carefully may still be exposed if malware modifies transaction details before funds are transferred.

Clipboard replacement attacks are particularly difficult to detect because transactions may appear legitimate until users carefully compare wallet addresses. A single altered character can redirect funds to an attacker-controlled destination.

Security experts generally recommend verifying the full wallet address, not just its first and last characters, before confirming a transaction. Users should also avoid unknown USB devices, keep security software updated, and treat unexpected shortcut files with caution.
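The clipping risk discussed in this section comes down to one comparison: the address the user meant to send to versus the address that actually sits in the transaction field. The following is an added example written for this article, not code from Microsoft's report or from the malware: it shows the address patterns a clipper typically polls the clipboard for, validates a legacy Bitcoin address's Base58Check checksum with only the standard library, and diffs the intended address against the pasted one. The sample text and the corrupted address are constructed for the demonstration; the genesis-block address is a well-known public address.

```python
"""Paste guard for wallet addresses, illustrating the clipboard-clipping problem described above.

Added example, not from Microsoft's report or the malware. Shows the address
patterns a clipper hunts for, checks a legacy Bitcoin address's Base58Check
checksum, and diffs what the user meant to paste against what was pasted.
"""
import hashlib
import re

# Patterns a clipper typically matches before swapping (legacy/P2SH Bitcoin, bech32, Ethereum).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    "btc_bech32": re.compile(r"\bbc1[ac-hj-np-z02-9]{11,71}\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def find_addresses(text: str) -> dict[str, list[str]]:
    """Return every candidate address in text, grouped by format (what a clipper polls for)."""
    found = {kind: pat.findall(text) for kind, pat in ADDRESS_PATTERNS.items()}
    return {kind: hits for kind, hits in found.items() if hits}


def base58check_valid(address: str) -> bool:
    """True if a legacy Bitcoin address decodes to 25 bytes with a correct double-SHA256 checksum."""
    n = 0
    for ch in address:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    leading = len(address) - len(address.lstrip("1"))   # each leading '1' is a zero byte
    payload = b"\x00" * leading + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(payload) != 25:                              # 1 version + 20 hash + 4 checksum
        return False
    body, checksum = payload[:-4], payload[-4:]
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] == checksum


def check_paste(intended: str, pasted: str) -> dict:
    """Compare the address the user copied with the one about to be sent; list every differing position."""
    diffs = [i for i, (a, b) in enumerate(zip(intended, pasted)) if a != b]
    if len(intended) != len(pasted):
        diffs.extend(range(min(len(intended), len(pasted)), max(len(intended), len(pasted))))
    return {
        "match": intended == pasted,
        "differing_positions": diffs,
        "pasted_has_valid_checksum": base58check_valid(pasted),
    }


# Well-known public address (Bitcoin genesis block) and a constructed one-character corruption of it.
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
CORRUPTED_ADDRESS = GENESIS_ADDRESS[:-1] + "b"
# Constructed message of the kind a user would copy an address out of.
SAMPLE_TEXT = "Invoice 0042: please send 0.5 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa by Friday."

if __name__ == "__main__":
    print(find_addresses(SAMPLE_TEXT))
    print(check_paste(GENESIS_ADDRESS, GENESIS_ADDRESS))
    print(check_paste(GENESIS_ADDRESS, CORRUPTED_ADDRESS))
```

The checksum test is deliberately the weaker of the two checks: a clipper substitutes an attacker address that is itself checksum-valid, so wallet software accepts it without complaint. Only the comparison against the address obtained from the recipient out of band (read from their page or message, not from the clipboard) catches a substitution, which is why the differing positions are reported rather than a single valid/invalid verdict. Ethereum's EIP-55 checksum needs Keccak-256, which the standard library does not provide, so this example validates Bitcoin legacy addresses only.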

The Broader Security Implications

The crypto clipper malware campaign identified by Microsoft reflects the continued evolution of threats targeting digital asset holders. CryptoBandits combines wallet theft techniques, USB-based propagation, Tor-enabled communications, and remote access capabilities. These features make it a more versatile threat than traditional clipping tools.

Microsoft’s report explains in detail how the malware spreads between devices, but it does not identify the campaign’s initial infection method or the people behind it. The investigation continues. What is known so far underscores once more how important strong security practices are when managing cryptocurrency assets.
