USB worm spreads crypto-stealing malware via Windows shortcut files
A USB worm malware campaign targets Windows users by spreading clipboard-stealing malware via malicious shortcut (LNK) files on USB drives. The malware monitors clipboard contents for cryptocurrency wallet addresses, seed phrases, and private keys, replacing them with attacker-controlled addresses to steal funds. It also captures screenshots and exfiltrates data over the Tor network. The worm propagates by creating malicious shortcuts that replace original documents and copies itself to newly connected USB drives. It supports remote code execution through commands from its command-and-control server.
AI Analysis
Technical Summary
This malware campaign uses USB drives with malicious Windows shortcut files (LNK) to infect systems. When a user opens a shortcut, the malware executes and stages additional payloads from a Tor hidden service. It scans local documents, hides originals, and replaces them with malicious shortcuts to maintain persistence and spread. The malware monitors the clipboard every 0.5 seconds for various cryptocurrency wallet formats and seed phrases, replacing them with attacker addresses to redirect funds. It also captures screenshots every 10 seconds and sends them to the attacker via Tor. The malware creates scheduled tasks to monitor USB device connections and self-propagates by copying itself and creating malicious shortcuts on new drives. It can execute remote JavaScript code delivered by the attacker. Detection is challenging as behavioral indicators (e.g., unusual process activity and Tor proxy connections) are more reliable than signatures.
Potential Impact
The malware enables theft of cryptocurrency by intercepting and replacing wallet addresses and seed phrases copied to the clipboard, potentially resulting in direct financial loss. It also compromises user privacy by capturing screenshots and exfiltrating sensitive data over Tor. The worm-like propagation via USB drives increases infection spread risk across air-gapped or isolated systems. Remote code execution capability allows attackers to execute arbitrary code, increasing the potential impact beyond data theft.
Mitigation Recommendations
No official patch or fix is available for this malware. Mitigation focuses on user awareness to avoid opening unknown or suspicious shortcut files from USB drives. Monitoring for behavioral indicators such as unexpected launches of wscript.exe, cscript.exe, curl, PowerShell, and cmd.exe, as well as Tor proxy activity (e.g., connections to localhost:9050), can help detect infections. Restricting or disabling autorun features for removable media and scanning USB drives with updated antivirus solutions before use can reduce infection risk. Incident response should include isolating infected systems and removing malicious scheduled tasks and shortcut files.
USB worm spreads crypto-stealing malware via Windows shortcut files
Description
A USB worm malware campaign targets Windows users by spreading clipboard-stealing malware via malicious shortcut (LNK) files on USB drives. The malware monitors clipboard contents for cryptocurrency wallet addresses, seed phrases, and private keys, replacing them with attacker-controlled addresses to steal funds. It also captures screenshots and exfiltrates data over the Tor network. The worm propagates by creating malicious shortcuts that replace original documents and copies itself to newly connected USB drives. It supports remote code execution through commands from its command-and-control server.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This malware campaign uses USB drives with malicious Windows shortcut files (LNK) to infect systems. When a user opens a shortcut, the malware executes and stages additional payloads from a Tor hidden service. It scans local documents, hides originals, and replaces them with malicious shortcuts to maintain persistence and spread. The malware monitors the clipboard every 0.5 seconds for various cryptocurrency wallet formats and seed phrases, replacing them with attacker addresses to redirect funds. It also captures screenshots every 10 seconds and sends them to the attacker via Tor. The malware creates scheduled tasks to monitor USB device connections and self-propagates by copying itself and creating malicious shortcuts on new drives. It can execute remote JavaScript code delivered by the attacker. Detection is challenging as behavioral indicators (e.g., unusual process activity and Tor proxy connections) are more reliable than signatures.
Potential Impact
The malware enables theft of cryptocurrency by intercepting and replacing wallet addresses and seed phrases copied to the clipboard, potentially resulting in direct financial loss. It also compromises user privacy by capturing screenshots and exfiltrating sensitive data over Tor. The worm-like propagation via USB drives increases infection spread risk across air-gapped or isolated systems. Remote code execution capability allows attackers to execute arbitrary code, increasing the potential impact beyond data theft.
Mitigation Recommendations
No official patch or fix is available for this malware. Mitigation focuses on user awareness to avoid opening unknown or suspicious shortcut files from USB drives. Monitoring for behavioral indicators such as unexpected launches of wscript.exe, cscript.exe, curl, PowerShell, and cmd.exe, as well as Tor proxy activity (e.g., connections to localhost:9050), can help detect infections. Restricting or disabling autorun features for removable media and scanning USB drives with updated antivirus solutions before use can reduce infection risk. Incident response should include isolating infected systems and removing malicious scheduled tasks and shortcut files.
Technical Details
- Article Source
- {"url":"https://www.bleepingcomputer.com/news/security/usb-worm-spreads-crypto-stealing-malware-via-windows-shortcut-files/","fetched":true,"fetchedAt":"2026-06-18T16:21:36.747Z","wordCount":740}
Threat ID: 6a341b10f198dc38c11ba958
Added to database: 6/18/2026, 4:21:36 PM
Last enriched: 6/18/2026, 4:21:44 PM
Last updated: 6/18/2026, 6:29:53 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.