Microsoft has detected a self-propagating malware named Crypto Clipper, which spreads via USB drives to steal cryptocurrency credentials. This malware monitors device clipboards for cryptocurrency wallet addresses and seed phrases.

Crypto Clipper captures five screenshots over a 10-second period when it detects target data on the clipboard. The malware then transmits the stolen credentials and screenshots to attackers through the Tor network. Crypto Clipper establishes its Tor connections with a local SOCKS5 proxy.

The malware propagates by executing .lnk shortcut files stored on infected USB drives. "The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure," Microsoft said. "Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor."

Crypto Clipper scans clipboards every half-second for 12-word and 24-word BIP39 seed phrases, Ethereum private keys, Bitcoin keys, and Tron and Monero wallet addresses. The malware replaces detected cryptocurrency addresses with attacker-controlled addresses to divert transactions. It selects replacement addresses that partially match legitimate wallet prefixes to avoid immediate user detection.

If the malware is not already installed on a device, it downloads additional components through the Tor proxy. The malware scans infected USB drives and assigns similar names to its .lnk files to conceal its presence. It also scans systems for document files, hides the originals, and replaces them with malicious shortcuts bearing identical names.
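A defender-side check for the hide-and-replace behaviour described above, written as an added example (not Microsoft's code or a sample of the malware): it flags any .lnk on a drive whose displayed name matches a hidden document beside it. The document extensions, the assumption that a shortcut may be named either `x.docx.lnk` or `x.lnk`, and the sample listing are constructed for the example.

```python
import os
import stat
from dataclasses import dataclass

# Constructed directory listing standing in for a removable drive. The hidden
# flag is carried explicitly so the check runs on any OS without the Windows
# hidden attribute.
@dataclass(frozen=True)
class Entry:
    name: str
    hidden: bool

# Assumed set of "document" extensions worth protecting.
DOC_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt"}

SAMPLE_LISTING = [
    Entry("Q3-report.docx", hidden=True),       # original, hidden
    Entry("Q3-report.docx.lnk", hidden=False),  # shown as "Q3-report.docx"
    Entry("budget.xlsx", hidden=True),
    Entry("budget.lnk", hidden=False),          # shown as "budget"
    Entry("notes.txt", hidden=False),           # untouched document
    Entry("tools.lnk", hidden=False),           # ordinary shortcut, no hidden twin
]

def suspicious_shortcuts(entries):
    """Return (shortcut, hidden_document) pairs where a visible .lnk has the
    same displayed name as a hidden document. Explorer never shows the .lnk
    extension, so 'x.docx.lnk' displays as 'x.docx' and 'x.lnk' as 'x'; both
    spellings are compared against the hidden documents."""
    hidden_docs = {}
    for e in entries:
        stem, ext = os.path.splitext(e.name)
        if e.hidden and ext.lower() in DOC_EXTENSIONS:
            hidden_docs[e.name.lower()] = e.name  # full name
            hidden_docs[stem.lower()] = e.name    # name without extension
    findings = []
    for e in entries:
        if e.hidden or not e.name.lower().endswith(".lnk"):
            continue
        displayed = e.name[:-4].lower()
        if displayed in hidden_docs:
            findings.append((e.name, hidden_docs[displayed]))
    return findings

def scan_directory(path):
    """Build entries from a real directory (hidden = Windows attribute when
    available, or a leading dot) and run the same check on them."""
    entries = []
    for name in os.listdir(path):
        st = os.stat(os.path.join(path, name))
        attrs = getattr(st, "st_file_attributes", 0)
        hidden = name.startswith(".") or bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
        entries.append(Entry(name, hidden))
    return suspicious_shortcuts(entries)
```

Run `scan_directory("E:\\")` (or any mount point) to check a real drive; each returned pair names the shortcut to quarantine and the original to unhide.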

Crypto Clipper creates a scheduled task to monitor for newly connected USB storage devices. When a new removable drive connects, the malware copies itself to the device and generates malicious shortcut files. Additional malware payloads are staged and downloaded from a .ONION address.

The data-stealing component executes only when Task Manager is inactive and establishes command-and-control communications using a Tor executable named ugate.exe. Stolen data is exfiltrated to the command-and-control server using the curl tool. Crypto Clipper supports remote code execution triggered by a command-and-control EVAL instruction that downloads and executes JavaScript from a file named cfile.

No independent assessment was available for this report.