Microsoft Threat Intelligence has issued a critical alert about a cryptocurrency clipper malware strain that is actively compromising Windows environments via USB drives. The campaign, operational since February, combines high-frequency clipboard theft, screenshot exfiltration and wallet-address substitution to drain digital assets. Data compiled by Woofun AI shows the malware specifically targets high-value financial artifacts such as BIP39 mnemonic seed phrases and private keys for Bitcoin and Ethereum. Beyond harvesting credentials, the malware replaces legitimate files on the drive with deceptive shortcuts that trick victims into executing the payload, while a worm component automatically copies itself to any USB storage device that is connected later.
What makes this malware dangerous is that it works as both an information stealer and a persistent backdoor. Rather than relying on exposed IP-based infrastructure or a conventional installer, the strain drops two obfuscated JavaScript payloads directly into the user's Windows Documents folder and then registers scheduled tasks so that both the worm and the stealer components survive reboots. Woofun AI notes that this design lets the operators push and execute arbitrary code on infected machines at any time, turning a one-off crypto theft into a long-term foothold that could later be used to deploy ransomware.
Operationally, the malware combines Tor-routed command-and-control channels, targeted clipboard monitoring and continuous screenshot capture, taking a screenshot every 10 seconds to gather context about what the victim is doing. It intercepts copied wallet addresses for the Bitcoin, Tron and Monero networks and swaps in attacker-controlled addresses before the user completes the transaction, so funds are diverted immediately while the operators retain control of the compromised device. Because it needs no conventional installer or runtime dependencies, the barrier to mass infection through physical media is significantly lower.
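The address swap described above can be modelled directly, together with a heuristic for spotting it on an endpoint. The Python below is an added example written for this article, not code from Microsoft's report or from the malware itself. The address patterns are shape checks only (no checksum validation) for the chains the article names (Bitcoin, Tron, Monero, plus Ethereum from the stolen-key targets); the clipboard timeline is constructed; and the two-second detection window is an assumption about how fast a polling clipper overwrites the clipboard, not a figure from the report.

```python
"""Model of wallet-address substitution by a clipboard clipper, and a heuristic
detector: an address overwritten by a *different* address of the *same* chain
within a short window is almost never a user action.

Added example for this article; patterns are shape checks, timeline is
constructed, and the 2-second window is an assumption, not a reported value."""
import re
from dataclasses import dataclass

# Base58 alphabet used by Bitcoin, Tron and Monero addresses (no 0, O, I, l).
BASE58 = r"[a-km-zA-HJ-NP-Z1-9]"
ADDRESS_PATTERNS = {
    # Legacy/P2SH (1..., 3...) or bech32 (bc1...) Bitcoin addresses.
    "BTC": re.compile(rf"^(?:[13]{BASE58}{{25,34}}|bc1[ac-hj-np-z02-9]{{25,87}})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "TRX": re.compile(rf"^T{BASE58}{{33}}$"),
    # Standard (4...) and sub-addresses (8...); 106-char integrated addresses omitted.
    "XMR": re.compile(rf"^[48]{BASE58}{{94}}$"),
}


@dataclass(frozen=True)
class ClipEvent:
    t: float    # seconds since the clipboard monitor started
    text: str   # clipboard contents after this change


def classify(text: str):
    """Return the chain name an address belongs to, or None for non-address text."""
    s = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return chain
    return None


def clipper_rewrite(text: str, attacker_addresses: dict) -> str:
    """What the malware does: replace a copied address with the attacker's on the same chain."""
    chain = classify(text)
    return attacker_addresses.get(chain, text) if chain else text


def find_substitutions(events, window_s: float = 2.0):
    """Flag consecutive clipboard states that go address -> different address,
    same chain, within window_s seconds (assumed clipper polling behaviour)."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        prev_chain, cur_chain = classify(prev.text), classify(cur.text)
        if (prev_chain and prev_chain == cur_chain
                and prev.text.strip() != cur.text.strip()
                and cur.t - prev.t <= window_s):
            alerts.append({"t": cur.t, "chain": cur_chain,
                           "copied": prev.text, "clipboard_now": cur.text})
    return alerts


# Constructed sample data: attacker wallets and a victim's clipboard timeline.
ATTACKER = {"BTC": "3Jx7Hq2Km9Pw4Rt6Vy8Zb3Nc5Mf7Qh9Sd",
            "TRX": "TMz5Kf8Wd2Hp7Qr3Nb9Vc4Jx6Ly1Sa8Gt2"}
USER_BTC = "1Ka9ZqQv8Hn3Pt7Rw2Xy5Lm6Nb4Jc8Dd2Fe"
USER_TRX = "TXk7Pm2Rq9Wz4Hb6Nc8Vd3Jf5Ly7Sa2Gt1"
TIMELINE = [
    ClipEvent(10.0, USER_BTC),                              # user copies deposit address
    ClipEvent(10.4, clipper_rewrite(USER_BTC, ATTACKER)),   # clipper overwrites it 400 ms later
    ClipEvent(42.0, "agenda for Tuesday"),                  # ordinary text, ignored
    ClipEvent(60.0, USER_TRX),
    ClipEvent(60.3, clipper_rewrite(USER_TRX, ATTACKER)),
    ClipEvent(300.0, "0x4f3a9c2e7b1d8f6a5e0c3b2d9a8f7e6c5b4a3d2e"),
    # A second ETH address copied two minutes later is a normal user action.
    ClipEvent(420.0, "0x9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c"),
]

if __name__ == "__main__":
    for alert in find_substitutions(TIMELINE):
        print(f"t={alert['t']:>6.1f}s  {alert['chain']} address replaced: "
              f"{alert['copied']} -> {alert['clipboard_now']}")
```

The detector reports the two substitutions (BTC at 10.4 s, TRX at 60.3 s) and stays quiet on the ETH pair, because that change took two minutes. The same comparison is what a user should do manually: check that the address in the transaction form is the one that was copied, not merely that it looks like a valid address.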
Microsoft recommends immediate mitigations, including disabling AutoPlay for all removable media and blocking the execution of .lnk files originating from USB drives. Security teams are also advised to monitor network traffic for proxy activity and to watch for unauthorized scripts being spawned. More broadly, 2026 has seen a marked escalation in Windows-based crypto stealers. Woofun AI analysis suggests the trend is accelerating, citing the recent identification of Lucid Stealer, a new strain targeting browser extensions and crypto wallets that the Foresiet Threat Intel Team reported earlier this month.
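The persistence pattern described earlier (JavaScript payloads in Documents, kept alive by scheduled tasks) and the monitoring advice above (unauthorized scripts, proxy traffic) translate into a small hunt. The Python below is an added example, not Microsoft's detection logic. The event records are constructed in a normalised shape of this example's own choosing (roughly what a SIEM produces from Sysmon Event ID 1/3 and Security Event ID 4698); the Tor SOCKS ports 9050/9150 are Tor's defaults and the check assumes the implant reaches its Tor-routed C2 through a local Tor client; and the "non-system drive" rule is a rough stand-in for "launched from a USB stick", because process-creation telemetry does not record volume type.

```python
"""Hunt for the USB clipper/stealer tradecraft: script hosts executing .js from
a Documents folder, scheduled tasks that persist them, script hosts started by
Explorer from a non-system drive, and script-host traffic into a local Tor SOCKS
port. Added example; event layout and sample records are constructed."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Tor's default SOCKS listeners (9050 daemon, 9150 Tor Browser). Assumption:
# the implant proxies its C2 through a local Tor client.
TOR_SOCKS_PORTS = {9050, 9150}
# A .js/.jse anywhere under a user's Documents folder, as in the reported dropper.
DOCS_JS = re.compile(r"\\Documents\\[^\"']*?\.jse?\b", re.IGNORECASE)
# Any drive letter other than C: (system drive assumed); first-pass proxy for
# removable media since Sysmon does not log volume type.
NON_SYSTEM_DRIVE = re.compile(r"\b[D-Zd-z]:\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, host, detail) for every event that matches a rule."""
    findings = []
    for ev in events:
        kind = ev["kind"]
        if kind == "process" and basename(ev["image"]) in SCRIPT_HOSTS:
            if DOCS_JS.search(ev["cmdline"]):
                findings.append(("script_host_running_js_from_documents", ev["host"], ev["cmdline"]))
            if NON_SYSTEM_DRIVE.search(ev["cmdline"]) and basename(ev["parent_image"]) == "explorer.exe":
                # Explorer launching a script host from D:..Z: is the .lnk-on-USB pattern.
                findings.append(("script_host_launched_from_non_system_drive", ev["host"], ev["cmdline"]))
        elif kind == "task_created" and basename(ev["action"]) in SCRIPT_HOSTS:
            if DOCS_JS.search(ev["arguments"]):
                findings.append(("scheduled_task_persists_js_from_documents", ev["host"], ev["task_name"]))
        elif kind == "network" and basename(ev["image"]) in SCRIPT_HOSTS:
            if ev["dst_ip"] == "127.0.0.1" and ev["dst_port"] in TOR_SOCKS_PORTS:
                findings.append(("script_host_to_local_tor_socks", ev["host"],
                                 f'{ev["dst_ip"]}:{ev["dst_port"]}'))
    return findings


# Constructed sample events (normalised; field names are this example's own).
SAMPLE_EVENTS = [
    # 1. Victim double-clicks a shortcut on the USB stick; Explorer runs the .js.
    {"kind": "process", "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" //B "E:\Photos\vacation.js"'},
    # 2. Dropped payload running from the Documents folder.
    {"kind": "process", "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'wscript.exe //B "C:\Users\alice\Documents\svc.js"'},
    # 3. Scheduled task registered to keep it alive across reboots.
    {"kind": "task_created", "host": "WS01", "task_name": r"\Microsoft\Windows\Update\svc",
     "action": r"C:\Windows\System32\wscript.exe",
     "arguments": r'//B "C:\Users\alice\Documents\svc.js"'},
    # 4. Script host talking to a local Tor SOCKS port.
    {"kind": "network", "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9150},
    # 5. Benign admin use of a script host: not flagged.
    {"kind": "process", "host": "WS02", "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"},
    # 6. Ordinary browser traffic: not flagged.
    {"kind": "network", "host": "WS02", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dst_ip": "203.0.113.5", "dst_port": 443},
]

if __name__ == "__main__":
    for rule, host, detail in hunt(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {detail}")
```

Run against the sample, the hunt returns four findings, one per malicious event, and nothing for the slmgr.vbs or browser records. In production the "non-system drive" rule needs tuning for mapped network drives, and the Tor rule will miss implants that embed their own Tor client rather than using a local proxy.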