- Microsoft identified a USB-spreading malware targeting cryptocurrency wallets since February.
- Malware uses Tor communications, screenshots, and remote code execution.
- Security researchers report rising Windows-based threats against cryptocurrency users.
Microsoft Threat Intelligence has warned Windows users about a cryptocurrency-focused malware strain spreading through USB drives and targeting digital asset holders. According to Microsoft’s researchers, the malware has been active since February and combines wallet theft, screenshot capture, and remote access capabilities that allow attackers to maintain control over infected devices.
The malware, identified as a crypto clipper, monitors clipboard activity and searches for sensitive cryptocurrency information. Besides targeting copied wallet addresses, it also seeks out BIP39 seed phrases and private keys commonly used to access crypto holdings. Microsoft said the threat poses a significant risk because it not only steals information but also creates a pathway for future attacks.
Researchers noted that the malware spreads by hiding legitimate files on USB drives and replacing them with deceptive shortcut files. When users click the disguised files, the malware executes automatically and continues spreading to other removable storage devices connected to the system.
Malware Combines Wallet Theft With Persistent Remote Access
According to Microsoft, the malware deploys two heavily obfuscated JavaScript payloads inside the Windows Documents directory. It then creates scheduled tasks that support both its propagation mechanism and its credential-stealing functions. Additionally, the malware secretly installs a copy of Tor on infected devices. It disguises the software under the filename “ugate.exe” to avoid attracting attention from users and administrators. Through the Tor network, the malware connects to hidden onion addresses controlled by its operators.
Microsoft explained that this communication method helps attackers conceal their infrastructure while maintaining remote access to compromised systems. Consequently, operators can issue commands, deploy additional malware, or execute arbitrary code without exposing traditional command-and-control servers.
The malware also captures screenshots every ten seconds, giving attackers additional visibility into user activity. At the same time, it replaces copied cryptocurrency wallet addresses with attacker-controlled alternatives across Bitcoin, Tron, and Monero transactions. Microsoft Defender Antivirus currently detects the threat as Trojan:Win32/CryptoBandits.A. The company advised users to disable autoplay on removable media, block shortcut execution from USB drives, and monitor systems for suspicious scripts and proxy-related activity.
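The address-swapping behaviour described above leaves a simple observable: a copied wallet address is overwritten by a different address of the same chain within a fraction of a second, which a human almost never does. The following is an added detection example (not Microsoft's code nor part of the original article); the address regexes are approximate shapes for Bitcoin, Tron and Monero addresses, the 2-second gap is an assumed threshold, and the live sampler via tkinter is an assumed clipboard reader.

```python
import re
import time
from typing import List, Optional, Tuple

# Approximate address shapes for the three chains the clipper targets
# (assumption: good enough for an alert heuristic, not for validation).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})$"),
    "tron":    re.compile(r"^T[a-km-zA-HJ-NP-Z1-9]{33}$"),
    "monero":  re.compile(r"^[48][a-km-zA-HJ-NP-Z1-9]{94}$"),
}

def classify(text: str) -> Optional[str]:
    """Return the chain name if text looks like a wallet address, else None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None

def detect_swaps(samples: List[Tuple[float, str]], max_gap: float = 2.0):
    """samples: (seconds, clipboard_text) in order of observation.
    Flag a same-chain address replaced by a *different* address within
    max_gap seconds, with nothing else copied in between: the clipper
    rewrites the clipboard moments after the user copies."""
    alerts = []
    prev_ts, prev_text, prev_chain = 0.0, "", None
    for ts, text in samples:
        text, chain = text.strip(), classify(text)
        if chain is not None and chain == prev_chain and text != prev_text \
                and ts - prev_ts <= max_gap:
            alerts.append({"chain": chain, "copied": prev_text,
                           "replaced_with": text, "gap": ts - prev_ts})
        prev_ts, prev_text, prev_chain = ts, text, chain
    return alerts

def sample_clipboard(interval: float = 0.5, duration: float = 60.0):
    """Feed detect_swaps from the live clipboard (assumed tkinter reader)."""
    import tkinter
    root = tkinter.Tk()
    root.withdraw()
    samples, start = [], time.monotonic()
    while time.monotonic() - start < duration:
        try:
            samples.append((time.monotonic() - start, root.clipboard_get()))
        except tkinter.TclError:  # clipboard empty or not text
            pass
        time.sleep(interval)
    return detect_swaps(samples)

# Constructed sample: a user copies one Bitcoin address, 0.3 s later the
# clipboard holds a different one; the later Tron copies are far apart.
BTC_USER, BTC_SWAPPED = "1" + "Q" * 33, "1" + "Z" * 33
TRX_A, TRX_B = "T" + "Q" * 33, "T" + "Z" * 33
CONSTRUCTED_SAMPLES = [(0.0, "hello"), (1.0, BTC_USER), (1.3, BTC_SWAPPED),
                       (5.0, "notes"), (6.0, TRX_A), (12.0, TRX_B)]
```

Running `detect_swaps(CONSTRUCTED_SAMPLES)` reports only the Bitcoin rewrite; the Tron pair is six seconds apart and is treated as two deliberate copies.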
Rise in Windows-Based Crypto Threats
Microsoft’s warning comes as Windows-targeted cryptocurrency malware continues to increase in sophistication during 2026. Earlier this month, the Foresiet Threat Intel Team identified Lucid Stealer, another malware strain designed to target browser extensions and cryptocurrency wallets, highlighting a broader trend of threats aimed at digital asset users.
Microsoft’s findings show that crypto-focused malware is evolving beyond simple credential theft. By combining wallet-targeting features with remote access capabilities, attackers can steal digital assets while maintaining long-term access to compromised devices.
