Microsoft has identified a sophisticated malware campaign targeting cryptocurrency investors through infected USB drives. Active since February, the worm known as Trojan:Win32/CryptoBandits exploits Windows shortcut files to compromise digital wallets and exfiltrate sensitive financial data.

The infection begins when users execute malicious .lnk files on removable media. Once installed, the malware polls the system clipboard every 500 milliseconds. It captures seed phrases and private keys and transmits them to attackers over the Tor network. Critically, the worm silently replaces copied recipient addresses with attacker-controlled wallets during transactions, diverting funds with no visible sign to the victim.
Propagation occurs automatically when clean USB drives connect to infected systems. The malware replaces legitimate documents with identically named malicious shortcuts, ensuring continued spread across air-gapped and networked environments. Microsoft urges organizations to disable AutoRun, block .lnk execution on removable media, and restrict script hosts. Security teams should also scan for Tor proxy connections on port 9050 and review published indicators of compromise to detect this persistent threat.
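As an added triage example (not Microsoft's own tooling), the two checks recommended above can be scripted: flag TCP sockets whose remote port is 9050 in `netstat -ano` style output, and flag .lnk files on a removable drive that impersonate documents. Both inputs below are constructed samples, and the double-extension heuristic (`invoice.pdf.lnk`) is an assumption about how the replaced documents are named.

```python
TOR_SOCKS_PORT = 9050
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}

# Constructed `netstat -ano` style output (sample, not captured from a real host).
SAMPLE_NETSTAT = """\
  TCP    127.0.0.1:49712    127.0.0.1:9050      ESTABLISHED    4120
  TCP    10.0.0.15:52011    203.0.113.8:443     ESTABLISHED    1288
  TCP    127.0.0.1:49720    127.0.0.1:9050      ESTABLISHED    4120
  UDP    0.0.0.0:5353       *:*                                812
"""

# Constructed listing of a removable drive (sample paths, not a real device).
SAMPLE_USB_LISTING = [
    "E:/Q3 Report.docx.lnk", "E:/photos/holiday.jpg", "E:/invoice.pdf.lnk",
    "E:/notes.txt", "E:/tools/readme.lnk",
]


def tor_proxy_connections(netstat_text, port=TOR_SOCKS_PORT):
    """Return (pid, remote) for TCP sockets whose remote port is the Tor SOCKS port."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # header noise and UDP rows (no state column) are skipped
        remote, pid = parts[2], parts[4]
        rport = remote.rpartition(":")[2]
        if rport.isdigit() and int(rport) == port:
            hits.append((int(pid), remote))
    return hits


def suspicious_shortcuts(paths):
    """Classify .lnk files found on removable media.
    'document_lookalike': a double extension such as invoice.pdf.lnk, assumed
    here to be how a replaced document appears; 'review': any other shortcut,
    since shortcuts on removable media are unusual and the advice is to block them."""
    findings = {}
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if not name.lower().endswith(".lnk"):
            continue
        stem = name[:-4]
        inner = ("." + stem.rsplit(".", 1)[1].lower()) if "." in stem else ""
        findings[path] = "document_lookalike" if inner in DOC_EXTS else "review"
    return findings
```

A hit on 9050 is only a lead: confirm the owning PID is not a legitimately installed Tor client before treating it as an indicator.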