NEWS

USB Worm Spreads Crypto-Stealing Malware via Windows Shortcut Files

A self-spreading USB worm active since February 2026 hides real files behind malicious .lnk shortcuts, hijacks clipboard cryptocurrency addresses, hunts private wallet keys, and routes stolen data through an embedded Tor client — targeting Bitcoin, Ethereum, Tron, and Monero wallets.

Dylan H.

News Desk

June 21, 2026
6 min read

Overview

On June 17, 2026, Microsoft reported a sophisticated USB-propagating worm that has been active since at least February 2026. It targets cryptocurrency holders through a combination of clipboard hijacking, private key exfiltration, and Tor-routed command-and-control infrastructure.

The malware uses Windows shortcut files (.lnk) as its primary infection vector, disguising itself as legitimate documents on USB drives while silently installing, spreading, and stealing cryptocurrency assets in the background. No threat actor has been publicly attributed as of the report date.


How It Spreads: The .lnk Worm Mechanism

The malware's propagation mechanism exploits user trust in file names shown on removable storage. When a victim opens what appears to be a legitimate document (e.g., report.pdf) from an infected USB drive, they are actually opening a malicious .lnk shortcut file that executes the malware payload.

Stage 1: Initial Execution

The .lnk file triggers execution through one of several Windows scripting engines:

  • wscript.exe
  • cscript.exe
  • PowerShell
  • cmd.exe

This multi-engine approach gives the malware flexibility and makes it harder to block via single-interpreter restrictions.

Stage 2: File Hiding and Decoy Creation

Once executed, the malware:

  1. Hides all original files on the USB drive
  2. Replaces them with malicious .lnk decoys that mimic the hidden originals by name
  3. Creates the appearance of a normal drive — the victim sees what looks like their files, but every file is now a weaponized shortcut

Stage 3: Persistence and Self-Spreading

The malware installs a scheduled task on the infected Windows host that monitors for newly connected USB drives. Any removable storage inserted into the infected machine is automatically populated with the malware's .lnk file set — enabling silent, automatic spread to every USB device that touches the system.
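
The three stages above, as an added example that is not part of the original article or of Microsoft's report: a small Python triage script that parses the header and string fields of a Shell Link (.lnk) file, flags the signs of a document-shaped decoy (a script-host target, window-hiding or encoding switches, an icon borrowed from another program, a minimised ShowCommand), and pairs the visible .lnk files on a drive root with the hidden originals they impersonate. The shortcut bytes, the wscript command line, the Acrobat icon path and the directory listing are constructed for the demonstration and are not indicators from the campaign.

```python
"""Triage a decoy .lnk and pair it with the hidden original it impersonates.

Added example for this article, not code from the page or the Microsoft report.
The shortcut bytes are CONSTRUCTED by build_lnk() and follow only the MS-SHLLNK
header and StringData layout; parse_lnk() skips any LinkTargetIDList/LinkInfo by size.
"""
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields, in the order they appear when their LinkFlags bit is set
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
SW_SHOWMINNOACTIVE = 7
INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}  # the four named in the report
# switches that hide windows or prompts, encode the script, or set hidden/system attributes
SUSPICIOUS_ARGS = ("-w hidden", "-windowstyle hidden", "-enc", "-nop", "/c ", "//b", "attrib +h", "+s +h")


def build_lnk(relative_path, arguments, icon_location):
    """Assemble a minimal Unicode shortcut for the demo (constructed, not a capture)."""
    flags = HAS_ID_LIST | 0x08 | 0x20 | 0x40 | IS_UNICODE
    header = struct.pack("<I16sII", HEADER_SIZE, LNK_CLSID, flags, 0)     # size, CLSID, flags, attributes
    header += b"\0" * 24                                                  # creation/access/write times
    header += struct.pack("<IiIH", 0, 0, SW_SHOWMINNOACTIVE, 0)           # size, icon index, ShowCommand, hotkey
    header += b"\0" * 10                                                  # reserved
    id_list = struct.pack("<H", 2) + b"\0\0"                              # IDList holding only the TerminalID

    def s(text):                                                          # CountCharacters + UTF-16LE, no NUL
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + id_list + s(relative_path) + s(arguments) + s(icon_location)


def parse_lnk(data):
    """Return ShowCommand plus the StringData fields of a Shell Link; ValueError on a bad header."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = HEADER_SIZE
    if flags & HAS_ID_LIST:                       # uint16 IDListSize, then that many bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # uint32 LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            fields[name] = data[pos:pos + count * width].decode(enc)
            pos += count * width
    if pos > len(data):
        raise ValueError("truncated StringData")
    return fields


def triage(fields):
    """Signs that a document-looking shortcut really launches a script host."""
    findings = []
    target = fields.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = fields.get("arguments", "").lower()
    icon = fields.get("icon_location", "").lower()
    if target in INTERPRETERS:
        findings.append(f"target is script host {target}")
        if icon and target not in icon:
            findings.append(f"icon borrowed from {icon}, not from the target")
    hits = [a for a in SUSPICIOUS_ARGS if a in args]
    if hits:
        findings.append("hiding/encoding switches in arguments: " + ", ".join(hits))
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=7 starts the window minimised")
    return findings


def decoy_pairs(entries):
    """entries: (name, is_hidden) for a drive root. Returns visible .lnk names whose stem is a hidden file."""
    hidden = {name for name, is_hidden in entries if is_hidden}
    return sorted(name for name, is_hidden in entries
                  if not is_hidden and name.lower().endswith(".lnk") and name[:-4] in hidden)


if __name__ == "__main__":
    sample = build_lnk(r"..\..\Windows\System32\wscript.exe", r"//b .\.bin\run.js",
                       r"%ProgramFiles%\Adobe\Acrobat\Acrobat.exe,0")
    for finding in triage(parse_lnk(sample)):
        print("finding:", finding)
    listing = [("report.pdf", True), ("budget.xlsx", True), ("report.pdf.lnk", False),
               ("budget.xlsx.lnk", False), ("notes.txt", False)]
    print("decoys:", decoy_pairs(listing))
```

To run it against a real drive, read each *.lnk with open(path, "rb").read() and build the listing from os.scandir(), using entry.stat().st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN on Windows. The parser only skips the LinkTargetIDList and LinkInfo structures; if you need the absolute target rather than the relative path, resolve LinkInfo as well or read the shortcut through the WScript.Shell COM object from PowerShell.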


Crypto-Stealing Capabilities

Once installed, the malware deploys multiple cryptocurrency theft mechanisms simultaneously:

Clipboard Hijacking

The malware continuously monitors the Windows clipboard for cryptocurrency wallet addresses. When a victim copies a wallet address (to send a transaction), the malware silently replaces it with an attacker-controlled address. The victim completes the transaction — believing they're sending to the intended recipient — while the funds are redirected to the attacker's wallet.

Private Key and Seed Phrase Hunting

Beyond clipboard interception, the malware actively searches the infected system for stored credentials:

  • Bitcoin — WIF-format private keys, legacy addresses, P2SH, Bech32, and Taproot address formats
  • Ethereum — raw private key files
  • Tron — wallet addresses
  • Monero — wallet addresses
  • BIP39 seed phrases — both 12-word and 24-word variants

The seed phrase targeting is particularly dangerous: a 12 or 24-word BIP39 recovery phrase gives complete control of a wallet and all its funds across any compatible wallet application.
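
For both the clipboard-hijacking and the key-hunting sections above, an added Python example (not code from the article or from the Microsoft report) that encodes the public address formats of the listed coins, scans free text for them the way a key hunter or a DLP rule would, and flags a clipboard swap: the same coin's address replaced by a different one within a fraction of a second of being copied. All addresses, the clipboard history and the timing threshold are constructed for the demonstration; none is an attacker indicator. The BIP39 check is a shape test only (12 or 24 lower-case words of 3 to 8 letters) and would need the 2048-word list for a real match.

```python
"""Wallet-artefact patterns and a clipboard-swap check for the theft mechanisms above.

Added example for this article, not code from the page or the Microsoft report.
Every address and the clipboard history are CONSTRUCTED and are not indicators.
"""
import re

B58 = "[1-9A-HJ-NP-Za-km-z]"                    # Base58: no 0, O, I, l
BECH = "[qpzry9x8gf2tvdw0s3jn54khce6mua7l]"     # bech32 charset
PATTERNS = [                                     # public format rules, most specific first
    ("btc_wif_private_key", rf"(?:5{B58}{{50}}|[KL]{B58}{{51}})"),   # 51 chars uncompressed, 52 compressed
    ("btc_legacy_p2pkh",    rf"1{B58}{{25,33}}"),
    ("btc_p2sh",            rf"3{B58}{{25,33}}"),
    ("btc_taproot",         rf"bc1p{BECH}{{58}}"),                    # witness v1, 62 chars
    ("btc_bech32",          rf"bc1q{BECH}{{38}}(?:{BECH}{{20}})?"),   # P2WPKH 42 / P2WSH 62 chars
    ("eth_private_key",     r"(?:0x)?[0-9a-fA-F]{64}"),
    ("eth_address",         r"0x[0-9a-fA-F]{40}"),
    ("tron_address",        rf"T{B58}{{33}}"),
    ("monero_address",      rf"[48]{B58}{{94}}(?:{B58}{{11}})?"),     # standard/sub 95, integrated 106
]
EXACT = [(name, re.compile(rf"^{pat}$")) for name, pat in PATTERNS]
SCAN = re.compile(r"(?<![0-9A-Za-z])(?:" + "|".join(f"(?P<{n}>{p})" for n, p in PATTERNS) + r")(?![0-9A-Za-z])")
WORD = re.compile(r"^[a-z]{3,8}$")               # BIP39 English words are 3 to 8 letters (shape test only)


def classify(text):
    """Name the artefact kind of a whole string, or None."""
    text = text.strip()
    for name, rx in EXACT:
        if rx.match(text):
            return name
    words = text.split()
    if len(words) in (12, 24) and all(WORD.match(w) for w in words):
        return "bip39_seed_phrase"
    return None


def find_artifacts(blob):
    """Scan free text (notes, chat exports, config files) for the same artefacts the worm hunts."""
    return [(m.lastgroup, m.group()) for m in SCAN.finditer(blob)]


def coin(kind):
    """Coin family of an address kind. Private keys and seed phrases are not 'send to' values,
    so they are excluded from swap matching."""
    if kind is None or kind.endswith("private_key") or kind == "bip39_seed_phrase":
        return None
    return kind.split("_")[0]


def detect_swaps(history, max_gap=0.5):
    """history: [(seconds, clipboard_text)] from a poller. A clipper rewrites the clipboard as soon
    as an address lands there, so two different addresses of one coin within max_gap seconds are
    flagged; a person does not copy two payees that fast. Heuristic; the threshold is an assumption."""
    alerts = []
    for (t0, before), (t1, after) in zip(history, history[1:]):
        c = coin(classify(before))
        if c and c == coin(classify(after)) and before != after and t1 - t0 <= max_gap:
            alerts.append({"coin": c, "copied": before, "replaced_with": after, "after_s": round(t1 - t0, 3)})
    return alerts


SAMPLES = {   # constructed strings that satisfy each format; not real wallets
    "btc_legacy_p2pkh": "1" + "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghi",
    "btc_p2sh": "3" + "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghi",
    "btc_bech32": "bc1q" + "qpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9",
    "btc_taproot": "bc1p" + ("qpzry9x8gf2tvdw0s3jn54khce6mua7l" * 2)[:58],
    "btc_wif_private_key": "K" + ("ABCDEFGHJKLMNPQRSTUVWXYZ" * 3)[:51],
    "eth_address": "0x" + "deadbeef" * 5,
    "eth_private_key": "0x" + "0123456789abcdef" * 4,
    "tron_address": "T" + "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghi",
    "monero_address": "4" + ("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz" * 2)[:94],
}
HISTORY = [   # constructed clipboard samples (seconds, text)
    (0.00, "invoice 4471 due Friday"),
    (3.20, SAMPLES["btc_bech32"]),                                 # user copies the payee's address
    (3.27, "bc1q" + "l7aum6echk45nj3s0wdvt2fg8x9yrzpql7aum6"),     # rewritten 70 ms later: clipper
    (9.50, "meeting moved to 3pm"),
    (15.0, SAMPLES["eth_address"]),
    (41.0, "0x" + "cafebabe" * 5),                                 # a different ETH address 26 s later: normal use
]

if __name__ == "__main__":
    for kind, value in SAMPLES.items():
        assert classify(value) == kind, kind
    print(find_artifacts("pay 0.5 to " + SAMPLES["eth_address"] + " or " + SAMPLES["btc_taproot"]))
    print(detect_swaps(HISTORY))
```

A clipboard poller that samples the text every 100 ms and appends (time, text) to the history is enough to feed detect_swaps. The gap threshold is the whole point: a clipper reacts to the copy immediately, whereas a person who legitimately copies two payees of the same coin does so seconds apart, which is why the second ETH address in the sample history is not flagged.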

Screenshot Capture

The malware captures five screenshots every ten seconds, providing the attacker with continuous visual access to the victim's screen. This enables theft of credentials, authentication codes, and other sensitive information displayed on screen — including software wallets and exchange interfaces.


Command-and-Control: Tor Infrastructure

The malware uses a bundled Tor client (ugate.exe) to route all communication and data exfiltration through the Tor anonymity network:

  • The embedded Tor client creates a local SOCKS proxy at localhost:9050
  • Stolen data (private keys, seed phrases, screenshots) is transmitted using curl through this proxy
  • The C2 infrastructure is hosted on .onion addresses — making attribution and takedown significantly harder

This level of operational security in what is otherwise a commodity USB worm is notable. The combination of self-spreading USB propagation (a relatively crude technique) with sophisticated Tor-based exfiltration suggests either a threat actor with mixed technical capabilities or deliberate design choices to use a proven propagation vector alongside modern OPSEC.


Detection and Defense

For Individual Users

  1. Disable AutoPlay on Windows: good hygiene, but note that this worm does not rely on it. Nothing runs until the victim double-clicks a decoy shortcut, so the controls below matter more
    • Group Policy: Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies
  2. Never open files directly from USB drives: copy them to local disk first and scan with AV
  3. Check file types, not just names: Windows never displays the .lnk extension, even with "Hide extensions for known file types" turned off, because the shortcut file type is registered with NeverShowExt. A decoy named report.pdf.lnk therefore still appears as report.pdf. Look for the shortcut arrow overlay on the icon, switch Explorer to Details view and check the Type column for "Shortcut", or run dir /a on the drive from a command prompt, which lists the hidden originals next to the .lnk decoys with their full names
  4. Use a hardware wallet: hardware wallets (Ledger, Trezor, etc.) defeat clipboard hijacking only if you read the destination address on the device's own display before approving. The swapped address is exactly what the infected PC sends to the device for signing, so a user who approves without reading it loses the funds anyway
  5. Always verify the whole address: checking only the first and last few characters is not enough, because address-generation tools can mass-produce addresses that share a chosen prefix or suffix with the intended recipient. Compare the full string, ideally against a source other than the clipboard (the recipient's message, a saved contact, or a QR code)

For Organizations

Control | Detail
Block .lnk execution from removable media | Via AppLocker or WDAC policies
USB device allow-listing | Only allow approved removable storage devices
Endpoint Detection & Response (EDR) | Monitor for wscript.exe, cscript.exe, PowerShell and cmd.exe spawned from removable paths, typically with explorer.exe as the parent because the victim double-clicks the decoy
Scheduled task monitoring | Alert on new scheduled tasks (Security event 4698) registered by non-admin users, especially tasks whose action runs a script host
Network monitoring | Port 9050 is the bundled Tor client's SOCKS listener on localhost and never appears on the wire; on the endpoint, alert on a process listening on or connecting to 127.0.0.1:9050. On the network, match egress destinations against the published Tor relay list (guard and directory-authority addresses) and block or alert on them
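
The EDR, scheduled-task and network rows above, together with the loopback SOCKS proxy described in the command-and-control section, as an added Python example (not a rule from Microsoft or any vendor) that runs three rules over constructed event records shaped like Sysmon process-creation (EID 1) and network-connection (EID 3) events and a Security scheduled-task-creation (EID 4698) event. The field names, paths, task name, IP addresses and the set of removable drive letters are constructed or assumed for the demonstration and are not indicators; in production the drive set comes from your own volume inventory.

```python
"""Host-side detection rules for the worm's behaviour, run over constructed events.

Added example for this article, not a rule from Microsoft or any vendor. The
events are CONSTRUCTED to resemble Sysmon EID 1 (process create) and EID 3
(network connect) records and a Security EID 4698 (task created) event, reduced
to the fields the rules use. `removable` is assumed to come from your inventory
(e.g. the drive letters of DriveType 2 volumes).
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}   # interpreters named in the report
SCRIPT_EXT = re.compile(r"(?i)\.(?:js|jse|vbs|vbe|wsf|ps1|bat|cmd)\b")
TOR_LOCAL = re.compile(r"(?i)socks5h?://(?:127\.0\.0\.1|localhost):9050|\.onion\b")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def on_drive(text, drive):
    """True if text contains a path rooted at `drive` (e.g. "E:"), not a stray "E:" inside a word."""
    return re.search(r"(?<![A-Za-z])" + re.escape(drive) + r"\\", text, re.I) is not None


def rule_script_host_from_removable(ev, removable=()):
    """Script host started with its working directory or command line on a removable drive."""
    if ev.get("eid") != 1 or basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return None
    cwd, cmd = ev.get("CurrentDirectory", ""), ev.get("CommandLine", "")
    where = [d for d in removable if on_drive(cwd, d) or on_drive(cmd, d)]
    if not where:
        return None
    return {"rule": "script_host_from_removable", "image": basename(ev["Image"]),
            "parent": basename(ev.get("ParentImage", "")), "drive": where[0]}


def rule_task_by_nonadmin(ev, removable=(), admin_accounts=("SYSTEM",)):
    """Task registered by an ordinary user whose action runs a script host or a script file.
    EID 4698 carries the creating account, not the creating process; join with Sysmon EID 1 for
    schtasks.exe if you need the parent."""
    if ev.get("eid") != 4698 or ev.get("SubjectUserName", "").upper() in {a.upper() for a in admin_accounts}:
        return None
    action = ev.get("TaskAction", "")
    if basename(action.split(" ", 1)[0].strip('"')) in SCRIPT_HOSTS or SCRIPT_EXT.search(action):
        return {"rule": "task_by_nonadmin", "user": ev["SubjectUserName"],
                "task": ev.get("TaskName", ""), "action": action}
    return None


def rule_tor_loopback(ev, removable=()):
    """Traffic into the embedded Tor client's SOCKS listener, or a command line that names it."""
    if (ev.get("eid") == 3 and ev.get("DestinationIp") in ("127.0.0.1", "::1")
            and int(ev.get("DestinationPort", 0)) == 9050):
        return {"rule": "tor_loopback_socks", "image": basename(ev.get("Image", ""))}
    if ev.get("eid") == 1 and TOR_LOCAL.search(ev.get("CommandLine", "")):
        return {"rule": "tor_loopback_socks", "image": basename(ev.get("Image", "")), "cmdline": ev["CommandLine"]}
    return None


RULES = (rule_script_host_from_removable, rule_task_by_nonadmin, rule_tor_loopback)


def run_rules(events, removable):
    return [hit for ev in events for rule in RULES if (hit := rule(ev, removable))]


EVENTS = [   # constructed records; paths, names and addresses are illustrative, not indicators
    {"eid": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": '"C:\\Windows\\System32\\wscript.exe" //b E:\\.bin\\run.js', "CurrentDirectory": "E:\\"},
    {"eid": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Program Files\\Acme\\agent.exe",
     "CommandLine": "wscript.exe C:\\ProgramData\\Acme\\inventory.vbs", "CurrentDirectory": "C:\\ProgramData\\Acme\\"},
    {"eid": 4698, "SubjectUserName": "alice", "TaskName": "\\ExampleUpdater",
     "TaskAction": '"C:\\Windows\\System32\\wscript.exe" //b C:\\Users\\alice\\AppData\\Roaming\\sync.js'},
    {"eid": 4698, "SubjectUserName": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskAction": "%windir%\\system32\\defrag.exe -c -h"},
    {"eid": 3, "Image": "C:\\Users\\alice\\AppData\\Roaming\\curl.exe", "DestinationIp": "127.0.0.1", "DestinationPort": 9050},
    {"eid": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "93.184.216.34", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in run_rules(EVENTS, removable={"E:"}):
        print(alert)
```

The second wscript event is the benign control: the same binary, but launched by a management agent from a fixed disk, so the removable-drive rule stays quiet. The task rule keys on the registering account rather than on "non-admin processes" because that is what event 4698 records; the loopback rule catches the curl-through-SOCKS pattern on the endpoint, where port 9050 is visible, rather than on the network, where it is not.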

Why USB-Based Malware Is Still Relevant in 2026

USB-propagating malware might seem anachronistic in an era of cloud storage and network file shares, but several factors keep it viable:

  • Air-gapped environments — industrial control systems, government networks, and classified environments often restrict internet access, making USB the primary data transfer mechanism — and a high-value attack vector
  • Human behavior — people trust physical media they pick up or receive from colleagues more than unfamiliar email attachments
  • Low AV detection rates for .lnk malware — shortcut-file-based execution is often missed by endpoint security tools that focus on executable file types
  • Cryptocurrency users are high-value targets — even a small number of successful infections that capture a seed phrase can yield enormous financial return

The combination of these factors makes a well-crafted USB worm a cost-effective tool for financially motivated threat actors.


Timeline

Date | Event
February 2026 | Earliest known malware activity
June 17, 2026 | Microsoft reports the campaign
June 2026 | BleepingComputer publishes analysis (Bill Toulas)

Related Reading

  • USB Worm Crypto Malware Report (BleepingComputer)
  • Clipboard Hijacking: How Crypto Thieves Steal While You Transact
  • Hardware Wallet Security Guide
Tags: Malware, USB Worm, Cryptocurrency, Clipboard Hijacking, Tor, Windows, Threat Intelligence, Wallet Security
