Microsoft disclosed that a new USB‑borne malware, labeled Trojan:Win32/CryptoBandits, has been stealing cryptocurrency wallet credentials from Windows PCs since February.
Infection Vector and Execution
The attack begins with a compromised USB drive that carries a malicious shortcut file with a .lnk extension. When a user opens the shortcut, the worm drops onto the system and immediately starts two parallel functions: a wallet‑stealing module and a listener that waits for any further clean USB device to be connected.
Data Harvesting and Exfiltration
The wallet‑stealing component polls the Windows clipboard roughly every 500 milliseconds, capturing seed phrases or private keys for Bitcoin, Ethereum, or other blockchain assets. Captured data is routed through the Tor network to the attacker’s server, while the malware also records five screenshots at ten‑second intervals.
Transaction Manipulation and Risk
If a victim copies a recipient address, the worm silently overwrites it with an attacker‑controlled address before the paste operation, diverting funds without the user’s knowledge. This behavior expands the threat surface for crypto investors and underscores the need for heightened USB hygiene and offline wallet practices.
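The two behaviors described above (polling the clipboard for wallet material, and swapping a copied recipient address for a different one) leave a recognizable trace on the defender's side: an address-like value in the clipboard is replaced by a different address of the same type far faster than a person could copy a second one. The following detector, an added example that is not part of Microsoft's advisory or of this article, runs that heuristic over a constructed clipboard log. The address patterns, the 1.5-second swap window and the sample log are all assumptions chosen for illustration; a production tool would read the live clipboard through an OS API and validate address checksums rather than rely on regular expressions alone.

```python
import re
from dataclasses import dataclass

# Loose syntactic patterns for common address formats (assumption: format only,
# no checksum validation, so a real tool should verify Base58/bech32 checksums).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# A human rarely copies two different addresses of the same kind within this
# many milliseconds; a clipper swapping the value does it in well under a second.
SWAP_WINDOW_MS = 1500


def classify(text):
    """Return the address family the clipboard text looks like, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class SwapAlert:
    at_ms: int
    kind: str
    original: str
    replaced_with: str


def detect_swaps(samples, window_ms=SWAP_WINDOW_MS):
    """Scan (timestamp_ms, clipboard_text) polls, in time order, for suspicious
    same-family address replacements that happen within `window_ms` of the
    original address first appearing in the clipboard."""
    alerts = []
    current, current_since = None, None
    for ts, raw in samples:
        text = raw.strip()
        if current is None:
            current, current_since = text, ts
            continue
        if text == current:          # same content re-read by the poller
            continue
        old_kind, new_kind = classify(current), classify(text)
        if old_kind is not None and old_kind == new_kind and ts - current_since <= window_ms:
            alerts.append(SwapAlert(ts, new_kind, current, text))
        current, current_since = text, ts
    return alerts


# Constructed clipboard log (not real wallet addresses): timestamps in ms.
SAMPLE_CLIPBOARD_LOG = [
    (0, "meeting notes"),
    (1000, "1" + "A" * 33),        # user copies a recipient address
    (1500, "1" + "A" * 33),        # poller reads the same value again
    (1600, "1" + "B" * 33),        # replaced 600 ms later: clipper behavior
    (9000, "0x" + "c" * 40),       # user copies an ETH address much later
    (15000, "0x" + "d" * 40),      # a second ETH address 6 s later: human pace
    (15200, "hello"),
]


if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_CLIPBOARD_LOG):
        print(f"[{alert.at_ms} ms] {alert.kind} address silently replaced: "
              f"{alert.original} -> {alert.replaced_with}")
```

The timing heuristic is what separates a clipper from ordinary use: the detector ignores the ETH pair because six seconds is a plausible human interval, but flags the Bitcoin pair replaced within the window. The same check can be applied as a final "compare what you copied with what you are about to paste" step before signing a transaction.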
