A worm disguised as office documents is quietly draining cryptocurrency wallets by swapping addresses at the point of transfer.
Microsoft's security team analyzed a USB drive loaded with what appeared to be ordinary Word and Excel files. The files were actually Windows shortcut (.LNK) files that executed a malware package dubbed Crypto Clipper. Once running, the malware replicates itself onto any newly connected removable media, sets scheduled tasks for persistence, and opens a backdoor that checks in with a command-and-control server routed through Tor. That C2 connection lets attackers push arbitrary code to infected machines at will.
The theft mechanism is straightforward but effective: Crypto Clipper watches the Windows clipboard for cryptocurrency wallet addresses, seed phrases, and private keys. When a victim copies a wallet address to paste into a transfer, the malware silently replaces it with an attacker-controlled address. Any funds sent go to the attacker instead. Seed phrases and private keys get exfiltrated directly, and the malware periodically uploads screenshots to help attackers gauge how much a target is worth pursuing. The Tor routing makes the C2 traffic difficult to block or trace.
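As an added illustration of how a defender can spot this kind of swap (example code written for this page, not from Microsoft's analysis or the malware): a Python heuristic over a clipboard-write log that flags a wallet address being replaced by a different address of the same family within seconds of the user's copy. The event format, the process-owner field and the address patterns are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed heuristic patterns (not checksum validators) for three address families.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

@dataclass
class ClipboardEvent:
    ts: float    # seconds since monitoring started
    text: str    # clipboard contents after the write
    owner: str   # process that wrote the clipboard (hypothetical field)

def address_type(text):
    """Return the address family `text` looks like, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

def detect_swaps(events, window=2.0):
    """Flag a write that replaces a wallet address with a different address of the
    same family within `window` seconds: a clipper rewrites right after the copy."""
    alerts = []
    prev = None
    for ev in events:
        kind = address_type(ev.text)
        if prev is not None and kind is not None and kind == address_type(prev.text):
            if prev.text.strip() != ev.text.strip() and ev.ts - prev.ts <= window:
                alerts.append({"ts": ev.ts, "kind": kind, "owner": ev.owner,
                               "copied": prev.text.strip(), "replaced_with": ev.text.strip()})
        prev = ev
    return alerts

# Constructed sample clipboard history: a legitimate copy from a wallet app,
# rewritten 300 ms later by an unknown process, then a normal ETH copy much later.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "quarterly report draft", "WINWORD.EXE"),
    ClipboardEvent(10.0, "bc1qsamplewalletaddress" + "0" * 20, "wallet.exe"),
    ClipboardEvent(10.3, "bc1qattackerwalletaddr" + "0" * 20, "unknown.exe"),
    ClipboardEvent(40.0, "0x" + "ab" * 20, "chrome.exe"),
    ClipboardEvent(75.0, "0x" + "cd" * 20, "chrome.exe"),
]
if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_EVENTS):
        print(f"[{a['ts']:.1f}s] {a['kind']} swapped by {a['owner']}: {a['copied']} -> {a['replaced_with']}")
```

The same check can run live by polling the clipboard and appending each change as an event; the time window is the key signal, since a user rarely copies two different addresses of the same kind within two seconds.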
Clipboard hijacking is not new — clippers have circulated in underground markets for years — but the USB worm delivery vector is a reminder that air-gapped or cautious users are not automatically safe. Microsoft did not disclose victim counts or geographic targeting, which limits what conclusions can be drawn about campaign scale.
