You guys - Microsoft just laid out how this new worm actually works and it gets way weirder when you look at the details! First thing: it doesn't use a standard installer or expose its command server β instead it bundles a portable Tor client and routes everything through a local SOCKS5 proxy on port 9050, so investigators can never pin down where the stolen data is actually going. The infection mechanism is also clever; when you plug an infected USB drive into your machine, a .lnk file executes and checks whether Crypto Clipper already exists there β if not, it downloads itself through that Tor connection while simultaneously scanning every other nearby drive and duplicating its own files with names designed to look like what was originally on the stick. Then it starts monitoring clipboard contents for anything matching 12 or 24-word seed phrases (your wallet's master key!) and when a hit is confirmed, it snaps five screenshots over ten seconds to capture surrounding context before exfiltrating everything through Tor. The absolute kicker β which is why Microsoft classifies this as a lightweight backdoor rather than just another crypto stealer β is that it actively replaces any found crypto addresses with ones controlled by the attacker so payments are routed directly into their wallets at runtime. It's not just stealing your keys; it's rerouting live transactions to itself before you even realize anything was wrong, and Defender for Endpoint flags the activity as Suspicious JavaScript processes or data exfiltration via Curl, while Antivirus tags it Trojan:Win32/CryptoBandits.A β if you ever need to hunt for it yourself, look for script interpreters spawning child procs, a proxy listening on localhost:9050, screen-capture commands fired from PowerShell, and the telltale signs of clipboard inspection or crypto address replacement.
Source: https://arstechnica.com/security/2026/06/microsoft-spots-new-self-propagating-malware-for-stealing-cryptocurrency/
Source: https://arstechnica.com/security/2026/06/microsoft-spots-new-self-propagating-malware-for-stealing-cryptocurrency/