
Microsoft Uncovers New USB‑Based Crypto Theft Worm

Ars Technica

Microsoft has catalogued a new self‑propagating worm that spreads via USB drives and hunts for cryptocurrency credentials. The infection vector relies on malicious .lnk shortcut files that trigger a download once a target system is booted. The malware then searches the clipboard for wallet addresses or seed phrases within the system memory stream.

Once credentials surface, the worm captures five screenshots over ten seconds, then routes both data sets through an embedded Tor client. By tunneling traffic through a local SOCKS5 proxy, Crypto Clipper evades traditional IP‑based command and control channels, masking its origin and complicating forensic analysis for investigators seeking to trace the attack chain.

Microsoft highlighted that Crypto Clipper blends theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor that hides in plain sight. The worm even renames .lnk files on infected drives to mimic legitimate shortcuts, further obscuring its presence and thwarting quick detection by standard antivirus tools for everyday users.

This discovery underscores the growing threat of USB‑borne ransomware that leverages anonymity networks to bypass traditional security controls. Users should verify drive contents before use, keep firmware updated, and employ endpoint detection that flags suspicious shortcut files. Microsoft urges organizations to patch known vectors and monitor for unusual Tor traffic amid rising crypto‑theft campaigns.
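As an illustration of flagging suspicious shortcut files, the sketch below reads the fields of a .lnk file that a triage tool would inspect on a removable drive. It is an added example, not code from Microsoft or the original report; the interpreter list and the minimized-window check are assumed heuristics rather than indicators for this worm, and the sample shortcut is constructed in the code.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80   # LinkFlags bits (MS-SHLLINK)
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
# Assumed heuristic, not an indicator from the article: shells and script hosts
# that a shortcut to a document or folder on removable media has no reason to call.
INTERPRETERS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32")

def parse_lnk(data):
    """Return ShowCommand and the StringData fields of a Shell Link file."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags, = struct.unpack_from("<I", data, 20)
    info = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    try:
        pos = 76
        if flags & HAS_IDLIST:            # IDListSize (2 bytes) + IDList
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINKINFO:          # LinkInfoSize counts its own 4 bytes
            pos += struct.unpack_from("<I", data, pos)[0]
        width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
        for bit, field in STRING_FIELDS:  # StringData appears in this fixed order
            if flags & bit:
                size = struct.unpack_from("<H", data, pos)[0] * width
                raw, = struct.unpack_from("<%ds" % size, data, pos + 2)
                info[field] = raw.decode(codec, "replace")
                pos += 2 + size
    except struct.error:
        raise ValueError("truncated shell link") from None
    return info

def findings(info):
    """List the reasons a parsed shortcut deserves a closer look."""
    text = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    hits = ["invokes " + name for name in INTERPRETERS if name in text]
    if info["show_command"] == 7:         # SW_SHOWMINNOACTIVE: window starts minimized
        hits.append("starts minimized")
    return hits

def build_sample(target, arguments, show):
    """Constructed header-plus-strings shortcut used only as parser input."""
    head = struct.pack("<I16sII24sIIIHHII", 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE,
                       0, b"", 0, 0, show, 0, 0, 0, 0)
    return head + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                           for s in (target, arguments))

SAMPLE = build_sample("..\\..\\Windows\\System32\\cmd.exe", "/c echo constructed", 7)
print(findings(parse_lnk(SAMPLE)))
```

A shortcut that returns an empty list here is not cleared; the check only sorts which files on a drive get a closer look first.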