Microsoft has pulled back the curtain on a cryptocurrency clipping campaign that’s been targeting Windows users since February. The operation, codenamed CryptoBandits, doesn’t play by the usual rules — there’s no traditional installer, no exposed command-and-control server. Instead, it uses a USB worm and the Tor network to stay hidden.
Here’s how it works. A malicious Windows Shortcut (LNK) file gets dropped onto USB drives. When someone plugs in the drive and clicks what looks like a normal document — a PDF, a Word file — the shortcut triggers a worm component. It checks if the machine is already infected. If not, it fetches the payload from a remote server.
Once deployed, the malware launches a portable Tor client in a hidden window, routes traffic through a local SOCKS5 proxy, and connects to a hidden-service C2 server. From there, it monitors the clipboard every 500 milliseconds, looking for cryptocurrency wallet addresses to swap with attacker-controlled ones. It also takes screenshots and exfiltrates them through Tor.
What makes this particularly nasty is the self-spreading mechanism. The worm scans USB drives for common document types, hides the real files, and replaces them with LNK shortcuts that have the same names. Every infected USB stick becomes a propagation vector.
The malware also creates scheduled tasks for persistence and exits immediately if it detects Task Manager running, suggesting the operators put real effort into evasion. If the C2 sends an “EVAL” response, the malware executes attacker-supplied code at runtime — turning what starts as a crypto stealer into a lightweight backdoor.
Microsoft recommends defenders look for PowerShell-based screen capture, WScript or CScript launching unexpected executables, and LNK execution from removable media. Disabling AutoRun and blocking LNK execution from USB drives via Group Policy are the most effective mitigations.
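A defender-side triage of the three indicators Microsoft lists, written as an added example rather than anything from Microsoft's report: it labels Sysmon-style process-creation records and decodes a PowerShell -EncodedCommand argument so the screen-capture API call is still seen when it is hidden in base64. The removable drive letters, field names and sample records are constructed assumptions.

```python
import base64
import re
from pathlib import PureWindowsPath

REMOVABLE_DRIVES = {"E:", "F:"}  # drive letters the collector reported as removable (constructed)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LNK_LAUNCHERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe"} | SCRIPT_HOSTS
SCREEN_CAPTURE = re.compile(r"CopyFromScreen|System\.Drawing|Graphics\]::FromImage", re.IGNORECASE)
ENCODED_ARG = re.compile(r"-e(?:c|n|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def _expand_powershell(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so encoding does not hide the API use."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # malformed blob: score the raw command line only

def classify(event):
    """Return the labels that fire for one Sysmon Event ID 1 style process-creation record."""
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    cmdline, cwd = event.get("CommandLine", ""), event.get("CurrentDirectory", "")
    hits = []
    # WScript/CScript handing off to an executable: the shortcut-launched worm starting its payload.
    if parent in SCRIPT_HOSTS and image.endswith(".exe") and image not in SCRIPT_HOSTS:
        hits.append("script_host_spawned_executable")
    # A launcher whose working directory is a removable drive, as a LNK clicked on a USB stick would have.
    if image in LNK_LAUNCHERS and cwd[:2].upper() in REMOVABLE_DRIVES:
        hits.append("launch_from_removable_media")
    # PowerShell reaching the GDI+ screen-capture API, including inside an encoded command.
    if image in {"powershell.exe", "pwsh.exe"} and SCREEN_CAPTURE.search(_expand_powershell(cmdline)):
        hits.append("powershell_screen_capture")
    return hits

# Constructed sample records (not real telemetry); the third carries the capture script base64-encoded.
_CAPTURE = "Add-Type -AssemblyName System.Drawing; $g.CopyFromScreen(0, 0, 0, 0, $bmp.Size)"
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\update.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"C:\Users\Public\update.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c start "" Report.pdf.lnk', "CurrentDirectory": "E:\\"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc " + base64.b64encode(_CAPTURE.encode("utf-16-le")).decode()},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" C:\Users\alice\notes.docx'},
]
```

Feed real Sysmon Event ID 1 records (as dicts with the same field names) through `classify` to see which of the three rules fires per process; the removable-drive rule needs the drive letters supplied by your own device inventory.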
