USB-borne Crypto Clipper Malware Turns Stealer Into Persistent Backdoor
By Mag-Info Tech editorial · 2026-06-19

How a USB crypto clipper evolved into a stealthy backdoor
A recently identified Windows malware family spreads through removable USB drives and combines classic cryptocurrency theft with full remote-control capabilities. Instead of simply swapping wallet addresses in the clipboard, the threat installs a lightweight backdoor that allows attackers to run any code on the victim’s machine. Microsoft’s threat intelligence team describes it as “turning a financially motivated stealer into a lightweight backdoor,” highlighting how commodity malware can pivot into a persistent foothold for ransomware or espionage.
The campaign has been active since February and targets users who rely on cryptocurrency wallets. Attackers use USB drives as the initial infection vector, avoiding traditional installer packages and exposed IP-based command-and-control servers. Once on a computer, the malware deploys two obfuscated JavaScript payloads in the Windows Documents directory and schedules automated tasks to spread to other USB devices and exfiltrate data. This design makes the infection self-propagating and difficult to trace back to a central server.
Clipboard hijacking and wallet address substitution
The core theft mechanism is clipboard hijacking performed at high frequency. Every time a user copies a wallet address, recovery phrase, or private key, the malware intercepts the data and replaces it with an attacker-controlled address. The same mechanism captures BIP39 mnemonic seed phrases and private keys for Bitcoin and Ethereum, which are stored locally and exfiltrated to hidden servers. Victims may not notice the substitution at the moment of pasting. The malware also captures screenshots of the desktop, giving the operators visual confirmation of the copied content.
In addition to address swapping, the malware monitors the clipboard for high-value financial artifacts and logs keystrokes related to cryptocurrency applications. This dual approach increases the chance of capturing sensitive wallet information even when users paste slowly or use multi-step workflows. Because the theft happens at the operating-system level, it bypasses wallet-specific security features and works against both hot wallets and cold-storage setups that rely on manual address entry.

Hidden Tor client and onion-routed command-and-control
After the initial compromise, the malware secretly installs a renamed copy of the Tor client as ugate.exe in the user profile directory. This disguised executable then establishes encrypted, anonymized connections to hidden onion services operated by the attackers. Using Tor for command-and-control removes the need for exposed IP addresses and makes takedown efforts harder, while also allowing the operators to pivot the infection into a full remote access backdoor.
The Tor-based infrastructure supports two-way communication: stolen data is uploaded, and new commands are downloaded and executed. Attackers can push arbitrary payloads, update the malware, or deliver secondary stages such as ransomware or spyware. The combination of clipboard targeting, screenshot capture, and remote code execution gives operators both immediate monetization through cryptocurrency theft and long-term control over compromised devices.
Self-spreading worm component on USB storage
The malware includes a worm component that automatically propagates to any USB storage device connected to an infected machine. It hides legitimate files and replaces them with identical-looking shortcuts that launch the malicious JavaScript payload instead. When users double-click what appears to be a document or folder, the malware executes and continues the cycle on the new host. This shortcut-based technique is a well-known social-engineering vector that bypasses many endpoint protections focused on executable files.
Because the worm operates at the file-system level, it can spread even when USB auto-run is disabled and without requiring administrative privileges. The only prerequisite is that the victim opens the seemingly normal shortcut, making it effective against casual users and small businesses that may not enforce strict USB policies. Once a new machine is infected, the same cycle of clipboard monitoring, data theft, and backdoor establishment begins anew.
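A defender triaging a suspect drive can look for exactly the pattern described in this section: a shortcut dropped beside a file or folder of the same name. The script below is an added example written for this article, not code from Microsoft or from the malware; the sample "drive" it builds in a temporary directory is constructed, and it assumes the worm leaves the original item in place (hidden) and names the shortcut after it. Shortcuts are recognised by their Shell Link header bytes rather than by extension alone, so a stray file merely named `.lnk` is not reported.

```python
"""Triage a removable drive for lookalike shortcuts shadowing real files or folders.

Added example, not part of the original article.  Assumptions:
  * the worm hides the original file or folder and drops a ``<name>.lnk`` beside it;
  * a genuine shortcut starts with the Shell Link header (HeaderSize 0x4C followed by
    the LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order).
"""
import os
import stat
import tempfile
from pathlib import Path

# 4-byte HeaderSize (0x0000004C, little-endian) + 16-byte LinkCLSID as stored on disk.
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def is_shell_link(path: Path) -> bool:
    """True if the file begins with the Shell Link header bytes."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(LNK_HEADER)) == LNK_HEADER
    except OSError:
        return False


def is_hidden(path: Path) -> bool:
    """Hidden-attribute check; meaningful only on Windows, False elsewhere."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_lookalike_shortcuts(root: Path) -> list[dict]:
    """Report every real .lnk whose name (minus .lnk) matches a sibling file or folder."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        siblings = set(dirnames) | set(filenames)
        for name in filenames:
            if not name.lower().endswith(".lnk"):
                continue
            shadowed = name[:-4]                      # "Report.docx.lnk" -> "Report.docx"
            if shadowed not in siblings:
                continue                              # ordinary shortcut, nothing shadowed
            lnk = Path(dirpath) / name
            if not is_shell_link(lnk):
                continue                              # .lnk extension but not a shortcut
            findings.append({
                "shortcut": lnk,
                "shadows": Path(dirpath) / shadowed,
                "shadow_hidden": is_hidden(Path(dirpath) / shadowed),
            })
    return sorted(findings, key=lambda f: str(f["shortcut"]))


def build_sample_drive() -> Path:
    """Constructed stand-in for an infected drive; contains no executable content."""
    root = Path(tempfile.mkdtemp(prefix="usb_triage_"))
    (root / "Report.docx").write_bytes(b"constructed document")
    (root / "Report.docx.lnk").write_bytes(LNK_HEADER + b"\0" * 32)   # shadows the document
    (root / "Photos").mkdir()
    (root / "Photos.lnk").write_bytes(LNK_HEADER + b"\0" * 32)        # shadows the folder
    (root / "Setup.lnk").write_bytes(LNK_HEADER + b"\0" * 32)         # no sibling: benign
    (root / "Notes").mkdir()
    (root / "Notes.lnk").write_bytes(b"not a shortcut")               # extension only
    return root


if __name__ == "__main__":
    for hit in find_lookalike_shortcuts(build_sample_drive()):
        print(f"{hit['shortcut'].name} shadows {hit['shadows'].name} (hidden={hit['shadow_hidden']})")
```

Run it against the mounted drive root instead of the constructed tree to get a list of candidate pairs for an analyst to inspect; the shortcut's target is deliberately not followed or executed here.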
Persistent scheduled tasks and obfuscated payloads
To survive reboots and remain undetected, the malware creates scheduled tasks that launch the obfuscated JavaScript payloads at system start-up. The scripts are heavily obfuscated with junk code and dynamic string generation to evade signature-based antivirus detection. This approach allows the malware to persist without writing traditional executables to disk, making it harder for incident responders to locate the primary entry point.
The use of JavaScript also simplifies delivery because scripts can be embedded directly in shortcut files or delivered via seemingly innocuous documents. Endpoint detection and response products that rely on behavioral analysis can catch the high-frequency clipboard access and Tor traffic, but many consumer-grade protections may miss these subtle indicators. Organizations with limited logging may struggle to reconstruct the initial infection chain months after the event.
Financial motivation meets long-term compromise
The immediate goal of the campaign is financial: steal cryptocurrency by replacing wallet addresses and capturing private keys. However, the installation of a backdoor means the compromise does not end with the theft. Attackers can deploy additional malware, move laterally across networks, or hold data for ransom. This dual-purpose design mirrors recent trends where info stealers evolve into droppers for ransomware groups, effectively monetizing the same initial access multiple times.
Cryptocurrency wallets are high-value targets because they combine liquid assets with weak or inconsistent security practices. Many users store seed phrases in plaintext files, reuse passwords, or rely on single-signature setups without multi-factor authentication. The malware exploits these habits by capturing everything from clipboard content to screenshots, effectively turning everyday user behavior into a data breach.

What to watch next and how to reduce risk
Security teams should watch for unusual Tor traffic from endpoints, high-frequency clipboard access, and JavaScript execution from the Documents directory. Network monitoring for connections to known onion addresses can provide early warning, while endpoint detection rules should flag renamed Tor clients such as ugate.exe. User education remains critical: treat every USB drive as potentially malicious and avoid opening shortcuts or documents from untrusted sources.
Organizations can reduce risk by disabling AutoPlay for removable media, enforcing application whitelisting for scripts, and deploying endpoint detection that monitors clipboard events and scheduled tasks. Cryptocurrency users should adopt hardware wallets with screen verification, avoid copying private keys to the clipboard, and store seed phrases offline in tamper-evident containers. Multi-signature setups and address-book whitelisting can further limit the impact of address substitution attacks.
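The three endpoint indicators named in this section (a renamed Tor client, script execution from the Documents directory, and scheduled tasks pointing at such scripts) translate directly into detection rules. The code below is an added example, not part of the article or of any vendor product; it runs the rules over constructed process-creation events whose field names follow Sysmon Event ID 1 (Image, OriginalFileName, CommandLine, ParentImage). It assumes the renamed Tor binary still carries `tor.exe` as the OriginalFileName in its PE version information, which is what lets a rename such as `ugate.exe` be spotted without a hash.

```python
"""Process-creation detection rules for the indicators discussed above.

Added example, not from the original article.  Events are constructed, with
Sysmon-style field names; the rename rule assumes the PE version-info
OriginalFileName of the Tor binary survives the rename to ugate.exe.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .js file anywhere under a Documents folder, whether the path is quoted or bare.
DOCUMENTS_JS = re.compile(r"\\documents\\[^\s\"]*\.js\b", re.IGNORECASE)


def _image_name(event: dict) -> str:
    # ntpath handles Windows paths correctly even when this runs on a Linux SIEM host.
    return ntpath.basename(event.get("Image", "")).lower()


def detect(event: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    image = _image_name(event)
    cmd = event.get("CommandLine", "")
    hits = []

    # 1. Tor client running under a different file name (e.g. ugate.exe).
    if event.get("OriginalFileName", "").lower() == "tor.exe" and image != "tor.exe":
        hits.append("renamed_tor_client")

    # 2. Windows Script Host executing JavaScript out of a Documents directory.
    if image in SCRIPT_HOSTS and DOCUMENTS_JS.search(cmd):
        hits.append("script_host_from_documents")

    # 3. A scheduled task being created whose action runs such a script.
    if image == "schtasks.exe" and "/create" in cmd.lower() and DOCUMENTS_JS.search(cmd):
        hits.append("scheduled_task_runs_documents_script")

    return hits


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map event id -> triggered rules, keeping only events with at least one hit."""
    results = {}
    for event in events:
        rules = detect(event)
        if rules:
            results[event["id"]] = rules
    return results


# Constructed sample telemetry; user name, paths and task name are invented.
SAMPLE_EVENTS = [
    {"id": "e1", "Image": r"C:\Users\alice\AppData\Roaming\ugate.exe",
     "OriginalFileName": "tor.exe", "CommandLine": r"ugate.exe -f torrc",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"id": "e2", "Image": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "wscript.exe",
     "CommandLine": r'wscript.exe //B "C:\Users\alice\Documents\update.js"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": "e3", "Image": r"C:\Windows\System32\schtasks.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc onlogon /tn "Sync" /tr "wscript.exe C:\Users\alice\Documents\sync.js"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    # Benign: Tor Browser's own tor.exe under its real name.
    {"id": "e4", "Image": r"C:\Program Files\Tor Browser\Browser\TorBrowser\Tor\tor.exe",
     "OriginalFileName": "tor.exe", "CommandLine": r"tor.exe -f torrc",
     "ParentImage": r"C:\Program Files\Tor Browser\Browser\firefox.exe"},
    # Benign: an administrator logon script stored outside Documents.
    {"id": "e5", "Image": r"C:\Windows\System32\wscript.exe",
     "OriginalFileName": "wscript.exe", "CommandLine": r"wscript.exe C:\Scripts\logon.js",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
]

if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(rules))
```

Rule 1 is the one worth keeping even if the other two generate noise in a given environment: legitimate Tor Browser installs run the binary under its own name, so an OriginalFileName of `tor.exe` behind any other image name is a strong signal on a corporate endpoint.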
Why this campaign matters beyond crypto theft
This malware illustrates how commodity threats can escalate from simple theft to full system compromise with minimal infrastructure. By leveraging USB drives, Tor, and scheduled tasks, the operators avoid traditional detection surfaces while maintaining persistent access. The campaign also highlights the risks of clipboard-based workflows in financial applications, where a single paste operation can lead to irreversible asset loss.
For enterprises, the backdoor capability means that even if stolen funds are recovered, the compromised machine remains a foothold for future attacks. Incident responders should assume that any device that touched an infected USB drive may need a full rebuild, regardless of whether cryptocurrency was actually stolen. This broader scope of compromise underscores the need for layered defenses that combine hardware controls, software restrictions, and user awareness.