thehackernews.com web signal

Microsoft Details Active USB LNK Worm Deploying Tor-Based Clipper


TL;DR

  • The campaign has been active since February 2026, spreading via LNK shortcut files on USB drives.
  • The clipper monitors the Windows clipboard every 500 milliseconds to swap cryptocurrency wallet addresses.
  • A portable, renamed Tor binary routes C2 traffic through a local SOCKS5 proxy, resisting network-level blocking.

Microsoft has published analysis of a cryptocurrency-stealing campaign that has been running since February 2026, and the combination of techniques is what makes it worth paying attention to. The malware family is a clipper, meaning its core job is to monitor the Windows clipboard and silently replace cryptocurrency wallet addresses with attacker-controlled ones as victims copy them. According to The Hacker News, the campaign layers on top of that a USB worm, seed-phrase and private-key extraction, and screenshot capture, making it closer to a full financial data-stealer than a simple address swapper.

The USB spread mechanism is the part that deserves attention from defenders. The worm plants malicious Windows Shortcut files on USB drives, but it does not just add obvious new files. It scans for common document types including DOC, XLSX, and PDF files, hides the originals, and replaces them with LNK shortcuts carrying identical names. A user who plugs in a USB drive and tries to open what they believe is a spreadsheet instead executes the malware. This sidesteps email filters, web proxies, and download controls entirely, and the worm checks for prior infection before downloading additional payloads, managing its own footprint as it spreads.

The C2 design is where the campaign becomes harder to address at the network layer. Rather than communicating with fixed IP addresses or domain names that defenders can blocklist, the malware deploys a portable Tor client and routes traffic through a local SOCKS5 proxy, exfiltrating screenshots and clipboard data over the Tor network. The Tor binary is renamed to avoid simple process-name detection, and the malware exits if it detects Task Manager running, adding a layer of operational awareness uncommon in simpler clippers.

What the reporting does not give you is a confirmed victim count, a stolen-funds figure, or any threat-actor attribution, so take the campaign's scale as reported rather than settled. Microsoft's defensive guidance is concrete regardless: behavioral detections watching for renamed Tor binaries, SOCKS5 proxy creation from script engines, and clipboard polling at 500-millisecond intervals are more likely to catch this than any static signature. Disabling AutoRun for removable media and locking down LNK execution from USB drives via Group Policy are the highest-leverage low-effort controls available, and they cut off the initial access class entirely, not just this specific campaign.
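The decoy pattern from the second paragraph, turned into the triage check a responder could run over a mounted USB drive: it flags every .lnk whose displayed name matches a document in the same folder and reports whether that document carries the hidden attribute. This is an added example, not Microsoft's or The Hacker News' code; the drive layout in `demo()` is constructed, and on non-Windows hosts the hidden check falls back to the dotfile convention.

```python
"""Triage a mounted USB drive for the decoy pattern described above: a .lnk
shortcut sitting beside a hidden document of the same name.
Added example; not Microsoft's or The Hacker News' code."""
import os
import stat
import tempfile
from pathlib import Path

DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}
HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)  # Windows hidden bit


def is_hidden(path: Path) -> bool:
    """Windows 'hidden' attribute; on POSIX fall back to the dotfile rule."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & HIDDEN) or path.name.startswith(".")


def find_decoy_shortcuts(root) -> list:
    """One finding per .lnk whose displayed name matches a document in the
    same folder. Explorer never shows the .lnk extension, so 'budget.xlsx.lnk'
    and 'budget.lnk' both masquerade as the real 'budget.xlsx'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        docs = [folder / f for f in files if Path(f).suffix.lower() in DOC_EXTS]
        for f in files:
            if not f.lower().endswith(".lnk"):
                continue
            shown = f[:-4].lower()  # the name the user actually sees
            for doc in docs:
                if shown in (doc.name.lower(), doc.stem.lower()):
                    findings.append({"shortcut": str(folder / f),
                                     "shadowed_document": str(doc),
                                     "document_hidden": is_hidden(doc)})
    return findings


def demo() -> list:
    """Constructed drive layout: two decoys plus a benign .txt/.lnk pair."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("budget.xlsx", "budget.xlsx.lnk", "sub/notes.pdf",
                     "sub/notes.lnk", "sub/setup.txt", "sub/setup.lnk"):
            p = Path(d, name)
            p.parent.mkdir(exist_ok=True)
            p.write_bytes(b"constructed sample")
        hits = sorted(find_decoy_shortcuts(d), key=lambda h: h["shortcut"])
        return [(Path(h["shortcut"]).name, Path(h["shadowed_document"]).name)
                for h in hits]
```

On a real drive, call `find_decoy_shortcuts(r"E:\")` and treat any finding with `document_hidden` set as the exact pattern the article describes; a .lnk beside a visible document is still worth a look, since the hidden attribute may have been cleared.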