Microsoft discovered a new self-propagating malware called Crypto Clipper that spreads via USB drives, monitors clipboard for cryptocurrency credentials and seed phrases, and exfiltrates data via Tor.
# Microsoft discovers new lightweight backdoor that steals cryptocurrency
Source: [https://arstechnica.com/security/2026/06/microsoft-spots-new-self-propagating-malware-for-stealing-cryptocurrency/](https://arstechnica.com/security/2026/06/microsoft-spots-new-self-propagating-malware-for-stealing-cryptocurrency/)
Microsoft says it has detected new self-propagating malware that spreads through USB drives in search of cryptocurrency credentials, which it then sends to attacker-controlled servers.
The company named the worm Crypto Clipper because it monitors the contents of device clipboards for patterns consistent with wallet addresses or seed phrases. When found, the malware also takes five screenshots over a 10-second period. Both the credentials and the screenshots are then sent to the attacker through Tor, a network protocol that provides anonymous routing by sending traffic through redundant nodes so logs can’t capture both the sending and receiving IP addresses. Crypto Clipper establishes the Tor connection by using a SOCKS5 proxy, a network protocol that sends traffic through a proxy server, which then forwards it to its final destination.
## A lightweight backdoor
“The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure,” Microsoft [said](https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/) Thursday. “Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor.”
Microsoft said it observed Crypto Clipper spreading through [.lnk](https://en.wikipedia.org/wiki/Shortcut_(computing)#Microsoft_Windows) files on a USB drive. These files store executable code. When an infected USB drive is plugged into a device, the code checks whether the malware is already installed on the machine. If it isn’t, it downloads the malware through the Tor proxy. To better conceal evidence of the worm, the malware scans the infected USB drive and gives its .lnk files names similar to those of files already there.
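As an added example (not code from the article, from Microsoft or from Ars Technica), the following Python check turns the concealment behaviour described above into a triage signal for a removable drive: it flags `.lnk` files whose name copies another entry on the same drive (for instance `Photos.lnk` next to a `Photos` folder, or `Report.docx.lnk` next to `Report.docx`). The directory listing is constructed for illustration, and `scan_drive` assumes the shortcuts sit in the drive's top-level directory, which the article does not state.

```python
"""Flag shortcut (.lnk) files on a removable drive that mimic the names of
other entries on the same drive.

Added example, not the article's or Microsoft's code. A hit is a triage
signal for a human or an EDR rule to look at, not proof of infection:
users do create legitimate shortcuts."""
import os
from pathlib import Path

# Constructed listing of a hypothetical USB drive root (not real data).
CONSTRUCTED_LISTING = [
    "Photos",                    # folder
    "Report.docx",
    "readme.txt",
    "System Volume Information", # normal on Windows-formatted media
    "Photos.lnk",                # mimics the "Photos" folder
    "Report.docx.lnk",           # mimics "Report.docx"
    "notes.lnk",                 # no counterpart: not flagged by this check
]


def find_mimic_shortcuts(entries):
    """Return sorted (shortcut, mimicked_entry) pairs.

    A .lnk file is flagged when the name left after stripping ".lnk"
    equals, case-insensitively, either the full name or the stem of a
    non-shortcut entry in the same listing."""
    entries = [str(e) for e in entries]
    index = {}
    for e in entries:
        if e.lower().endswith(".lnk"):
            continue
        # Index both "Report.docx" and "Report" so either form of mimicry hits.
        for key in {e.lower(), Path(e).stem.lower()}:
            index.setdefault(key, set()).add(e)

    hits = []
    for e in entries:
        if not e.lower().endswith(".lnk"):
            continue
        key = Path(e).stem.lower()          # "Report.docx.lnk" -> "report.docx"
        for target in sorted(index.get(key, ())):
            hits.append((e, target))
    return sorted(hits)


def scan_drive(root):
    """Apply the check to the top-level listing of a mounted drive.

    Assumption (not stated in the article): the shortcuts live at the drive
    root. Extend with os.walk if deeper placement needs covering."""
    return find_mimic_shortcuts(os.listdir(root))


if __name__ == "__main__":
    for shortcut, target in find_mimic_shortcuts(CONSTRUCTED_LISTING):
        print(f"suspicious shortcut {shortcut!r} mimics {target!r}")
    # -> Photos.lnk mimics Photos; Report.docx.lnk mimics Report.docx
```

Run `scan_drive("E:\\")` (or the mount point on Linux or macOS) against a drive you are triaging. The check is deliberately name-based and does not parse the shortcut's binary target; pairing a hit with the shortcut's target command line, which Windows exposes through the shell, is the natural next step for a detection rule.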
A security researcher released a zero-day exploit called YellowKey that bypasses Microsoft BitLocker encryption on Windows 11 and Windows Server 2022/2025, allowing full access to locked drives using a USB stick; the exploit appears to operate as a backdoor, with files disappearing after use.
Researchers at PromptArmor demonstrate that Microsoft Copilot Cowork can be exploited via indirect prompt injection to exfiltrate files from Microsoft 365, exploiting the lack of approval for certain actions when the recipient is the active user.
Microsoft's open source projects on GitHub were hacked to inject password-stealing malware targeting AI developers using tools like Claude Code and Gemini CLI. The company temporarily removed dozens of repositories and is investigating the breach.
For the second time in weeks, Microsoft's verified open-source packages were compromised with credential-stealing malware, affecting 73 packages on GitHub. The attack, linked to threat actor TeamPCP, uses stolen OIDC tokens and spreads laterally through cloud infrastructures.