Microsoft Warns of New USB Malware Targeting Crypto Users
June 21, 2026 — Microsoft has issued a security alert about a new malware strain that spreads through USB flash drives and uses Windows shortcut files to infect devices. The so-called “clipper” malware targets cryptocurrency users by scanning clipboard data and replacing wallet addresses with attacker-controlled addresses, putting Bitcoin, Tron, and Monero funds at risk.
Immediate Details & Direct Quotes
Microsoft Defender’s security team identified the malware, which propagates through removable media by replacing files with shortcut (.lnk) files. When users execute these shortcuts, the infection triggers and installs persistent monitoring on the device.
The malware operates through anonymized Tor-powered communications to avoid detection. It continuously scans memory every 500 milliseconds for cryptocurrency addresses and BIP39 seed phrases—both 12-word and 24-word formats.
“This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking,” the Microsoft Defender team emphasized.
Once infected, the malware captures five screenshots to provide context about wallet contents and the funds they hold. It then transmits this data, along with any detected seed phrases, to attackers’ servers.
Market Context & Reaction
As of June 21, 2026, Microsoft recommends immediate defensive measures for all Windows users who handle cryptocurrency transactions. The primary propagation vector—USB drives—makes this threat particularly dangerous for crypto users who transfer funds between offline and online devices.
The malware targets Bitcoin, Tron, and Monero addresses specifically, though its seed phrase harvesting capability threatens wallets across multiple blockchain networks. Because the malware substitutes clipboard addresses with attacker-controlled ones, victims unknowingly send funds to the attackers instead of the intended recipients.
Microsoft’s security team identified that the malware employs countermeasures against antivirus scanning and deletion attempts, making detection and removal more challenging for standard security tools.
Background & Historical Context
This threat represents an evolution in crypto-targeting malware, combining traditional USB propagation with sophisticated real-time clipboard monitoring. Previous clipper malware variants existed but typically lacked the persistent memory scanning and Tor-based anonymization seen in this strain.
Microsoft Defender’s analysis reveals that the infection process is entirely script-based, requiring no compiled executables to spread. This lightweight approach allows the malware to evade signature-based detection methods commonly used by antivirus software.
The malware’s ability to detect “high-value financial artifacts” in clipboard data marks a significant escalation in targeting precision. Instead of broadly harvesting credentials, it specifically seeks out cryptocurrency-related information.
What This Means
Users should immediately disable autorun for content on all removable media devices. Microsoft specifically recommends blocking the execution of shortcut files from removable drives, as these have been identified as the malware’s primary propagation method.
For crypto traders and investors, the safest practice involves using hardware wallets for transaction signing and avoiding USB transfers between devices. Seed phrases should never be stored in clipboard memory or copied on potentially compromised systems.
The security team will likely release updated Defender signatures to detect this specific malware variant. Users should ensure automatic updates remain enabled and consider running manual scans after connecting any USB device.
Coin holders should verify all withdrawal addresses manually before confirming transactions, even if the address appears correct in their clipboard. This practice remains the most effective defense against address substitution attacks.
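The following Python is an added example, not code from Microsoft's advisory or from the malware described above. It illustrates the defensive point made here and in the market-context section: a substituted address is normally a valid address on the same network, so neither a passing checksum nor a familiar-looking prefix proves the pasted address is the intended one; only a full character-for-character match does. The example covers Base58Check addresses (Bitcoin legacy versions 0x00 and 0x05, Tron version 0x41); Bitcoin bech32 and Monero's block-wise base58 are out of scope. All wallet addresses are constructed from hashes of fixed strings for the demonstration, except the well-known Bitcoin genesis address used as a reference.

```python
"""Added example: validate a pasted address and compare it with the intended one.
Constructed data only; not Microsoft's or the malware's code."""
import hashlib
from typing import Dict, Optional, Tuple

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Version bytes assumed here: Bitcoin P2PKH, Bitcoin P2SH, Tron mainnet.
NETWORKS = {b"\x00": "bitcoin-p2pkh", b"\x05": "bitcoin-p2sh", b"\x41": "tron"}


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    # Each leading zero byte is encoded as a leading '1'.
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def b58check_encode(version: bytes, payload: bytes) -> str:
    body = version + payload
    return b58encode(body + sha256d(body)[:4])


def b58check_decode(addr: str) -> Tuple[bytes, bytes]:
    raw = b58decode(addr)
    if len(raw) < 5:
        raise ValueError("address too short")
    body, checksum = raw[:-4], raw[-4:]
    if sha256d(body)[:4] != checksum:
        raise ValueError("checksum mismatch")
    return body[:1], body[1:]


def classify(addr: str) -> Optional[str]:
    """Network name for a well-formed Base58Check address with a 20-byte payload, else None."""
    try:
        version, payload = b58check_decode(addr)
    except ValueError:
        return None
    if len(payload) != 20:
        return None
    return NETWORKS.get(version)


def check_paste(expected: str, pasted: str) -> Dict[str, bool]:
    """Compare what the user meant to paste with what actually landed in the field.
    'pasted_valid' and 'same_network' being True prove nothing about intent; a
    clipper's replacement is chosen to look plausible. Only 'match' settles it."""
    exp_net = classify(expected)
    return {
        "match": expected == pasted,
        "pasted_valid": classify(pasted) is not None,
        "same_network": exp_net is not None and exp_net == classify(pasted),
        # Shares the first or last three visible characters: how a swap hides from a glance.
        "lookalike": expected != pasted
        and (expected[:3] == pasted[:3] or expected[-3:] == pasted[-3:]),
    }


def constructed_lookalike(legit: str, version: bytes, limit: int = 500_000) -> str:
    """Constructed for the demo: a different valid address on the same network whose
    first three characters match `legit`, to show why eyeballing a prefix fails."""
    for i in range(limit):
        payload = hashlib.sha256(b"constructed-demo-%d" % i).digest()[:20]
        cand = b58check_encode(version, payload)
        if cand[:3] == legit[:3] and cand != legit:
            return cand
    raise RuntimeError("no prefix collision within limit")


def demo_addresses() -> Dict[str, str]:
    """Constructed sample addresses: the intended recipient, a look-alike swap, a Tron address."""
    intended = b58check_encode(b"\x00", hashlib.sha256(b"constructed-intended-wallet").digest()[:20])
    return {
        "intended": intended,
        "swapped": constructed_lookalike(intended, b"\x00"),
        "tron": b58check_encode(b"\x41", hashlib.sha256(b"constructed-tron-wallet").digest()[:20]),
    }


if __name__ == "__main__":
    a = demo_addresses()
    print("intended:", a["intended"])
    print("swapped: ", a["swapped"])
    print(check_paste(a["intended"], a["swapped"]))
```

In practice the "expected" value comes from a source the clipboard never touched, such as an address shown by a hardware wallet or read back from the exchange page, and the comparison is done before the transaction is confirmed. A result of `match: False` with `pasted_valid: True`, `same_network: True` and `lookalike: True` is exactly the pattern an address-substitution attack produces.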