New USB Worm Spreads Crypto-Stealing Malware, Leverages Tor for Stealth
A sophisticated malware campaign targeting cryptocurrency wallets has been active since February, utilizing a self-spreading USB worm to deploy clipboard-stealing malware. This threat stealthily replaces cryptocurrency wallet addresses, captures sensitive data like seed phrases and private keys, and exfiltrates information over the **Tor** network, posing a significant risk to IT security professionals and privacy-conscious users.
Threat actors are employing a new, highly evasive campaign to compromise cryptocurrency holdings. This ongoing operation, active since at least February, leverages malicious **LNK** (shortcut) files on USB drives to distribute a potent clipper malware.
### Infection and Worm Propagation
According to **Microsoft** researchers, the initial infection begins when a user opens a seemingly innocuous **LNK** file from a USB drive. This action triggers the execution of the malware, which then stages additional payloads from a `.ONION` address, indicative of **Tor** network usage.
Upon execution, the malware scans the local system for document files. It then hides the original documents and replaces them with malicious shortcut files bearing the same names. This cunning tactic ensures that any attempt to open these documents will re-execute the malware.
Furthermore, the worm establishes a scheduled task to monitor for newly connected USB storage devices. When a removable drive is detected, the malware automatically copies itself to the device and creates more malicious shortcut files, perpetuating its spread.

*Execution flow overview (Source: Microsoft)*
### Data Stealer Capabilities
The malware's stealer component activates only after confirming that **Task Manager** is inactive, a common anti-analysis technique. It then establishes communication with its command-and-control (C2) server using a **Tor** executable named `ugate.exe`.
Every half-second, the malware meticulously checks the clipboard for a wide array of cryptocurrency-related data, including:
* 12-word and 24-word **BIP39** seed phrases
* **Ethereum** private keys
* **Bitcoin WIF** keys
* **Bitcoin** legacy, **P2SH**, **Bech32**, and **Taproot** wallet addresses
* **Tron** wallet addresses
* **Monero** wallet addresses
The malware's sophistication extends to its address replacement strategy. It selects attacker-controlled wallet addresses that partially resemble the victim's original addresses, aiming to reduce the chance of immediate detection by a quick glance.

*Function to replace the wallet address (Source: Microsoft)*
Beyond clipboard monitoring, the malware also captures five screenshots of the victim's screen every ten seconds. These visual records are then exfiltrated to the C2 server using the `curl` tool.
**Microsoft** also reports that the malware supports remote code execution. A C2 `EVAL` instruction can trigger the download of JavaScript content into a file named `cfile`, which is then executed on the infected machine.
### Detection and Mitigation
Researchers emphasize that the strongest indicators of this infection are behavioral rather than signature-based. They recommend vigilant monitoring for specific process activities, including `wscript.exe` and `cscript.exe`, unexpected launches of `curl`, **PowerShell**, and `cmd.exe`, and any unusual child processes.
Furthermore, connections to `localhost:9050` and any observed **Tor** proxy activity should be considered significant red flags associated with this campaign. IT security professionals are advised to implement robust endpoint detection and response (EDR) solutions and educate users on the risks associated with opening unknown files from USB drives.
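The behavioural indicators above, turned into a small triage routine as an added example (not Microsoft's or the article's code): it runs over constructed endpoint events in a hypothetical process/network schema, flags script-host launches, their curl/PowerShell/cmd.exe children, and connections to localhost:9050, and then correlates per process so that a single rule hit is not treated as an alert on its own.

```python
"""Behavioural triage for the USB clipper campaign: script hosts, unexpected
child tools and local Tor SOCKS (port 9050) connections, correlated per PID."""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPECT_CHILDREN = {"curl.exe", "powershell.exe", "cmd.exe"}
TOR_SOCKS_PORT = 9050            # localhost:9050 as named in the report
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample events (hypothetical schema, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "image": "explorer.exe", "parent": "userinit.exe"},
    {"type": "process", "pid": 101, "image": "wscript.exe", "parent": "explorer.exe"},
    {"type": "process", "pid": 102, "image": "curl.exe", "parent": "wscript.exe"},
    {"type": "process", "pid": 103, "image": "ugate.exe", "parent": "wscript.exe"},
    {"type": "network", "pid": 101, "image": "wscript.exe", "dst": "127.0.0.1", "port": 9050},
    {"type": "network", "pid": 102, "image": "curl.exe", "dst": "127.0.0.1", "port": 9050},
    {"type": "process", "pid": 104, "image": "cmd.exe", "parent": "explorer.exe"},
]


def triage(events):
    """Return one (rule, pid, image) finding per event that matches a rule."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        if ev["type"] == "process":
            parent = ev.get("parent", "").lower()
            if image in SCRIPT_HOSTS:
                findings.append(("script_host_launch", ev["pid"], image))
            if parent in SCRIPT_HOSTS and image in SUSPECT_CHILDREN:
                findings.append(("script_host_spawned_tool", ev["pid"], image))
            elif parent in SCRIPT_HOSTS:
                # Any other child of a script host is still worth a look.
                findings.append(("script_host_unusual_child", ev["pid"], image))
        elif ev["type"] == "network":
            if ev["dst"] in LOOPBACK and ev["port"] == TOR_SOCKS_PORT:
                findings.append(("tor_socks_connection", ev["pid"], image))
    return findings


def correlate(findings):
    """PIDs that triggered at least two distinct rules (process + network)."""
    rules_by_pid = {}
    for rule, pid, _image in findings:
        rules_by_pid.setdefault(pid, set()).add(rule)
    return {pid for pid, rules in rules_by_pid.items() if len(rules) >= 2}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("escalate:", sorted(correlate(hits)))
```

A lone `cmd.exe` under `explorer.exe` (pid 104) is deliberately not flagged; the escalation set is driven by the combination of a script-host lineage and Tor proxy use on the same process.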