A newly discovered USB worm spreads cryptocurrency-stealing malware through Windows shortcut (.LNK) files, letting threat actors divert victims' cryptocurrency payments across networks without user awareness.

The malware uses a self-propagation mechanism that targets USB devices connected to infected systems. When a user inserts a contaminated USB drive into a Windows machine and opens one of the planted shortcut files, the malware runs; a .LNK file does not execute on insertion by itself. The worm then copies itself to any further USB device connected to that machine, creating a chain of infection across systems and networks.

The payload is a clipboard hijacker, often called a "clipper": it watches the clipboard for wallet addresses that users copy. When a victim prepares to send cryptocurrency to a legitimate address, the malware replaces the clipboard content with an attacker-controlled address of the same type. The substitution is silent, and because wallet addresses are long strings that few people compare character by character, the victim sends funds to the threat actor instead of the intended recipient.
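The swap described above has a recognisable shape in clipboard telemetry: an address is copied, and milliseconds later a different address of the same chain replaces it, set by a process the user never interacted with. The following detection logic is an added example written for this article, not code from the original report or from the malware. It assumes clipboard-change events have already been collected on the endpoint (on Windows that would be a WM_CLIPBOARDUPDATE listener plus GetClipboardOwner); the event list, process names and addresses below are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Address shapes for the two chains clipper malware most often targets.
# Only the shape is checked; a valid-looking address says nothing about who owns it.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def address_type(text: str):
    """Return 'btc', 'eth', or None for a clipboard payload."""
    s = text.strip()
    for chain, pat in ADDRESS_PATTERNS.items():
        if pat.fullmatch(s):
            return chain
    return None


@dataclass(frozen=True)
class ClipEvent:
    ts_ms: int    # time the clipboard content changed
    owner: str    # image name of the process that set it (GetClipboardOwner on Windows)
    text: str     # CF_UNICODETEXT payload


def find_swaps(events, window_ms=2000):
    """Flag a wallet address overwritten by a different address of the same chain
    within window_ms. A user re-copying a new address normally takes seconds;
    a clipper reacts to the copy within milliseconds."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        chain = address_type(prev.text)
        if chain is None or address_type(cur.text) != chain:
            continue
        if prev.text.strip() == cur.text.strip():
            continue
        if cur.ts_ms - prev.ts_ms > window_ms:
            continue
        alerts.append({
            "chain": chain,
            "copied": prev.text.strip(),
            "replaced_with": cur.text.strip(),
            "delay_ms": cur.ts_ms - prev.ts_ms,
            "swapped_by": cur.owner,
        })
    return alerts


# Constructed telemetry: the user copies a recipient address from the browser,
# a hypothetical process "clipsvc_update.exe" overwrites it 12 ms later, and
# later the user legitimately copies two unrelated ETH addresses 11 s apart.
EVENTS = [
    ClipEvent(1000, "explorer.exe", "meeting notes"),
    ClipEvent(5000, "chrome.exe", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ClipEvent(5012, "clipsvc_update.exe", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    ClipEvent(9000, "chrome.exe", "0x52908400098527886E0F7030069857D2E4169EE7"),
    ClipEvent(20000, "chrome.exe", "0x8617E340B3D01FA5F11F306F4090FD50E238070D"),
]

if __name__ == "__main__":
    for alert in find_swaps(EVENTS):
        print(alert)
```

The time window is the load-bearing heuristic: widen it and legitimate re-copies start to alert, narrow it and a clipper that polls slowly slips through, so tune it against the polling interval you observe in the sample rather than guessing. The owner field is recorded for response, not used as the trigger, because the swapping process is whatever the worm happens to be running as.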

Threat actors route command-and-control communications through the Tor network, hiding their infrastructure and complicating attribution and takedown. Tor gives the operation resilience against network-level blocking and law enforcement tracking, but it also leaves a distinctive footprint: an infected host must either bundle a Tor client or talk to a Tor-to-web gateway, and both are worth hunting for on endpoints and at the perimeter.

Windows shortcut files serve as the infection vector because a .LNK is not a program in its own right: it records a target and a command line, and double-clicking it runs that target, typically a legitimate, signed system binary such as cmd.exe or powershell.exe, so the shortcut itself rarely triggers antivirus alerts. Users treat shortcuts as harmless references, and a shortcut can carry a folder or document icon and be named after the files it conceals, which is what makes the lure effective. Because the victim supplies the double-click, the approach does not depend on AutoRun, which Windows has disabled for removable drives by default since Windows 7, so the usual "AutoRun is off" assumption offers no protection here.
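Triage of suspect shortcuts comes down to reading what the .LNK actually points at and with what arguments, which the Explorer properties dialog truncates. The script below is an added example for this article, not code from the original report or from any worm; it parses the MS-SHLLINK header and StringData sections and applies a few generic heuristics (script-host target, hidden or encoded command lines, file-hiding commands, minimised window, system icon on a script host). It skips the LinkTargetIDList and LinkInfo blocks by size, so the absolute target path stored in the IDList is not recovered; RELATIVE_PATH and COMMAND_LINE_ARGUMENTS are what it examines. The sample shortcut it builds is constructed to show the pattern and is not a copy of any real sample.

```python
import re
import struct
from dataclasses import dataclass, field

# Constants from MS-SHLLINK: header size and the ShellLink CLSID
# 00021401-0000-0000-C000-000000000046 in on-disk (little-endian) byte order.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80   # LinkFlags that change layout
# StringData sections in storage order, with the LinkFlags bit that enables each.
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]
SW_SHOWMINNOACTIVE = 7   # ShowCommand: target starts minimised, window never shown


@dataclass
class Shortcut:
    flags: int
    show_command: int
    strings: dict = field(default_factory=dict)


def parse_lnk(data: bytes) -> Shortcut:
    """Parse the ShellLinkHeader and StringData of a .LNK file."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = HEADER_SIZE
    if flags & HAS_IDLIST:                      # IDListSize (2 bytes) then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            strings[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            strings[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return Shortcut(flags, show_command, strings)


SCRIPT_HOSTS = re.compile(
    r"(?:^|[\\/])(?:cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|"
    r"certutil|bitsadmin|forfiles)\.exe$", re.I)
SUSPICIOUS_ARGS = [re.compile(p, re.I) for p in (
    r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}",   # encoded PowerShell
    r"-w(?:indowstyle)?\s*hidden",                        # hidden window
    r"\b(?:iex|invoke-expression|invoke-webrequest|downloadstring|frombase64string)\b",
    r"\bstart\s+/min\b",                                  # console minimised
    r"\battrib\s+\+[hs]",                                 # hiding the drive's real files
    r"https?://",                                         # remote payload
)]


def triage(sc: Shortcut) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    target = sc.strings.get("relative_path", "")
    args = sc.strings.get("arguments", "")
    icon = sc.strings.get("icon_location", "").lower()
    if SCRIPT_HOSTS.search(target):
        findings.append(f"target is a script host/LOLBin: {target}")
        if icon.endswith(("shell32.dll", "imageres.dll")):
            findings.append("script host dressed with a system icon (folder/document lure)")
    for pat in SUSPICIOUS_ARGS:
        m = pat.search(args)
        if m:
            findings.append(f"argument matches {pat.pattern!r}: {m.group(0)}")
    if sc.show_command == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (window never shown)")
    return findings


def build_lnk(strings: dict, show_command: int = 1, id_list: bytes = b"") -> bytes:
    """Assemble a minimal well-formed .LNK so the parser can be exercised offline."""
    flags = IS_UNICODE | (HAS_IDLIST if id_list else 0)
    for name, bit in STRING_FIELDS:
        if name in strings:
            flags |= bit
    header = (struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
              + struct.pack("<I", 0) + b"\x00" * 24            # FileAttributes, 3 timestamps
              + struct.pack("<IIIH", 0, 0, show_command, 0)     # FileSize, IconIndex, ShowCommand, HotKey
              + b"\x00" * 10)                                   # Reserved1..3
    body = struct.pack("<H", len(id_list)) + id_list if id_list else b""
    for name, _ in STRING_FIELDS:
        if name in strings:
            body += struct.pack("<H", len(strings[name])) + strings[name].encode("utf-16-le")
    return header + body + b"\x00\x00\x00\x00"   # TerminalBlock closes ExtraData


# Constructed lure: "Photos" with a folder icon, launching cmd.exe minimised.
# The IDList is a single "My Computer" item so the skip logic is exercised.
MY_COMPUTER_IDLIST = bytes.fromhex("14001f50" "e04fd020ea3a6910a2d808002b30309d" "0000")
LURE = build_lnk(
    {"name": "Photos", "relative_path": "..\\..\\Windows\\System32\\cmd.exe",
     "working_dir": "%cd%",
     "arguments": '/c start /min "" powershell -w hidden -c "attrib +h +s *.*"',
     "icon_location": "%SystemRoot%\\System32\\shell32.dll"},
    show_command=SW_SHOWMINNOACTIVE, id_list=MY_COMPUTER_IDLIST)
BENIGN = build_lnk({"relative_path": "..\\Documents\\report.docx"})

if __name__ == "__main__":
    for line in triage(parse_lnk(LURE)):
        print(line)
```

Run it over every .LNK on a suspect drive and sort by number of findings; a shortcut whose target is a script host with a folder icon is the thing to pull first. Shortcuts that carry only an IDList and no RELATIVE_PATH will show an empty target here, so treat "no target string but arguments present" as a reason to open the IDList with a full parser rather than as a clean result.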

The self-spreading behavior distinguishes this threat from conventional malware. Once a system becomes infected, the worm automatically propagates to any connected USB device, converting them into infection vectors. This creates exponential growth potential across corporate networks, shared workstations, and personal devices.

Cryptocurrency users face direct financial loss through clipboard hijacking. Organizations with employees who handle crypto transactions or manage hardware wallets need immediate mitigation; a hardware wallet only helps if the user confirms the destination address on the device's own screen rather than trusting the pasted text. Corporate networks without USB restrictions risk rapid host-to-host spread through shared removable media, independent of any network-based lateral movement.

Security teams should enforce the AutoRun-off setting by policy (it is the default for removable drives on supported Windows versions, but the default should not be relied on), apply application control that blocks unsigned executables and also constrains script hosts such as PowerShell and cmd.exe, since a shortcut lure runs those rather than a dropped binary, and restrict USB storage access where possible. Users handling cryptocurrency should verify wallet addresses through independent