Wormable Clipboard Stealer Targets Crypto Wallets via USB Drives
Microsoft has uncovered a malware campaign that has been active since at least February. The malware spreads via USB drives using LNK files and is wormable, copying itself to newly connected removable drives. Once executed, it monitors the clipboard for cryptocurrency wallet addresses and replaces them with attacker-controlled ones. It also targets BIP39 seed phrases, Ethereum and Bitcoin private keys, and wallet addresses for Bitcoin, Tron, and Monero. The malware establishes command-and-control communication over the Tor network using a bundled Tor executable (ugate.exe) and exfiltrates screenshots and stolen data via curl. It can receive EVAL commands for remote code execution, downloading and executing JavaScript payloads. Microsoft emphasizes that behavioral indicators are the key red flags: unusual script-host activity (wscript.exe, cscript.exe), unexpected launches of curl, PowerShell, or cmd.exe, and connections to localhost:9050.
Key facts
- Malware spreads via USB drives using LNK files and worm-like self-propagation.
- Replaces clipboard cryptocurrency wallet addresses with attacker-controlled ones.
- Steals BIP39 seed phrases, Ethereum/Bitcoin private keys, and wallet addresses.
- Communicates via Tor, exfiltrates data and allows remote code execution.
- Key behavioral detections: watch for wscript.exe and cscript.exe activity, unexpected curl launches, and Tor proxy connections.
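The behavioral indicators above translate directly into detection rules. The following is an added example, not code from Microsoft or the original article: it parses a small set of constructed process and network telemetry lines (a simple pipe-delimited format, not a real Sysmon or EDR export) and raises a finding when a script host (wscript.exe, cscript.exe) spawns curl, PowerShell, or cmd.exe, or when any process connects to 127.0.0.1:9050, which is the default Tor SOCKS listener. The event format, the rule names, and the sample paths are assumptions made for the example.

```python
from collections import namedtuple

# A detection hit: which rule fired, the process it concerns, and a short detail string.
Finding = namedtuple("Finding", "rule pid image detail")

# Indicators taken from the report: script hosts launching LOLBins, and traffic to the
# local Tor SOCKS port. The port/address pair is the Tor default (assumption: the
# bundled Tor binary was not reconfigured to a different port).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBIN_CHILDREN = {"curl.exe", "powershell.exe", "cmd.exe"}
TOR_SOCKS = ("127.0.0.1", 9050)

# Constructed sample telemetry (hypothetical host, hypothetical PIDs and paths).
# process|pid|ppid|image|parent   and   network|pid|dst|dport
SAMPLE_EVENTS = r"""
process|pid=4120|ppid=3988|image=C:\Windows\explorer.exe|parent=C:\Windows\System32\userinit.exe
process|pid=5012|ppid=4120|image=C:\Windows\System32\wscript.exe|parent=C:\Windows\explorer.exe
process|pid=5030|ppid=5012|image=C:\Windows\System32\curl.exe|parent=C:\Windows\System32\wscript.exe
process|pid=5044|ppid=5012|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|parent=C:\Windows\System32\wscript.exe
process|pid=5060|ppid=5012|image=E:\ugate.exe|parent=C:\Windows\System32\wscript.exe
network|pid=5030|dst=127.0.0.1|dport=9050
network|pid=6100|dst=93.184.216.34|dport=443
process|pid=6100|ppid=4120|image=C:\Program Files\Mozilla Firefox\firefox.exe|parent=C:\Windows\explorer.exe
"""


def parse_events(text):
    """Turn the pipe-delimited sample format into a list of dicts.

    The first field is the event kind; the rest are key=value pairs. Values may
    contain backslashes, so only the first '=' in each field is treated as the separator.
    """
    events = []
    for line in text.strip().splitlines():
        kind, *fields = line.split("|")
        event = {"kind": kind}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def basename(path):
    """Lower-cased file name of a Windows path, so rules match regardless of directory."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply the two behavioral rules and return every Finding, in event order."""
    # Index process events by PID so network events can be attributed to an image name.
    procs = {int(e["pid"]): e for e in events if e["kind"] == "process"}
    findings = []
    for e in events:
        if e["kind"] == "process":
            parent, child = basename(e["parent"]), basename(e["image"])
            # Rule 1: a script host launching curl / PowerShell / cmd is rarely benign.
            if parent in SCRIPT_HOSTS and child in LOLBIN_CHILDREN:
                findings.append(Finding("script-host-spawns-lolbin", int(e["pid"]),
                                        child, f"{parent} -> {child}"))
        elif e["kind"] == "network":
            # Rule 2: any connection to the local Tor SOCKS port on a host that has no
            # sanctioned Tor client deserves a look, whatever the process name is.
            if (e["dst"], int(e["dport"])) == TOR_SOCKS:
                pid = int(e["pid"])
                image = basename(procs[pid]["image"]) if pid in procs else "<unknown>"
                findings.append(Finding("tor-socks-localhost", pid, image,
                                        f"{e['dst']}:{e['dport']}"))
    return findings


def suspicious_script_hosts(events, findings):
    """Correlate: PIDs of script hosts whose children triggered Rule 1.

    Grouping by the script-host parent lets an analyst triage one tree instead of
    three separate alerts; a parent that also spawns a Tor proxy is the high-severity case.
    """
    procs = {int(e["pid"]): e for e in events if e["kind"] == "process"}
    return sorted({int(procs[f.pid]["ppid"]) for f in findings
                   if f.rule == "script-host-spawns-lolbin" and f.pid in procs})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in detect(evs):
        print(f"[{f.rule}] pid={f.pid} image={f.image} {f.detail}")
    print("script hosts to triage:", suspicious_script_hosts(evs, detect(evs)))
```

On the constructed sample the curl and PowerShell launches under wscript.exe fire Rule 1, the curl process's connection to 127.0.0.1:9050 fires Rule 2, and both are attributed back to the single wscript.exe parent (PID 5012). The ugate.exe launch is deliberately not matched by name: an attacker can rename a binary freely, whereas the Tor SOCKS connection and the script-host-to-LOLBin parent/child relationship are the behaviors the report tells defenders to watch.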