
Microsoft Uncovered Malware That Swaps Out Wallet Addresses

The trojan spreads through USB drives, steals keys from the clipboard, and gives attackers access to the infected device.


nft.eu

Microsoft Threat Intelligence has described a piece of Windows malware that, since February 2026, has been spreading through USB drives and infecting computers. Once inside a system, it hunts for crypto wallet data and swaps out copied recipient addresses, while also opening up remote access to the machine for the attacker.

How the Trojan Works

The infection starts by tampering with the files on a flash drive. The program locates ordinary documents, hides them, and puts fake icons with the same names in their place. A person opens what they think is their own file and ends up running malicious code.

Inside, the program splits into two parts: one component spreads onto every new flash drive, the other steals wallet data. Both write themselves into the task scheduler and relaunch themselves after a reboot. When it launches, the program first checks running processes and shuts itself down if Task Manager is open, so it doesn't fall into an analyst's hands. The code is stored encrypted and only reveals itself the moment it runs.

The malware's operating scheme: infection via a flash drive and theft of wallet data. Source: Microsoft

The trojan checks the clipboard twice a second. Once it catches a copied wallet address, it swaps it out for the attacker's address. Few people compare an address in full; most users just glance at the first and last characters. The swap is built around exactly this habit: the trailing characters of the substituted address match the original, and nothing tips the person off.

The program also pulls seed phrases and private wallet keys out of the clipboard. It sends the data it collects to the attacker's server and only wipes its own copy after confirming the data arrived. So that the attacker can size up the haul right away, it also takes several screenshots a few seconds apart, showing the victim's wallets and the balances in their accounts.

The program finds its command-and-control server not through an ordinary address, but through the anonymous Tor network. This hides the server's real location and prevents the connection from being cut off with a simple block.

How to Protect Your Data

Microsoft advises watching for oddities in how the system behaves: unfamiliar processes launched by service scripts, connections to a local proxy, screen-capture commands, traces of address swapping. It also recommends disabling autorun for removable media, blocking the opening of shortcuts from external drives, and restricting the scripting utilities used to launch code.
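The "traces of address swapping" Microsoft mentions can be looked for in clipboard history: a wallet address that is replaced by a different address within a fraction of a second, with the same trailing characters, matches the trick described above. The heuristic below is an added example, not code from Microsoft or from this post; the clipboard timeline, the address values (one is the BIP173 bech32 test vector, the rest are constructed), and the two-second window are assumptions.

```python
"""Offline heuristic for clipboard wallet-address swapping (constructed data)."""
import re

# Ethereum hex addresses, bech32 and legacy Bitcoin addresses (assumed coverage).
ADDRESS_RE = re.compile(
    r"(?:0x[0-9a-fA-F]{40}|bc1[a-z0-9]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})"
)

def find_address(text: str):
    """Return the first wallet-looking address in a clipboard snapshot, or None."""
    m = ADDRESS_RE.search(text)
    return m.group(0) if m else None

def detect_swaps(snapshots, window=2.0, suffix_len=4):
    """snapshots: list of (seconds, clipboard_text) in time order.
    Flags an address that is replaced by a different address within `window`
    seconds and records whether the trailing characters match, which is the
    habit the swap exploits: users only check the first and last characters."""
    alerts = []
    prev_time, prev_addr = None, None
    for ts, text in snapshots:
        addr = find_address(text)
        if addr is None:
            continue
        if prev_addr is not None and addr != prev_addr and ts - prev_time <= window:
            alerts.append({
                "time": ts,
                "original": prev_addr,
                "replacement": addr,
                "suffix_match": addr[-suffix_len:] == prev_addr[-suffix_len:],
            })
        prev_time, prev_addr = ts, addr
    return alerts

# Constructed sample values (not real wallets).
LEGIT_ETH = "0xa1b2c3d4e5f6a7b8c9d0a1b2c3d4e5f6a7b8c9d0"
SWAP_ETH = "0xdeadbeef0011223344556677889900aabbccc9d0"   # same last 4 chars
LEGIT_BTC = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"  # BIP173 test vector
OTHER_BTC = "bc1q" + "0" * 34 + "zzzz"                     # different suffix

# Constructed clipboard timeline: (seconds since start, clipboard text).
SNAPSHOTS = [
    (0.0, "quarterly report"),
    (12.0, LEGIT_ETH),   # user copies the real recipient
    (12.4, SWAP_ETH),    # replaced within half a second, suffix preserved: flagged
    (45.0, LEGIT_BTC),   # unrelated copy much later: not flagged
    (45.5, OTHER_BTC),   # quick replacement, suffix differs: still flagged
    (80.0, "hello"),
]

if __name__ == "__main__":
    for alert in detect_swaps(SNAPSHOTS):
        print(alert)
```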

This post is for informational purposes only and does not constitute advertising or investment advice. Please do your own research before making any decisions.
