
USB LNK Worm Deploys Tor-Routed Crypto Clipper Swapping Wallet Addresses Every 500ms
A financially motivated Windows clipper uses USB LNK files and a Tor-hidden C2 to intercept and replace cryptocurrency addresses. Technical evidence shows worm-like propagation and Task Manager evasion rather than nation-state infrastructure. Defenders must prioritize behavioral rules and removable-media policies to limit spread.
The malware uses a two-stage LNK worm that first checks for prior infection, then deploys scheduled tasks for persistence before fetching the clipper payload. The clipper monitors the clipboard at 500-millisecond intervals, matches wallet patterns, and substitutes attacker addresses while exfiltrating screenshots and seed phrases through a local SOCKS5 proxy to a Tor hidden service. It also exits if Task Manager is detected and supports runtime EVAL commands for additional code execution.
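The 500-millisecond clipboard polling and address substitution described above can be checked from the defender's side with a clipboard canary: write a known address to the clipboard, wait longer than one polling interval, read it back, and alert if it changed. The Python below is an added example, not code from the Microsoft report, the Hacker News write-up, or the malware itself. The wallet address patterns, the sample addresses, and the `SimulatedClipboard` class are constructed for this illustration; pointing `run_canary` at the real clipboard (for example with `pyperclip.paste` and `pyperclip.copy`) is an assumption about how a reader would deploy it.

```python
"""Clipboard canary for crypto-clipper detection (added example, not from the report).

A clipper that polls the clipboard every 500 ms and swaps wallet addresses can be
caught from the outside: put a known address on the clipboard, wait longer than
one polling interval, read it back, and alert if it changed. Address patterns,
sample addresses and the simulated clipboard below are constructed for this demo.
"""
import re
import time
from typing import Callable, Optional

# Public wallet address formats a clipper would typically target (assumption).
WALLET_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "trx": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def classify_wallet(text: str) -> Optional[str]:
    """Return the address family a string belongs to, or None if it is not an address."""
    s = text.strip()
    for family, pattern in WALLET_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


def detect_swap(expected: str, observed: str) -> Optional[dict]:
    """Compare the string written to the clipboard with the string read back.

    A clipper only rewrites strings it recognises as addresses, so the typical
    finding is a change that keeps the address family (BTC in, different BTC out).
    """
    if expected == observed:
        return None
    exp_family, obs_family = classify_wallet(expected), classify_wallet(observed)
    return {
        "expected": expected,
        "observed": observed,
        "expected_family": exp_family,
        "observed_family": obs_family,
        "same_family": exp_family is not None and exp_family == obs_family,
    }


def run_canary(read_clip: Callable[[], str], write_clip: Callable[[str], None],
               canary: str, wait_s: float = 1.0) -> Optional[dict]:
    """Write the canary, wait past the 500 ms polling window, read back, compare.

    read_clip/write_clip are injected so the same check works against the real
    clipboard (e.g. pyperclip.paste / pyperclip.copy) or the simulator below.
    """
    write_clip(canary)
    time.sleep(wait_s)
    return detect_swap(canary, read_clip())


class SimulatedClipboard:
    """Constructed stand-in for a clipboard under a BTC-only clipper, used to exercise
    the canary offline; it never touches the system clipboard."""

    def __init__(self, attacker_btc: str) -> None:
        self.value = ""
        self.attacker_btc = attacker_btc

    def write(self, text: str) -> None:
        self.value = text
        if classify_wallet(text) in ("btc_legacy", "btc_bech32"):
            self.value = self.attacker_btc  # the swap the canary is meant to catch

    def read(self) -> str:
        return self.value


# Constructed sample addresses: they match the regex shapes but are not real,
# checksummed wallets.
CANARY_BTC = "1CanaryAddressForTestingPurposes1"
CANARY_ETH = "0x" + "deadbeef" * 5
ATTACKER_BTC = "1AttackerSwapAddressConstructed123"

if __name__ == "__main__":
    clip = SimulatedClipboard(ATTACKER_BTC)
    for canary in (CANARY_BTC, CANARY_ETH):
        result = run_canary(clip.read, clip.write, canary, wait_s=0.6)
        print("clean" if result is None else f"ALERT: clipboard swap {result}")
```

The `same_family` field is the useful signal: a clipboard string changing from one syntactically valid BTC address to a different one, with no user action in between, is hard to explain by anything other than a clipper. Running the canary periodically from a scheduled job on high-value hosts (crypto treasury workstations, for instance) complements the process-level detections discussed later on the page.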
Evidence from contract and procurement patterns shows this approach mirrors earlier financially motivated USB vectors that avoided IP-based infrastructure. The combination of WScript/ActiveX logic, renamed Tor binaries, and document-masking LNK files creates a low-signature propagation path that static signatures miss. Microsoft’s own telemetry indicates the campaign targets users handling direct crypto transactions rather than broad enterprise networks.
Independent analysis of similar LNK worms reveals that the worm’s scanning of USB media for DOC, XLSX, and PDF files enables rapid lateral movement across air-gapped or infrequently updated systems. Official Microsoft guidance correctly emphasizes behavioral detection over signatures, yet omits the operational risk that scheduled-task persistence survives many USB-remediation playbooks.
Next steps include Group Policy blocks on LNK execution from removable media and monitoring for unexpected wscript.exe invocations tied to clipboard APIs. Widespread adoption of these controls will determine whether the campaign’s USB vector remains viable beyond 2026.
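The monitoring step above (unexpected wscript.exe invocations) and the scheduled-task persistence the article notes can be expressed as a few behavioural rules over process-creation events. The Python below is an added example, not a Microsoft Defender rule and not code from the campaign. The `Key: value | Key: value` record layout, drive `E:` as the removable device, and every path, script name and task name in `SAMPLE_LOG` are constructed for this illustration and are not indicators from the report.

```python
"""Behavioural rules for the USB LNK -> script host -> scheduled task chain.

Added example: not a Microsoft Defender rule and not code from the campaign.
It parses constructed process-creation records (Sysmon Event ID 1-like fields
in a 'Key: value | Key: value' layout, an assumed format) and flags three things
the article describes: a script host running content from removable media,
a script host creating a scheduled task, and a script host launching a binary
stored on removable media. Drive E: is assumed to be the USB device.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed 'Key: value | Key: value' record into a ProcEvent."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return ProcEvent(fields.get("Image", ""), fields.get("CommandLine", ""),
                     fields.get("ParentImage", ""))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def drive_of(path: str) -> str:
    """Upper-case drive letter of a drive-rooted path, or '' if not drive-rooted."""
    m = re.match(r'^"?([A-Za-z]):\\', path.strip())
    return m.group(1).upper() if m else ""


def referenced_paths(cmdline: str) -> List[str]:
    """Every drive-rooted path on a command line, quoted (may contain spaces) or bare."""
    return [quoted or bare for quoted, bare in
            re.findall(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)', cmdline)]


def flag_event(ev: ProcEvent, removable: Set[str]) -> List[str]:
    """Return the list of rule hits for one process-creation event."""
    hits: List[str] = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    # Rule 1: wscript/cscript given a script that lives on removable media.
    if img in SCRIPT_HOSTS:
        for path in referenced_paths(ev.command_line):
            if drive_of(path) in removable:
                hits.append(f"{img} executing {path} from removable drive {drive_of(path)}:")
    # Rule 2: a script host registering persistence via schtasks /create.
    if img == "schtasks.exe" and parent in SCRIPT_HOSTS and "/create" in ev.command_line.lower():
        hits.append(f"schtasks /create spawned by {parent}")
    # Rule 3: a script host launching a binary stored on removable media.
    if parent in SCRIPT_HOSTS and drive_of(ev.image) in removable:
        hits.append(f"{parent} launched {img} from removable drive {drive_of(ev.image)}:")
    return hits


def scan(lines: List[str], removable: Set[str]) -> Dict[int, List[str]]:
    """Map line index -> rule hits for every line that triggered at least one rule."""
    results: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        hits = flag_event(parse_line(line), removable)
        if hits:
            results[i] = hits
    return results


# Constructed sample records; paths, script names and task names are illustrative, not IoCs.
SAMPLE_LOG = [
    'Image: C:\\Windows\\System32\\wscript.exe | CommandLine: wscript.exe //e:jscript "E:\\stage1.js" | ParentImage: C:\\Windows\\explorer.exe',
    'Image: C:\\Windows\\System32\\schtasks.exe | CommandLine: schtasks.exe /create /sc minute /mo 5 /tn "SystemCheck" /tr "wscript.exe C:\\Users\\Public\\stage2.js" | ParentImage: C:\\Windows\\System32\\wscript.exe',
    'Image: E:\\Tools\\update.exe | CommandLine: update.exe | ParentImage: C:\\Windows\\System32\\wscript.exe',
    'Image: C:\\Windows\\System32\\wscript.exe | CommandLine: wscript.exe C:\\Scripts\\logon.vbs | ParentImage: C:\\Windows\\explorer.exe',
    'Image: C:\\Windows\\System32\\schtasks.exe | CommandLine: schtasks.exe /query | ParentImage: C:\\Windows\\System32\\cmd.exe',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG, {"E"}).items():
        print(f"line {idx}: " + "; ".join(hits))
```

Rule 2 is the one that matters for the remediation gap the article raises: a playbook that only cleans the USB device leaves the task created by the script host in place, so the rule should feed both an alert and a response step that enumerates and removes tasks registered by wscript.exe or cscript.exe. In a real deployment the set of removable drive letters would come from the endpoint's volume inventory rather than a hard-coded `{"E"}`, and the benign fourth record (a logon script run from the local disk) shows why the rules key on the script's location and parent rather than on wscript.exe alone.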
Microsoft: Behavioral detections for WScript clipboard monitoring will reach 80 percent coverage on enterprise endpoints by end of Q3 2026.
Sources (3)
- [1] Microsoft Defender Security Research Team: https://www.microsoft.com/en-us/security/blog/2026/06/16/windows-clipper-campaign-lnk-tor/
- [2] The Hacker News: https://thehackernews.com/2026/06/microsoft-details-windows-clipper.html
- [3] Recorded Future Crypto Stealer Report 2025: https://www.recordedfuture.com/crypto-clipper-usb-vectors/