USB-spreading clipboard-stealing malware targeting cryptocurrency wallets
Malware Activity
Summary
A USB-spreading clipboard-stealing malware family is actively stealing seed phrases, private keys, and wallet addresses from Windows victims, putting cryptocurrency funds at direct risk. The malware also captures screenshots and sends stolen data over Tor, making detection and takedown harder. Its use of LNK shortcut files on removable drives gives it a worm-like propagation path across connected systems.
Related Happenings
Windows cryptocurrency clipper campaign targeting users via USB LNK worms
Campaign
H score: 32
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources: 1
How related:
The campaign has been active since at least February and relies on LNK (shortcut) files on USB drives to push clipper malware that monitors clipboard contents and replaces cryptocurrency wallet addresses with ones controlled by the attacker.
About this happening:
A **Windows cryptocurrency clipper campaign** has been actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware Activity
H score: 29
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources: 1
About this happening:
A **Windows-based cryptocurrency clipper** has been active since **February 2026**, using **USB-delivered LNK** worming to steal wallet data and reroute payments. The malware adds...
SHub Reaper macOS infostealer variant
Malware Activity
H score: 23
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources: 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
H score: 29
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources: 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
DeepLoad credential-stealing malware activity with WMI persistence
Malware Activity
H score: 30
First: 31.03.2026 00:25
Last: 31.03.2026 00:25
Sources: 1
About this happening:
The **DeepLoad** malware strain is stealing credentials immediately after infection, exposing **stored browser passwords**, **live keystrokes**, and **active accounts** in **enter...
Timeline
- 18.06.2026 19:20 · 2 articles
USB worm steals cryptocurrency wallet data through shortcut files
Technical Analysis Update: Microsoft says a USB-spreading worm active since at least February uses LNK shortcut files on removable drives to launch clipper malware on Windows systems, replace cryptocurrency wallet addresses with attacker-controlled ones, monitor clipboard contents for 12-word and 24-word BIP39 seed phrases plus private keys, capture screenshots for exfiltration over Tor, and support self-spreading plus remote code execution.
Sources:
- USB worm spreads crypto-stealing malware via Windows shortcut files — www.bleepingcomputer.com — 18.06.2026 19:20
- USB worm spreads crypto-stealing malware via Windows shortcut files — www.bleepingcomputer.com — 18.06.2026 19:20