Executive Summary
In June 2026, a sophisticated USB worm emerged, targeting cryptocurrency wallets by distributing clipboard-stealing malware through Windows shortcut (LNK) files on USB drives. Upon execution, the malware scans the system for document files, hides the originals, and replaces them with malicious shortcuts. It monitors clipboard activity to detect and replace cryptocurrency wallet addresses with those controlled by the attacker, captures screenshots, and exfiltrates data via the Tor network. The worm also propagates by copying itself to newly connected USB devices, facilitating further spread.
This incident underscores the evolving tactics of threat actors leveraging removable media to infiltrate systems, emphasizing the need for heightened vigilance and robust security measures to protect sensitive financial information.
Why This Matters Now
The resurgence of USB-based malware highlights the persistent threat posed by removable media as an infection vector, necessitating immediate attention to endpoint security and user awareness to prevent data breaches and financial losses.
Attack Path Analysis
The attack began with the victim opening a malicious LNK file on a USB drive, leading to the execution of malware that replaced legitimate document files with malicious shortcuts. The malware then established persistence by creating a scheduled task to monitor for newly connected USB devices, enabling it to propagate to other systems. It communicated with its command-and-control server over the Tor network, allowing remote control and data exfiltration. The malware monitored the clipboard for cryptocurrency wallet addresses, replacing them with those controlled by the attacker, and captured screenshots of the victim's screen, exfiltrating them over Tor. The impact included unauthorized access to sensitive information and potential financial loss due to the theft of cryptocurrency assets.
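The chain above (shortcut opened from removable media, a scripting host launched, a scheduled task created for persistence, then outbound traffic to Tor) is what an EDR or SIEM rule has to connect across several events. The following added example is not part of this brief or of any product it mentions: it runs three simple rules over a constructed, Sysmon-style event list (field names follow Sysmon's process-creation and network-connection events; the GUIDs, paths and the "non-system drive letter means removable media" heuristic are assumptions made for the example), tracks the process chain by ProcessGuid, and reports only events that belong to a chain that started with a script launched from a secondary volume.

```python
import re

# Script hosts a shortcut on a USB stick would typically hand control to
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
# Heuristic (assumption for this example): a path on a drive other than C: is treated as removable media
NON_SYSTEM_DRIVE = re.compile(r'(?<![A-Za-z])[D-Zd-z]:\\')
# Ports commonly associated with Tor relays/SOCKS; Tor over 443 is also common, so this only annotates
TOR_PORTS = {9001, 9030, 9050, 9150}

# Constructed events (not real telemetry). GUIDs are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{C-BENIGN}", "ParentProcessGuid": "{EXPLORER}",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"WINWORD.EXE\" \"C:\\Users\\alice\\Documents\\report.docx\""},
    {"EventID": 1, "ProcessGuid": "{A-SCRIPT}", "ParentProcessGuid": "{EXPLORER}",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"C:\\Windows\\System32\\wscript.exe\" \"E:\\invoice.js\""},
    {"EventID": 1, "ProcessGuid": "{B-TASK}", "ParentProcessGuid": "{A-SCRIPT}",
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "schtasks.exe /Create /SC ONLOGON /TN Updater /TR placeholder"},
    {"EventID": 3, "ProcessGuid": "{A-SCRIPT}", "Image": "C:\\Windows\\System32\\wscript.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 9001},
    {"EventID": 3, "ProcessGuid": "{C-BENIGN}", "Image": "WINWORD.EXE",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return findings for process chains that began with a script host launched from removable media."""
    findings = []
    suspicious = set()          # ProcessGuids belonging to a flagged chain
    for ev in events:
        if ev["EventID"] == 1:
            image = basename(ev["Image"])
            parent = basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            # Children of a flagged process inherit the flag, so later rules see the whole chain
            if ev.get("ParentProcessGuid") in suspicious:
                suspicious.add(ev["ProcessGuid"])
            # R1: user double-clicks something in Explorer and a script host starts with a file on another volume
            if parent == "explorer.exe" and image in SCRIPT_HOSTS and NON_SYSTEM_DRIVE.search(cmd):
                suspicious.add(ev["ProcessGuid"])
                findings.append({"rule": "R1-removable-media-script-launch",
                                 "process_guid": ev["ProcessGuid"], "detail": cmd})
            # R2: persistence via schtasks from inside a flagged chain
            if image == "schtasks.exe" and "/create" in cmd.lower() and ev["ProcessGuid"] in suspicious:
                findings.append({"rule": "R2-scheduled-task-persistence",
                                 "process_guid": ev["ProcessGuid"], "detail": cmd})
        elif ev["EventID"] == 3 and ev["ProcessGuid"] in suspicious:
            # R3: any egress from the flagged chain; annotate Tor-typical ports
            port = ev.get("DestinationPort")
            note = "port commonly used by Tor" if port in TOR_PORTS else "outbound connection"
            findings.append({"rule": "R3-suspicious-chain-egress", "process_guid": ev["ProcessGuid"],
                             "detail": f"{ev.get('DestinationIp')}:{port} ({note})"})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["rule"], finding["process_guid"], finding["detail"])
```

The benign Word launch and its HTTPS connection produce nothing, because neither the image nor the parent chain matches R1; the three findings for the constructed chain come out in event order. In production the same logic would consume the Sysmon or EDR event stream rather than an in-memory list, and the drive-letter heuristic should be replaced with the volume's actual bus type where the telemetry provides it.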
Kill Chain Progression
Initial Compromise
Description
The victim opened a malicious LNK file on a USB drive, leading to the execution of malware that replaced legitimate document files with malicious shortcuts.
MITRE ATT&CK® Techniques
Replication Through Removable Media
Shortcut Modification
LNK Icon Smuggling
Clipboard Data
Screen Capture
Multi-hop Proxy: Tor
Command and Scripting Interpreter: JavaScript
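The shortcut files that replace the victim's documents are ordinary Shell Link (.lnk) files, so the first triage step on a suspect USB drive is to read what each shortcut actually launches rather than what its icon suggests. The following is an added example, not code from this brief or from any product it mentions: a minimal parser for the Shell Link header and StringData fields (enough to recover the target path, arguments, icon and window state), a triage rule that flags shortcuts pointing at script or command interpreters, shortcuts that hide their window, and shortcuts that combine an interpreter launch with a custom icon (the "LNK Icon Smuggling" pattern listed above), and a builder that produces constructed sample shortcuts so the code runs offline. The interpreter list and the sample paths are assumptions made for the example.

```python
import glob
import os
import struct

LNK_MAGIC = b"\x4c\x00\x00\x00"                                   # HeaderSize = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")     # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits understood by this parser
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData blocks appear in this fixed order when their flag is set
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location")]
SW_SHOWMINNOACTIVE = 7        # ShowCommand value that keeps the launched window out of the user's sight
# Assumption for this example: interpreters a document shortcut has no business launching
INTERPRETERS = ("wscript", "cscript", "mshta", "powershell", "cmd.exe", "rundll32", "regsvr32")


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand and the StringData fields of a Shell Link file."""
    if data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    (show_command,) = struct.unpack_from("<I", data, 60)
    pos = 76                                                       # end of the fixed-size header
    if flags & HAS_LINK_TARGET_ID_LIST:                            # skip the ItemIDList
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                                      # skip LinkInfo (size field includes itself)
        (size,) = struct.unpack_from("<I", data, pos)
        pos += size
    fields = {"show_command": show_command}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            fields[key] = ""
            continue
        (count,) = struct.unpack_from("<H", data, pos)             # CountCharacters, not a byte length
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def triage_lnk(data: bytes) -> list:
    """Return reasons a shortcut deserves a closer look; an empty list means nothing odd was seen."""
    f = parse_lnk(data)
    launch = (f["relative_path"] + " " + f["arguments"]).strip().lower()
    launches_interpreter = any(name in launch for name in INTERPRETERS)
    reasons = []
    if launches_interpreter:
        reasons.append("target launches a script or command interpreter: " + launch)
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand hides the window (SW_SHOWMINNOACTIVE)")
    if launches_interpreter and f["icon_location"]:
        reasons.append("custom icon on an interpreter launch (icon-smuggling pattern): " + f["icon_location"])
    return reasons


def build_lnk(relative_path: str, arguments: str = "", icon_location: str = "", show_command: int = 1) -> bytes:
    """Build a minimal Unicode .lnk for constructed test data (no ItemIDList or LinkInfo sections)."""
    values = {"relative_path": relative_path, "arguments": arguments, "icon_location": icon_location}
    flags = IS_UNICODE
    for bit, key in STRING_FIELDS:
        if values.get(key):
            flags |= bit
    header = bytearray(76)
    header[0:4], header[4:20] = LNK_MAGIC, LNK_CLSID
    struct.pack_into("<I", header, 20, flags)
    struct.pack_into("<I", header, 60, show_command)
    body = bytearray()
    for bit, key in STRING_FIELDS:
        if flags & bit:
            body += struct.pack("<H", len(values[key])) + values[key].encode("utf-16-le")
    return bytes(header + body)


def scan_directory(root: str) -> dict:
    """Map each .lnk under root (e.g. a mounted USB volume) to its triage reasons; clean shortcuts are omitted."""
    results = {}
    for path in glob.glob(os.path.join(root, "**", "*.lnk"), recursive=True):
        with open(path, "rb") as fh:
            try:
                reasons = triage_lnk(fh.read())
            except ValueError:
                continue                                           # not a Shell Link despite the extension
        if reasons:
            results[path] = reasons
    return results


if __name__ == "__main__":
    sample = build_lnk("..\\..\\Windows\\System32\\wscript.exe", "sample.js",
                       icon_location="%SystemRoot%\\System32\\imageres.dll", show_command=7)
    for reason in triage_lnk(sample):
        print("-", reason)
```

The parser deliberately skips the ItemIDList and LinkInfo sections instead of interpreting them, which is enough for triage because the StringData fields carry the relative path and arguments a malicious shortcut relies on; a full investigation should still extract the absolute target from the ItemIDList with a complete Shell Link parser.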
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malware Protection
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Device Security
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Critical exposure to USB-propagated crypto-stealing malware targeting wallet addresses, seed phrases, and private keys through clipboard monitoring and screenshot capture via Tor networks.
Investment Banking/Venture
High risk from infostealer malware targeting cryptocurrency assets through USB worm propagation, clipboard hijacking, and encrypted C2 communications bypassing traditional network security controls.
Information Technology/IT
Significant vulnerability to USB-based worm propagation using LNK files, requiring enhanced egress filtering and east-west traffic monitoring to prevent lateral movement and data exfiltration.
Computer/Network Security
Direct impact from advanced persistent threats using Tor networks and behavioral evasion techniques, challenging traditional signature-based detection and requiring zero trust segmentation implementations.
Sources
- USB worm spreads crypto-stealing malware via Windows shortcut files: https://www.bleepingcomputer.com/news/security/usb-worm-spreads-crypto-stealing-malware-via-windows-shortcut-files/
- Raspberry Robin worm part of larger ecosystem facilitating pre-ransomware activity: https://www.microsoft.com/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
- Worm:Win32/Dorkbot!lnk threat description: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm%3AWin32%2FDorkbot!lnk
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the malware's ability to propagate and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The malware's ability to execute and replace legitimate files would likely be constrained, reducing the initial foothold within the environment.
Control: Zero Trust Segmentation
Mitigation: The malware's ability to establish persistence and monitor for USB devices would likely be limited, reducing its capacity to propagate.
Control: East-West Traffic Security
Mitigation: The malware's ability to move laterally to other systems would likely be constrained, reducing the spread of infection.
Control: Multicloud Visibility & Control
Mitigation: The malware's ability to establish command-and-control channels over the Tor network would likely be limited, reducing remote control capabilities.
Control: Egress Security & Policy Enforcement
Mitigation: The malware's ability to exfiltrate data over Tor would likely be constrained, reducing the risk of data loss.
The potential financial loss and unauthorized access to sensitive information would likely be reduced, limiting the overall impact of the attack.
Impact at a Glance
Affected Business Functions
- Cryptocurrency Transactions
- Financial Data Management
- User Account Security
Estimated downtime: 3 days
Estimated loss: $50,000
Exposure of cryptocurrency wallet addresses, seed phrases, and private keys.
Recommended Actions
Key Takeaways & Next Steps
- Implement strict policies to disable autorun features for removable media to prevent automatic execution of malicious files.
- Deploy endpoint detection and response solutions to monitor for and block execution of suspicious processes associated with removable media.
- Educate users on the risks of using unknown USB devices and the importance of not opening unknown files.
- Utilize network monitoring tools to detect and block unauthorized communications over anonymizing networks like Tor.
- Regularly update and patch systems to mitigate vulnerabilities exploited by malware.