USB-Delivered Worm Steals Cryptocurrency via Windows Shortcuts

Photo: BleepingComputer
Quick answer
Cybercriminals are distributing a self-replicating USB worm that steals cryptocurrency wallet data by hijacking clipboard contents through Windows shortcut files.
Cybercriminals have intensified attacks on cryptocurrency users by distributing malware via USB drives. The new worm exploits Windows shortcut files (.lnk) for execution and can autonomously replicate across connected devices, making it particularly dangerous for corporate networks.
The malware targets cryptocurrency wallet data by monitoring clipboard activity and replacing wallet addresses with those controlled by attackers, enabling transaction redirection. Attackers use the Tor network to mask traffic, complicating detection.
Cybersecurity experts note that such attacks often originate from phishing emails or infected USB devices. To mitigate risks, they recommend disabling autorun for removable media, deploying antivirus solutions with anti-phishing capabilities, and regularly updating operating systems and applications.
Special attention should be given to inspecting shortcut files on removable media. Suspicious .lnk files may contain malicious code. Avoid connecting unknown USB drives to work devices, especially in office environments.
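The shortcut inspection recommended above can be scripted. This is an added example, not code from the article or the researchers it cites: a Python parser for the .lnk header and StringData fields (per the MS-SHLLINK layout) that reports shortcuts pointing at script interpreters. The interpreter list, the minimized-window check and the sample shortcut bytes are assumptions constructed for illustration, not indicators of this worm, and the ID list and LinkInfo blocks are skipped rather than decoded.

```python
import struct

# LinkFlags bits from the ShellLinkHeader.
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in on-disk order, each with the flag that marks it present.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# Assumed heuristic list: interpreters that a document or folder shortcut
# on removable media has no reason to launch.
INTERPRETERS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32")

def parse_lnk(data: bytes) -> dict:
    """Extract the show command and StringData fields from raw .lnk bytes."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 20)
    info = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = 76
    if flags & HAS_IDLIST:      # 2-byte size, then the ID list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # 4-byte size that includes the size field
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for bit, field in STRING_FIELDS:
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)  # characters, not bytes
            end = pos + 2 + count * width
            info[field] = data[pos + 2:end].decode(codec, "replace")
            pos = end
    return info

def lnk_findings(info: dict) -> list:
    """Return the reasons a parsed shortcut deserves manual review."""
    findings = []
    text = " ".join(info.get(f, "") for f in ("relative_path", "arguments")).lower()
    hits = [name for name in INTERPRETERS if name in text]
    if hits:
        findings.append("launches interpreter: " + ", ".join(hits))
    if info["show_command"] == 7:   # SW_SHOWMINNOACTIVE
        findings.append("window starts minimized")
    return findings

def build_sample_lnk(rel_path: str, args: str, show: int = 1) -> bytes:
    """Constructed test input: 76-byte header plus two Unicode strings."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x08 | 0x20 | IS_UNICODE)
    header += bytes(36) + struct.pack("<I", show) + bytes(12)
    return header + b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                             for s in (rel_path, args))
```

To scan a drive, read each `*.lnk` file in binary mode and pass the bytes to `parse_lnk`; an empty result from `lnk_findings` means only that these heuristics did not match.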
Common questions
- How does this malware spread?
  The worm spreads via USB drives using Windows shortcut files (.lnk). When an infected device is connected, the malware automatically copies itself to new media and executes through autorun vulnerabilities.
- What data does the malware target?
  The primary target is cryptocurrency wallets. The malware monitors clipboard activity and replaces wallet addresses with those controlled by attackers, redirecting transactions.
- How can I protect against such attacks?
  Disable autorun for removable media, use antivirus software with anti-phishing protection, and keep your OS and applications updated. Always inspect suspicious shortcut files and avoid connecting unknown USB devices.