The threat landscape has gained a specimen that merges old techniques with modern anonymity tools. Microsoft Threat Intelligence has uncovered a worm that propagates through USB drives and steals cryptocurrency without ever touching the file system in an obvious way. An infected pendrive and a moment of carelessness are enough for the silent agent to start watching the Windows clipboard.

How the worm operates

The malware installs itself via AutoRun or social engineering tied to removable media. Once active, it continuously scans the clipboard for patterns matching Bitcoin, Ethereum, and other wallet addresses. It goes further: it is designed to recognize seed phrases – the word sequences that can reconstruct an entire wallet. When valid data is found, the worm either silently replaces it with an attacker‑controlled address or exfiltrates it. The real twist lies in the exfiltration path: all stolen traffic is routed through a portable Tor client bundled with the worm, making it far harder for network monitoring tools to trace the final destination.
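The detection side of the behaviour just described, as an added example that is not part of the original article and not Microsoft's analysis code: a small Python routine that consumes a log of clipboard changes (the kind a system-level clipboard hook or EDR sensor would produce; the event shape, the process names and every address below are constructed for the demo) and flags the two things a clipper leaves behind: a wallet address overwritten by a different address of the same type within seconds, and a seed phrase passing through the clipboard at all. The address patterns are coarse heuristics, not validators.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Coarse wallet-address patterns (constructed heuristics for this example,
# not full validators: no base58/bech32 checksum, no EIP-55 check).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
# BIP-39 mnemonics are 12, 15, 18, 21 or 24 lowercase words.
SEED_WORD_COUNTS = {12, 15, 18, 21, 24}


@dataclass
class ClipEvent:
    ts: datetime   # when the clipboard content changed
    text: str      # the new clipboard text
    writer: str    # process that set the clipboard, as the logging hook reports it


def classify(text: str) -> Optional[str]:
    """Return 'btc', 'eth', 'seed', or None for a piece of clipboard text."""
    t = text.strip()
    for kind, pat in ADDRESS_PATTERNS.items():
        if pat.match(t):
            return kind
    words = t.split()
    if len(words) in SEED_WORD_COUNTS and all(w.isalpha() and w.islower() for w in words):
        return "seed"
    return None


def detect_clipper(events: List[ClipEvent], window: timedelta = timedelta(seconds=5)) -> List[dict]:
    """Flag (a) an address replaced by a *different* address of the same kind
    within `window`, the signature of a clipboard hijacker, and (b) any seed
    phrase that appears in the clipboard, which is an exposure regardless of
    who wrote it."""
    alerts = []
    last_addr = None  # (event, kind) of the most recent address seen
    for ev in sorted(events, key=lambda e: e.ts):
        kind = classify(ev.text)
        if kind == "seed":
            alerts.append({"ts": ev.ts, "reason": "seed-phrase-in-clipboard", "writer": ev.writer})
            continue
        if kind is None:
            continue
        if (last_addr is not None and last_addr[1] == kind
                and last_addr[0].text.strip() != ev.text.strip()
                and ev.ts - last_addr[0].ts <= window):
            alerts.append({
                "ts": ev.ts,
                "reason": f"{kind}-address-swapped",
                "writer": ev.writer,            # the process to investigate
                "original": last_addr[0].text.strip(),
                "replacement": ev.text.strip(),
            })
        last_addr = (ev, kind)
    return alerts


# Constructed clipboard log: the user copies a BTC address, an unknown process
# overwrites it one second later, then an ETH address and a mnemonic follow.
_T0 = datetime(2026, 3, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    ClipEvent(_T0, "1DemoAddrConstructedForThisTestAAAA", "explorer.exe"),
    ClipEvent(_T0 + timedelta(seconds=1), "1SwappedAddrConstructedForDemoBBBBB", "unsigned_tmp.exe"),
    ClipEvent(_T0 + timedelta(seconds=30), "0x" + "ab" * 20, "explorer.exe"),
    ClipEvent(_T0 + timedelta(seconds=60),
              "abandon ability able about above absent absorb abstract absurd abuse access accident",
              "notepad.exe"),
    ClipEvent(_T0 + timedelta(seconds=300), "1DemoAddrConstructedForThisTestAAAA", "explorer.exe"),
]

if __name__ == "__main__":
    for a in detect_clipper(SAMPLE_EVENTS):
        print(a)
```

The swap rule deliberately compares the new address with the previous one rather than matching a list of known bad addresses: the attacker's destination changes, the overwrite-within-seconds timing does not. Tuning the window and correlating the `writer` field with the foreground application removes the main false positive (a user pasting two addresses in quick succession).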

Why Tor changes the game

Instead of connecting to a traditional C2 server, the malware builds Tor circuits directly from the compromised machine. This approach bypasses many perimeter filters because the traffic looks like ordinary browsing to Tor nodes, which are often not blocked in enterprise networks. For those managing on‑premise infrastructure, the message is clear: the classic network perimeter is not enough. A Tor client living inside a malicious executable renders DNS blacklists useless and complicates forensic analysis.
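Because the destination is never named in DNS, the workable network signal is the relay list itself paired with process context. Below is an added example (not from the article or from Microsoft) that matches outbound-connection telemetry against a set of Tor relay addresses and flags any process that is not a sanctioned Tor client. The log rows, the relay addresses (TEST-NET ranges) and the allow-listed browser path are all constructed assumptions; in practice the relay set would be refreshed from the public Tor directory consensus.

```python
import csv
import io
from typing import List, Set

# Constructed relay set. A real deployment refreshes this from the public Tor
# directory consensus; TEST-NET addresses are used here so nothing real is named.
TOR_RELAYS_CONSTRUCTED = {"192.0.2.44", "198.51.100.7"}

# Processes allowed to talk to Tor relays on this host (assumed: one sanctioned
# Tor Browser install; on servers and compute nodes this set is normally empty).
ALLOWED_TOR_CLIENTS = {r"c:\program files\tor browser\browser\firefox.exe"}

# Constructed outbound-connection log (timestamp, process image, destination
# IP, destination port), the shape flattened Sysmon or EDR network events take.
SAMPLE_LOG = """\
ts,image,dst_ip,dst_port
2026-03-01T10:00:01Z,C:\\Program Files\\Mozilla Firefox\\firefox.exe,203.0.113.10,443
2026-03-01T10:00:05Z,E:\\photos\\viewer.exe,192.0.2.44,9001
2026-03-01T10:00:06Z,E:\\photos\\viewer.exe,198.51.100.7,443
2026-03-01T10:00:09Z,C:\\Windows\\System32\\svchost.exe,203.0.113.20,80
2026-03-01T10:00:12Z,C:\\Program Files\\Tor Browser\\Browser\\firefox.exe,192.0.2.44,443
"""


def flag_tor_egress(log_text: str, relays: Set[str], allowed: Set[str] = ALLOWED_TOR_CLIENTS) -> List[dict]:
    """Return one finding per connection to a Tor relay made by a process that
    is not on the allow list, with the signals that contributed."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dst_ip"] not in relays:
            continue
        image = row["image"].lower()
        if image in allowed:
            continue
        signals = ["dest-is-tor-relay"]
        # 9001 is Tor's default ORPort; many relays also listen on 443, so the
        # port is only a secondary signal and its absence means nothing.
        if row["dst_port"] == "9001":
            signals.append("tor-orport")
        # Heuristic: a binary running from a non-system drive letter, e.g. a
        # removable volume, is worth a closer look in a USB-worm scenario.
        if not image.startswith("c:\\"):
            signals.append("non-system-drive-image")
        findings.append({
            "ts": row["ts"],
            "image": row["image"],
            "dst": f"{row['dst_ip']}:{row['dst_port']}",
            "signals": signals,
        })
    return findings


if __name__ == "__main__":
    for f in flag_tor_egress(SAMPLE_LOG, TOR_RELAYS_CONSTRUCTED):
        print(f)
```

The check is intentionally process-aware: a relay-IP block at the firewall alone would also stop a sanctioned Tor Browser and would say nothing about which executable on which drive opened the circuit, which is the information an incident responder needs first.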

The on‑premise angle and the removable‑media blind spot

The episode hits a raw nerve for organizations that run self‑hosted servers, air‑gapped labs, or dedicated workstations for LLM inference on local hardware. In such settings, USB drives are frequently the only way to transfer models, datasets, or updates, creating a physical channel that endpoint protection systems struggle to inspect in real time. Should a worm of this kind reach a compute node, it could not only steal credentials but also siphon off sensitive data, undermining the very data sovereignty sought through local deployment. This is not speculation: recent supply‑chain incident reports show that removable media are back in use as an attack vector, driven by hybrid work and distributed resource management.

What it means for those designing self‑hosted architectures

The arrival of this variant does not force anyone to abandon physical media, but it does demand a rethink of security policies. Disabling AutoRun, adopting device control software, and logging clipboard events at the system level are the minimum countermeasures. From a defense‑in‑depth perspective, anyone managing training or inference clusters should consider isolating machines that handle wallets or seed phrases, keeping them strictly separate from general‑purpose compute nodes. The lesson echoes what has already emerged in industrial settings: physical and logical security must never be decoupled.

Microsoft’s analysis confirms the campaign has been active at least since February 2026 – enough time for the code to evolve. That the attackers invested in integrating Tor signals a deliberate pursuit of persistence and stealth, a hallmark of groups with a well‑defined economic model. For those who design and protect on‑premise infrastructure, the takeaway is not to assume that localizing data alone guarantees confidentiality: the attack surface always widens where you least expect it.