The wallet-stealing component polls the Windows clipboard, the hidden temporary buffer used for copy-and-paste operations, approximately every 500 milliseconds. When a user copies a seed phrase from a crypto wallet or a private key for a Bitcoin or Ethereum wallet, the malware captures that data and sends it to the attacker's server via the Tor network, an open-source overlay network that provides anonymous communication. It also takes five screenshots, ten seconds apart, and sends those as well.
The risk doesn’t stop there.
If a user copies a recipient's address to send funds, the worm silently replaces it with an address controlled by the attacker before the user pastes it, so the transfer is diverted to the attacker without any visible sign that the address changed.
Finally, the worm spreads when a clean USB drive is plugged into the computer. It scans the drive for ordinary files such as Word documents, Excel sheets and PDFs, replaces them with shortcut (.lnk) files bearing the same names, and so infects the drive. When that drive is plugged into another machine, the cycle continues.
Microsoft recommends disabling autorun for removable media, blocking .lnk files from running on USB drives via Group Policy, and restricting script hosts such as wscript.exe and cscript.exe. Microsoft Defender customers can also run hunting queries to check for related activity, including connections to a local Tor proxy on port 9050.
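As an added illustration of the two hunts suggested above (not code from the article or from Microsoft), the script below runs over constructed, simplified key=value event lines and flags processes connecting to a loopback Tor SOCKS proxy on port 9050, and script hosts launched with a script stored on a removable drive. The log format, the sample lines, the `removable_drives` set and the `allowlist` parameter are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath
from typing import NamedTuple

TOR_SOCKS_PORT = 9050                          # default Tor SOCKS listener port
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # script hosts the article says to restrict
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed, simplified key=value event lines (not a real Sysmon or Defender schema).
SAMPLE_LOG = """\
type=netconn image=C:\\Windows\\System32\\svchost.exe dst=10.0.0.5 dport=443
type=netconn image=C:\\Users\\bob\\AppData\\Roaming\\update.exe dst=127.0.0.1 dport=9050
type=process image=C:\\Windows\\System32\\wscript.exe cmdline="wscript.exe E:\\docs\\report.vbs"
type=process image=C:\\Windows\\System32\\wscript.exe cmdline="wscript.exe C:\\Scripts\\logon.vbs"
"""

class Finding(NamedTuple):
    rule: str
    image: str
    detail: str

def parse_event(line: str) -> dict:
    """Split a key=value line; values may be double-quoted so they can contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def hunt(log: str, removable_drives: set, allowlist: frozenset = frozenset()) -> list:
    """Return findings for local-Tor-proxy connections and script hosts run off removable media.
    removable_drives: drive letters currently backed by USB media (constructed input here).
    allowlist: process basenames that are expected to talk to a local Tor proxy (assumption)."""
    findings = []
    for line in log.splitlines():
        ev = parse_event(line)
        image = PureWindowsPath(ev.get("image", "")).name.lower()
        if ev.get("type") == "netconn":
            if (ev.get("dst") in LOOPBACK and ev.get("dport") == str(TOR_SOCKS_PORT)
                    and image not in allowlist):
                findings.append(Finding("local_tor_proxy", image, f"{ev['dst']}:{ev['dport']}"))
        elif ev.get("type") == "process" and image in SCRIPT_HOSTS:
            # the first argument after the host binary is the script path; check its drive letter
            args = ev.get("cmdline", "").split(maxsplit=1)
            script = args[1] if len(args) > 1 else ""
            drive = PureWindowsPath(script).drive.rstrip(":").upper()
            if drive in removable_drives:
                findings.append(Finding("script_host_from_removable", image, script))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG, removable_drives={"E"}):
        print(finding)
```

In a real deployment the removable-drive set would come from the endpoint's device inventory rather than a hard-coded letter, and benign Tor clients on the host belong in the allowlist.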

