USB LNK Worm Turns Clipboard Theft Into a Tor-Backed Windows Backdoor

Lily Anne

Jun 19, 2026

5 min read

TL;DR

A new Windows clipper malware campaign shows how quickly removable media threats can move from simple file-based infection to full endpoint compromise. The USB LNK worm spreads through malicious shortcut files on USB drives, hides legitimate documents, creates lookalike .lnk files, and deploys a cryptocurrency clipper that monitors the clipboard for seed phrases, private keys, and wallet addresses. The malware also uses Tor-based command-and-control, screenshot exfiltration, scheduled-task persistence, and runtime code execution, making it a serious removable media security concern for organizations.

The USB LNK worm campaign highlights a familiar but still dangerous attack path: removable media. Instead of relying on phishing emails or malicious installers, the malware abuses Windows shortcut files placed on USB storage devices. When a user opens what appears to be a normal document, the shortcut executes malware in the background.

This campaign is especially concerning because it does more than steal cryptocurrency wallet addresses. The Windows clipper malware monitors clipboard activity, replaces copied wallet values with attacker-controlled addresses, captures screenshots, communicates through Tor, and accepts commands from its command-and-control server.

That combination turns clipboard hijacking into a broader backdoor risk. For enterprises, the lesson is clear: unmanaged USB access can expose endpoints to stealthy malware that blends financial theft, persistence, and remote control.

How the USB LNK Worm Infection Works

The attack begins with malicious Windows shortcut files distributed on USB storage devices. The .lnk files carry the names and icons of familiar document types, such as Word files, Excel spreadsheets, or PDFs. In reality, the shortcut's target and command-line arguments launch the worm payload rather than a document.

Once executed, the malware checks whether the device is already infected. If not, it retrieves and deploys additional payloads. It also scans the USB drive for common document files, hides the original files, and creates new shortcut files with the same names.

This tactic increases the chance of reinfection and propagation. A user may think they are opening a legitimate document from the USB drive, but they are actually launching the worm again. If that same USB drive moves to another machine, the infection chain can continue.

The worm also creates scheduled tasks to maintain persistence. This means the malware can continue running after restart and can keep watching for new USB drives to infect.
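The two traits described above, a shortcut whose arguments launch a script host while its icon claims to be a document, and a visible .lnk sitting next to a hidden document of the same name, are both checkable offline. The following is an added example, not code from this article, from Hexnode, or from the malware: it parses the documented ShellLinkHeader and StringData layout of a .lnk file directly (so it runs on an analyst workstation without the Windows shell) and applies those two checks. The sample shortcut bytes, the directory listing, and the list of script hosts it treats as suspicious are constructed assumptions for the demonstration, not indicators from this campaign.

```python
"""Triage .lnk files on a removable drive for the hide-and-replace pattern.

Added example (not code from the article, Hexnode, or the malware). It parses
the MS-SHLLINK ShellLinkHeader and StringData layout directly, so it runs on
any OS. The sample shortcut bytes, the directory listing, and the script-host
list are constructed assumptions for the demonstration.
"""
import os
import re
import stat
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]
DOC_EXT_RE = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|txt)$", re.I)
# Script hosts a "document" shortcut has no business launching (assumed list).
LOLBIN_RE = re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)(\.exe)?\b", re.I)
DOC_APP_RE = re.compile(r"(winword|excel|powerpnt|acrord32)\.exe$", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields, skipping the IDList and LinkInfo sections."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = 0x4C
    if flags & HAS_IDLIST:      # uint16 IDListSize, which excludes itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # uint32 LinkInfoSize, which includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in STRING_FIELDS:   # fixed order per the specification
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += count * width
    return fields


def triage_lnk(filename: str, data: bytes) -> list:
    """Reasons this shortcut looks like a lookalike dropper; empty means no hit."""
    f = parse_lnk(data)
    reasons = []
    stem = filename[:-4] if filename.lower().endswith(".lnk") else filename
    if DOC_EXT_RE.search(stem):
        reasons.append("document-style name carries a .lnk extension")
    launch = (f.get("relative_path", "") + " " + f.get("arguments", "")).strip()
    if LOLBIN_RE.search(launch):
        reasons.append("launches a script host: " + launch)
    if DOC_APP_RE.search(f.get("icon_location", "")) and not DOC_APP_RE.search(launch):
        reasons.append("icon borrowed from a document application it does not open")
    return reasons


def find_lookalike_shortcuts(entries) -> list:
    """entries: (name, is_hidden) pairs. Return visible .lnk names whose stem is
    the full name of a hidden document, i.e. the worm's hide-and-replace mark."""
    hidden_docs = {n.lower() for n, hidden in entries if hidden and DOC_EXT_RE.search(n)}
    return sorted(n for n, hidden in entries
                  if not hidden and n.lower().endswith(".lnk")
                  and n.lower()[:-4] in hidden_docs)


def list_drive(root: str) -> list:
    """Build (name, is_hidden) pairs from a real drive root. The hidden attribute
    exists only on Windows; elsewhere every entry reads as visible."""
    with os.scandir(root) as it:
        return [(e.name, bool(getattr(e.stat(), "st_file_attributes", 0)
                              & stat.FILE_ATTRIBUTE_HIDDEN)) for e in it]


def make_lnk(relative_path=None, arguments=None, icon_location=None) -> bytes:
    """Build a minimal unicode .lnk (constructed test data, not a real sample)."""
    parts, flags = [], IS_UNICODE | HAS_IDLIST
    for flag, value in ((HAS_RELPATH, relative_path), (HAS_ARGS, arguments),
                        (HAS_ICON, icon_location)):
        if value is not None:
            flags |= flag
            parts.append(struct.pack("<H", len(value)) + value.encode("utf-16-le"))
    # ShowCommand 7 = SW_SHOWMINNOACTIVE, the usual choice for keeping a console hidden.
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0,
                         0, 0, 0, 0, 0, 7, 0, 0, 0, 0)
    idlist = struct.pack("<H", 2) + b"\x00\x00"   # empty IDList: only the terminator
    return header + idlist + b"".join(parts)


# Constructed samples: one disguised dropper shortcut and one benign shortcut.
DROPPER_LNK = make_lnk(
    relative_path=r"..\..\..\Windows\System32\cmd.exe",
    arguments=r'/c start "" Invoice_Q2.docx & start /min powershell -w hidden -f x.ps1',
    icon_location=r"%ProgramFiles%\Microsoft Office\root\Office16\WINWORD.EXE")
BENIGN_LNK = make_lnk(relative_path=r".\Notes.txt")
DRIVE_LISTING = [("Invoice_Q2.docx", True), ("Invoice_Q2.docx.lnk", False),
                 ("Budget.xlsx", True), ("Budget.xlsx.lnk", False),
                 ("readme.txt", False), ("autorun.inf", True)]

if __name__ == "__main__":
    print(triage_lnk("Invoice_Q2.docx.lnk", DROPPER_LNK))
    print(triage_lnk("Notes.lnk", BENIGN_LNK))
    print(find_lookalike_shortcuts(DRIVE_LISTING))
```

On a Windows host, `list_drive("E:\\")` produces the same (name, is_hidden) pairs for a mounted drive, and `triage_lnk(name, open(path, "rb").read())` runs the shortcut checks against each flagged file. The parser reads only the StringData strings; a shortcut that stores its target solely in the IDList will show no `relative_path`, so the script-host rule is a complement to, not a substitute for, resolving the target on Windows.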

Clipboard Hijacking Is the Core Financial Threat

The clipper component focuses on cryptocurrency theft. Clipper malware monitors clipboard content because users frequently copy and paste wallet addresses, private keys, or seed phrases during crypto transactions.

In this campaign, the malware checks clipboard data at high frequency. When it detects wallet-related patterns, it can extract seed phrases or private keys and send them to the attacker. It can also replace copied cryptocurrency wallet addresses with attacker-controlled alternatives.

This is what makes clipboard hijacking so dangerous. The user copies the correct destination address, but the malware silently swaps it before the paste. If the user does not verify the full address, funds go directly to the attacker. Glancing at the first and last few characters is not enough, because an attacker can prepare addresses that share those characters with the victim's intended destination.

The malware reportedly targets multiple wallet formats, including Bitcoin, Ethereum, Tron, and Monero-related values. It also captures screenshots to give attackers more context about the victim’s wallet, balance, or transaction workflow.
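The following is an added example, not code from this article, from Hexnode, or from the malware. It shows the two sides of the clipboard problem described above: the kind of pattern matching a clipper uses to recognise wallet values for the chains the article names, and the paste-time verification that a partial visual check misses. The regexes are deliberately loose approximations of the public address formats, the seed-phrase rule is a shape heuristic rather than a BIP39 wordlist check, and every clipboard value in it is constructed.

```python
"""Recognise the clipboard values a clipper hunts for, and catch a swapped address.

Added example; not code from the article, Hexnode, or the malware. The regexes
approximate the public address formats of the chains the article names (loose on
purpose: a clipper only needs a likely match). The seed-phrase rule is a length-
and-shape heuristic, not a BIP39 wordlist check, so treat it as an assumption.
All sample clipboard values below are constructed.
"""
import re

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"     # no 0, O, I, l
BECH32 = r"[ac-hj-np-z02-9]"          # no 1, b, i, o
PATTERNS = {
    "btc":     re.compile(rf"bc1{BECH32}{{25,87}}|[13]{BASE58}{{25,34}}"),
    "eth":     re.compile(r"0x[0-9a-fA-F]{40}"),
    "trx":     re.compile(rf"T{BASE58}{{33}}"),
    "xmr":     re.compile(rf"[48]{BASE58}{{94,105}}"),
    "btc-wif": re.compile(rf"5{BASE58}{{50}}|[KL]{BASE58}{{51}}"),   # private key
    "seed":    re.compile(r"(?:[a-z]{3,8} ){11}[a-z]{3,8}|(?:[a-z]{3,8} ){23}[a-z]{3,8}"),
}


def classify(text: str):
    """Return the kind of wallet secret the text looks like, or None."""
    t = " ".join(text.split())            # collapse newlines and double spaces
    for kind, rx in PATTERNS.items():
        if rx.fullmatch(t):
            return kind
    return None


def audit_clipboard(values):
    """What a defensive monitor should log: the kind of secret seen and its last
    four characters, never the full value (logging a seed phrase re-creates the
    exposure the monitor exists to catch)."""
    hits = []
    for v in values:
        kind = classify(v)
        if kind:
            hits.append((kind, "..." + v.strip()[-4:]))
    return hits


def ends_match(a: str, b: str, n: int = 4) -> bool:
    """The check most people actually perform: first and last n characters."""
    return a[:n] == b[:n] and a[-n:] == b[-n:]


def paste_check(copied: str, pasted: str) -> str:
    """Compare what was copied with what arrived at the paste target.
    'swapped' is the clipper signature: same address shape, different value."""
    if copied == pasted:
        return "ok"
    kind = classify(copied)
    if kind and kind == classify(pasted):
        return "swapped"
    return "changed"


# Constructed samples. The attacker address shares the first and last four
# characters with the real one, which is exactly how a partial visual check fails.
REAL_ETH = "0x7a3b" + "1" * 32 + "9c4d"
ATTACKER_ETH = "0x7a3b" + "2" * 32 + "9c4d"
SAMPLE_CLIPBOARD = [
    "meeting notes for Monday",
    "https://example.invalid/report.pdf",
    REAL_ETH,
    "bc1q" + "x" * 38,                                  # bech32-shaped bitcoin address
    "T" + "A" * 33,                                     # tron-shaped address
    "4" + "A" * 94,                                     # monero-shaped address
    "abandon ability able about above absent absorb abstract absurd abuse access accident",
]

if __name__ == "__main__":
    print(audit_clipboard(SAMPLE_CLIPBOARD))
    print(ends_match(REAL_ETH, ATTACKER_ETH), paste_check(REAL_ETH, ATTACKER_ETH))
```

`ends_match` returns True for the constructed pair while `paste_check` reports a swap: the full comparison is the only one that catches the substitution. `audit_clipboard` is the detection-side counterpart, and deliberately records only the kind of value and a four-character tail so that the monitor does not itself become a second copy of the secret.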

How Hexnode Helps Strengthen Removable Media Security

Hexnode UEM helps organizations manage Windows endpoints and reduce the risks associated with unmanaged removable media.

With Hexnode UEM Media Management for Windows, administrators can control how managed Windows 10 and Windows 11 devices (Pro, Enterprise, and Education editions) interact with removable disks. They can:

  • Block removable disks completely
  • Configure removable disks as read-only
  • Control read access for removable disks
  • Control write access for removable disks
  • Control execute access for removable disks

For threats like a USB LNK worm, execute restrictions are the most useful of these controls, but they need to be read precisely. Denying execute access on removable disks stops executables and scripts stored on the drive from running. The shortcut itself only needs read access to be opened, and its target is commonly a system binary such as cmd.exe or powershell.exe on the local disk, so the first stage can still launch; what the control denies is any payload the shortcut then tries to run from the USB drive. Execute restrictions therefore belong alongside application control and script-host restrictions rather than in place of them, and blocking or read-only policies remain the stronger options where the business can tolerate them.

Hexnode UEM also supports Microsoft Defender configuration for Windows devices. Through policy, administrators can:

  • Configure Microsoft Defender settings
  • Use Microsoft Defender Application Guard settings to control clipboard behavior within isolated browser sessions. However, Microsoft Defender Application Guard is deprecated for Microsoft Edge for Business and is no longer available starting with Windows 11, version 24H2.

Hexnode XDR and UEM integration can further support incident response. Documented remediation workflows help security teams:

  • Detect anomalies such as unauthorized process execution
  • Identify known malware signatures
  • Validate threat context
  • Isolate affected devices from the network
  • Terminate suspicious processes based on device severity

This matters because USB-based malware needs fast containment: a single drive can seed several hosts before anyone notices. When Hexnode XDR detects unauthorized process execution, a known malware signature, or a high-severity threat signature, security teams can isolate the affected device and terminate the malicious processes.

Conclusion

The USB LNK worm campaign shows how a removable media infection can evolve into a serious endpoint compromise. What starts as a malicious shortcut on a USB drive can become persistent Windows clipper malware with clipboard hijacking, screenshot theft, Tor-based command-and-control, and runtime code execution.

For organizations, the threat reinforces a simple point: removable media security cannot depend on trust or user caution alone. Enterprises need enforceable USB controls, strong endpoint policies, behavioral detection, and rapid containment workflows.

By managing USB access, restricting execution from removable disks, configuring endpoint security policies, and responding quickly to suspicious activity, organizations can reduce the risk of USB-borne malware turning into a wider security incident.

FAQs

Why do attackers use LNK files?

Attackers use LNK files because they can disguise malicious execution behind familiar file names and icons. A shortcut may look like a document while silently launching scripts, commands, or payloads in the background.

Is clipboard hijacking only a cryptocurrency threat?

No. Crypto theft is a common use case because wallet addresses are frequently copied and pasted. However, clipboard hijacking can also expose passwords, recovery codes, internal links, access tokens, and other sensitive copied data.

Lily Anne

Content writer at Hexnode. Fueled by good coffee and the occasional cat cuddle, I enjoy crafting content that informs, connects, and resonates. Nothing excites me more than knowing my words have been read, appreciated, and maybe even bookmarked.