Back to Intelligence

USB Worm Crypto-Stealer: Detecting Shortcut-Based Attacks & Tor C2

SA
Security Arsenal Team
June 19, 2026
6 min read

Security Arsenal is tracking a concerning resurgence in physical-media-based attacks. Threat actors are actively distributing a sophisticated USB worm designed to target cryptocurrency holders. This campaign combines traditional worm-like propagation via removable media with modern stealth techniques, specifically leveraging Windows shortcut files (.lnk) for initial execution and the Tor network to obfuscate command-and-control (C2) communications.

For organizations managing high-value assets or even employees with personal crypto wallets on BYOD devices, this represents a tangible physical-to-digital threat. The worm’s ability to self-propagate means a single compromised USB drive can bridge air-gaps or bypass perimeter defenses, rapidly infecting multiple workstations. The payload includes clipboard hijacking functionality—silently swapping wallet addresses during copy-paste operations—facilitating undetected fund theft.

Technical Analysis

Attack Vector: Removable Media (USB) Mechanism: Malicious Windows Shortcut (.lnk) files C2 Infrastructure: Tor Network Objective: Cryptocurrency Theft via Clipboard Manipulation

The Attack Chain

  1. Initial Access: The victim inserts a USB drive containing the worm. The drive likely appears legitimate due to social engineering (e.g., labeled "Payroll" or "Q1_Results").
  2. Execution: Upon accessing the drive, Windows renders the .lnk file. The attackers have weaponized the shortcut to execute a command (typically via PowerShell or CMD) pointing to a malicious payload stored on the USB drive or downloaded from a remote server.
  3. Persistence & Propagation: The malware copies itself to the new host and infects any newly inserted USB drives, repeating the cycle.
  4. Data Exfiltration & C2: The malware establishes a connection to the Tor network. This allows the threat actor to communicate with the infected endpoint anonymously, bypassing standard IP-based blocking and egress filtering.
  5. Payload (Clipboard Hijacking): The malware continuously monitors the system clipboard. When it detects a string resembling a cryptocurrency address (e.g., a long alphanumeric string matching Bitcoin or Ethereum regex patterns), it replaces the victim's address with the attacker's address before the transaction is confirmed.

Technical Observations

While this attack vector abuses the inherent design of Windows shortcuts—a technique dating back to the Stuxnet era—its integration with Tor for C2 and the specific focus on crypto-jacking reflects a modern, financially motivated adaptation. The use of Tor makes network-based detection significantly harder, as the traffic appears as standard encrypted web browsing to a firewall, albeit destined for known Tor guard nodes or exit nodes.

Detection & Response

Detecting this threat requires a multi-layered approach focusing on process lineage originating from removable storage and anomalous network traffic patterns.

Sigma Rules

The following Sigma rules target the execution of suspicious commands via shortcut files and the use of Tor network connections from non-browser applications.

YAML
---
title: Suspicious Process Execution via LNK File on Removable Drive
id: 8c7d9a12-3b4e-4a1c-9d5f-6e7f8a9b0c1d
status: experimental
description: Detects execution of suspicious processes (cmd, powershell, wscript) initiated by a Windows Shortcut file (.lnk), often indicative of USB-based worm propagation.
references:
 - https://attack.mitre.org/techniques/T1091/
 - https://attack.mitre.org/techniques/T1204/
author: Security Arsenal
date: 2026/04/06
tags:
 - attack.initial_access
 - attack.t1091
 - attack.execution
 - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  selection_cli:
    CommandLine|contains: '.lnk'
  selection_parent:
    ParentImage|endswith: '\explorer.exe'
  condition: all of selection_
falsepositives:
  - Legitimate administrative scripts launched from desktop shortcuts
level: high
---
title: Tor Network Connection from Non-Browser Process
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects non-browser processes establishing connections to the Tor network. This is a strong indicator of malware C2 activity, such as the USB crypto-stealer.
references:
 - https://attack.mitre.org/techniques/T1573/
author: Security Arsenal
date: 2026/04/06
tags:
 - attack.command_and_control
 - attack.t1573
logsource:
  category: network_connection
  product: windows
detection:
  selection_ports:
    DestinationPort:
      - 9050
      - 9051
      - 9150
      - 9151
  filter_browsers:
    Image|contains:
      - '\chrome.exe'
      - '\firefox.exe'
      - '\msedge.exe'
      - '\opera.exe'
  condition: selection_ports and not filter_browsers
falsepositives:
  - Legitimate Tor Browser usage (if using custom paths)
  - Other privacy tools relying on Tor
level: high

KQL (Microsoft Sentinel / Defender)

Use this KQL query to hunt for processes spawned from removable media (DriveType 2) that result in PowerShell or CMD execution. This hunt correlates process creation events with volume information.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "explorer.exe"
| where FileName in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| extend DriveLetter = substring(ProcessCommandLine, 0, 2)
| join kind=inner (DeviceEvents
    | where ActionType == "Mount"
    | where AdditionalFields contains "Removable"
    | project DeviceId, DriveLetter = extract(@"[A-Za-z]:", 0, AdditionalFields)
    | distinct DriveLetter) on DriveLetter
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, DriveLetter
| order by Timestamp desc

Velociraptor VQL

This Velociraptor artifact hunts for .lnk files on non-C drives (common for USB volumes) and checks for active Tor network connections.

VQL — Velociraptor
-- Hunt for suspicious LNK files on non-system drives and active Tor connections
LET suspicious_lnk_files = SELECT FullPath, Mtime
FROM glob(globs='/**/*.lnk')
WHERE NOT FullPath =~ '^C:\\'
  AND Mtime > now() - 30 * 86400
  -- Look for LNKs recently modified (last 30 days)

SELECT FullPath, Mtime AS ModificationTime
FROM suspicious_lnk_files

-- Check for Tor network connections
SELECT Pid, ProcessName, RemoteAddress, RemotePort
FROM netstat()
WHERE RemotePort IN (9050, 9051, 9150, 9151)
  AND ProcessName NOT IN ("firefox.exe", "chrome.exe", "msedge.exe", "tor.exe")

Remediation Script (PowerShell)

This script disables the Autorun functionality (a common vector for LNK execution) and enumerates connected USB devices for forensic review. To fully remediate, a block on Tor IPs is recommended at the firewall level.

PowerShell
# Remediation: Disable Autorun and Audit USB Devices

# 1. Disable Autorun on all drives (NoAutoRun)
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
if (!(Test-Path $registryPath)) {
    New-Item -Path $registryPath -Force | Out-Null
}
Set-ItemProperty -Path $registryPath -Name "NoDriveTypeAutoRun" -Value 0xFF -Type DWord
Write-Host "[+] Autorun disabled for all drives."

# 2. Disable USB Storage (Optional - requires policy change)
# Uncomment the lines below to block USB storage completely.
# $usbPath = "HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR"
# Set-ItemProperty -Path $usbPath -Name "Start" -Value 4 -Type DWord
# Write-Host "[+] USB Storage disabled."

# 3. Identify currently connected USB Mass Storage Devices
Write-Host "[*] Currently connected USB devices:"
Get-WmiObject Win32_Volume | Where-Object { $_.DriveType -eq 2 -and $_.DriveLetter } | 
    Select-Object DriveLetter, Label, Name, @{Name="Capacity(GB)";Expression={[math]::Round($_.Capacity/1GB, 2)}}

Write-Host "[!] Review the above devices. Manually scan non-corporate devices."

Remediation

  1. Patch & Harden: Ensure Windows systems are fully patched. While the LNK functionality itself is a feature, Microsoft frequently releases updates to harden the parsing of these files against known exploits.
  2. Restrict USB Access: Implement Group Policy Objects (GPO) to deny write access to removable storage, or completely deny read access for endpoints that do not require it (e.g., developer workstations, air-gapped systems).
    • GPO Path: Computer Configuration -> Administrative Templates -> System -> Removable Storage Access.
  3. Network Segmentation: Block Tor traffic at the egress firewall. While this may impact privacy needs, it is a critical control for preventing C2 communication for malware families relying on Tor. Block known Tor Guard/Entry node IP lists.
  4. Application Whitelisting: Use AppLocker or Windows Defender Application Control (WDAC) to restrict execution to signed binaries and specific directories. This prevents the execution of unauthorized scripts from the Recycler or root of a USB drive.
  5. User Education: Reinforce the "No Unknown USB" policy. Physical security is cybersecurity; picking up a dropped drive can compromise the entire network.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirusb-wormcrypto-malwarewindows-shortcuts

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.