Microsoft disclosed a USB worm campaign in June 2026 that spreads clipboard-stealing malware through Windows shortcut (LNK) files. The malware monitors clipboard contents for cryptocurrency wallet addresses and seed phrases, replaces them with attacker-controlled addresses, and captures screenshots every ten seconds. It propagates by copying itself to every USB drive connected to infected machines and creating malicious shortcuts that replace legitimate documents.
The attack is technically sophisticated — it uses Tor for C2 communication, supports remote code execution, and employs scheduled tasks to monitor for new removable drives. But it still depends on the same fundamental file operations every piece of malware requires: writing executables to disk, creating files, and copying payloads to removable media.
The Payload Has to Land Before Anything Else Happens
When the victim opens the LNK file from the USB drive, the malware attempts to write its payload to the local hard drive. Additional components are staged from a .ONION address. Once on disk, the malware scans for document files, hides the originals, and replaces them with malicious shortcuts. It creates a scheduled task to watch for USB devices and copies itself to each newly connected drive.
Every one of those steps is a file system operation: write, create, copy. Block the initial write and the rest of the attack chain collapses. No clipboard monitoring. No screenshot exfiltration. No worm propagation.
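The footprint that chain leaves on a drive can be checked offline. The Python below is an added example written for this page, not FileSure code and not anything recovered from the campaign: it parses a Windows Shell Link (.lnk) file far enough to recover its relative path, command-line arguments and icon location (the StringData fields of the MS-SHLLINK format), flags shortcuts that launch one of the script hosts Microsoft's guidance names (wscript, cscript, PowerShell) or curl, and pairs each shortcut in a directory listing with a hidden document of the same base name, the pattern left behind when originals are hidden and replaced by shortcuts. The .lnk bytes, the directory listing, the host list and the document-extension list are all constructed or assumed for the example.

```python
"""LNK and USB-drive triage helpers (added example, not FileSure code)."""
import re
import struct

# LinkFlags bits from the Shell Link header (MS-SHLLINK section 2.1.1), low to high.
(HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH,
 HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE) = (1 << i for i in range(8))
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Assumed lists: hosts a document shortcut has no business launching (those in
# Microsoft's guidance plus pwsh) and the document types the worm replaces.
SUSPICIOUS_HOSTS = ("wscript", "cscript", "powershell", "pwsh", "curl")
DOCUMENT_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk, skipping IDList/LinkInfo by size."""
    if len(data) < HEADER_SIZE or data[:4] != b"L\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) then the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    order = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
             (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
             (HAS_ICON_LOCATION, "icon_location"))
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    for flag, key in order:                  # each string: CountCharacters + chars
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2:pos + 2 + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData")
        fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += 2 + count * width
    return fields


def lnk_findings(filename: str, fields: dict) -> list:
    """Reasons a shortcut looks like a document-replacing dropper."""
    launch = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    tokens = re.split(r'[\s"\'\\/]+', launch)
    hosts = sorted({h for h in SUSPICIOUS_HOSTS for t in tokens if t in (h, h + ".exe")})
    findings = []
    if hosts:
        findings.append("launches " + ", ".join(hosts))
    stem = filename[:-4] if filename.lower().endswith(".lnk") else filename
    if hosts and stem.lower().endswith(DOCUMENT_EXTS):
        findings.append("document-named shortcut runs a script host")
    return findings


def hidden_document_pairs(listing) -> list:
    """listing: (filename, is_hidden) tuples; returns (hidden document, shortcut) pairs."""
    by_stem = {}
    for name, hidden in listing:
        if hidden and name.lower().endswith(DOCUMENT_EXTS):
            by_stem[name.lower()] = name                        # Report.docx.lnk
            by_stem[name.rsplit(".", 1)[0].lower()] = name      # Report.lnk
    pairs = []
    for name, _ in listing:
        if name.lower().endswith(".lnk") and name[:-4].lower() in by_stem:
            pairs.append((by_stem[name[:-4].lower()], name))
    return pairs


def build_sample_lnk(relative_path: str, arguments: str, icon_location: str) -> bytes:
    """Construct a minimal Unicode .lnk for the example (not a real worm artifact)."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS
             | HAS_ICON_LOCATION | IS_UNICODE)
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))   # attributes, times, etc. zeroed
    id_list = struct.pack("<H", 10) + b"\x00" * 8 + b"\x00\x00"   # one opaque ItemID + TerminalID
    body = struct.pack("<H", len(id_list)) + id_list
    for s in (relative_path, arguments, icon_location):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body + b"\x00\x00\x00\x00"          # ExtraData TerminalBlock


# Constructed inputs for the example.
SAMPLE_LNK = build_sample_lnk("..\\Windows\\System32\\wscript.exe",
                              '//B //Nologo "Quarterly Report.vbs"',
                              "C:\\Windows\\System32\\shell32.dll,1")
SAMPLE_LISTING = [("Quarterly Report.docx", True), ("Quarterly Report.docx.lnk", False),
                  ("Budget.xlsx", True), ("Budget.lnk", False),
                  ("notes.txt", False), ("readme.lnk", False)]

if __name__ == "__main__":
    fields = parse_lnk(SAMPLE_LNK)
    print(fields, lnk_findings("Quarterly Report.docx.lnk", fields))
    print(hidden_document_pairs(SAMPLE_LISTING))
```

The parser deliberately skips the IDList and LinkInfo structures by their size fields rather than interpreting them, which is enough to reach the command line a dropper hides in the arguments field; on a real drive you would feed `parse_lnk` each .lnk under the root and `hidden_document_pairs` each directory's names and hidden attributes.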
FileSure Defend operates at the Windows kernel level via a filter driver that intercepts file operations before they reach the file system. A rule targeting executable writes from USB-launched processes stops the payload at the delivery stage:
File name filter: *.exe;*.dll;*.vbs;*.js;*.lnk;*.bat;*.cmd;*.ps1
Program name filter: REMOVABLE MEDIA (blocks any program running from USB)
Operations: Write, Create
Drive type: Hard drives
Result: No program running from a USB device can write a file of those types to the local hard drive. The payload never lands, so the clipboard hijacking, screenshot capture, and USB propagation described above never start. One caveat to verify in alert-only mode before relying on the rule: a malicious LNK commonly hands its payload to an interpreter that already lives on the system drive (wscript.exe, cscript.exe or PowerShell, the same processes Microsoft's guidance below says to watch), and a write performed by that interpreter does not originate from removable media. If the test shows the write coming from such a host rather than from a USB-resident executable, the rule has to cover those hosts as well.
Preventing USB Propagation
Even if the initial payload somehow made it to disk, FileSure blocks the worm from copying itself back out to USB devices. A separate rule prevents bulk file writes to removable media:
File name filter: * (all files)
Program name filter: * (all programs, or exclude authorized backup tools)
Operations: Write, Create
Drive type: Removable drives
Threshold: 20 matches within 60 minutes (for alert-only mode)
Result: In block mode the worm cannot copy itself to newly connected USB drives. In alert-only mode the threshold turns mass file transfers to removable media into alerts; note that a worm dropping a handful of files per drive can stay under a 20-write threshold, so use the threshold for the initial monitoring period and switch the rule to blocking (or lower the threshold) once authorized bulk writers such as backup tools have been excluded.
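To make the threshold semantics concrete, here is a small sliding-window model written for this page (an added example, not FileSure's rule engine or its configuration format): it evaluates Write/Create events on removable drives per process, raises an alert when a process reaches 20 matches inside 60 minutes, honours an exclusion list for authorized tools, and ignores hard-drive writes. The event lines, their field layout and the process names are constructed for the example.

```python
"""Sliding-window model of the removable-media write threshold
(added example, not FileSure's rule engine). All events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 20                      # matches ...
WINDOW = timedelta(minutes=60)      # ... within this window
RULE_OPS = {"Write", "Create"}
RULE_DRIVE = "Removable"


def constructed_events() -> list:
    """Constructed lines: '<ISO time> <drive type> <op> <process> <path>'."""
    base = datetime(2026, 6, 1, 9, 0, 0)

    def ev(offset, drive, op, proc, path):
        return f"{(base + offset).isoformat()} {drive} {op} {proc} {path}"

    lines = []
    # Worm-style self-copy: three files on each of two freshly inserted drives.
    for minute, letter in ((0, "E"), (3, "F")):
        for i, name in enumerate(("payload.vbs", "Report.docx.lnk", "launcher.lnk")):
            lines.append(ev(timedelta(minutes=minute, seconds=i), "Removable",
                            "Create", "wscript.exe", f"{letter}:\\{name}"))
    # Bulk copies: 25 files each from Explorer and from an authorized backup tool.
    for minute, proc in ((5, "explorer.exe"), (10, "backup.exe")):
        for i in range(25):
            lines.append(ev(timedelta(minutes=minute, seconds=i), "Removable",
                            "Write", proc, f"E:\\bulk\\{proc}\\part{i}.bin"))
    # 30 writes split into two bursts 90 minutes apart: never 20 inside one window.
    for minute in (0, 90):
        for i in range(15):
            lines.append(ev(timedelta(minutes=minute, seconds=i), "Removable",
                            "Write", "sync.exe", f"E:\\sync\\item{i}.dat"))
    # A hard-drive write is outside this rule's drive-type filter.
    lines.append(ev(timedelta(minutes=6), "Fixed", "Write", "wscript.exe", "C:\\Temp\\drop.exe"))
    return lines


def evaluate(lines, exclude=()) -> dict:
    """Return {process: time of the THRESHOLD-th matching write inside WINDOW}."""
    recent = defaultdict(deque)       # per-process timestamps still inside the window
    alerts = {}
    for line in sorted(lines):        # ISO timestamps sort chronologically
        ts, drive, op, proc, _path = line.split(" ", 4)
        if drive != RULE_DRIVE or op not in RULE_OPS or proc in exclude:
            continue
        t = datetime.fromisoformat(ts)
        q = recent[proc]
        q.append(t)
        while t - q[0] > WINDOW:      # drop matches older than the window
            q.popleft()
        if len(q) >= THRESHOLD and proc not in alerts:
            alerts[proc] = t
    return alerts


if __name__ == "__main__":
    events = constructed_events()
    print(evaluate(events))
    print(evaluate(events, exclude=("backup.exe",)))
```

The constructed input shows both sides of the rule: the bulk copies trip the alert on their 20th write, the excluded backup tool is silent, and the worm-style drop of three files per drive never alerts at all, nor do two 15-file bursts 90 minutes apart. That is the gap between alert-only and block mode that the text above describes.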
Microsoft’s detection guidance recommends monitoring for wscript.exe, cscript.exe, unexpected curl and PowerShell activity, and connections to localhost:9050 (Tor proxy). That’s behavioral detection after the infection has occurred. It’s valuable for incident response, but it’s fundamentally reactive.
Blocking the file operation that delivers the payload is upstream of all of that. If the malware never writes to disk, there’s no process to monitor, no clipboard to hijack, no screenshots to exfiltrate.
Test It Yourself
FileSure Defend runs on Windows Server and Windows 10/11. Rules are configured centrally and enforced silently at the kernel level — no agent popups, no user prompts. You can deploy in alert-only mode first to see what would be blocked without disrupting operations.
Start a free 21-day trial at bystorm.com. Deploy the USB write blocking rule on a test machine, plug in a USB drive with a script payload, and watch the write attempt get blocked before it reaches the file system.
Source: USB worm spreads crypto-stealing malware via Windows shortcut files
Category: Threat Intelligence
Tags: usb worm, cryptocurrency malware, clipboard stealer, lnk files, removable media security, kernel filter driver, file system security, malware prevention