Microsoft said a new malware strain has been spreading through infected USB sticks since February, targeting Windows PCs and crypto wallets. Microsoft identifies it as Trojan:Win32/CryptoBandits and describes it as a crypto clipper with worm-like behavior. The attack starts with a malicious .lnk shortcut on a USB drive; once opened, the malware installs itself and runs in the background, monitoring the clipboard for seed phrases, private keys and recipient addresses, exfiltrating data over Tor and silently swapping in attacker-controlled wallet addresses (BTC, TRON, XMR). Microsoft recommends disabling AutoRun, blocking .lnk execution on USB media, and restricting script hosts (wscript.exe / cscript.exe).