Microsoft Warns New Malware Hijacks Crypto Wallet Clipboard

Microsoft Threat Intelligence and Microsoft Defender Experts reported on June 17 that a new malware strain has been infecting Windows devices since February 2026. The threat, a so-called 'clipper' now flagged by Microsoft Defender Antivirus as 'Trojan: Win32/CryptoBandits.A,' is designed to drain cryptocurrency from users by monitoring clipboard activity. The malware operates by watching the clipboard approximately every 500 milliseconds and silently swapping cryptocurrency wallet addresses with attacker-controlled addresses when users copy and paste transaction details. This clipboard-based attack method exploits the common practice of copying wallet addresses during cryptocurrency transactions, allowing attackers to redirect funds without the victim's knowledge.
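The clipper behaviour described above (poll the clipboard, replace a copied address with an attacker-controlled one) has a defensive mirror image: poll at the same cadence, remember the last address seen, and alert when it turns into a different address of the same kind within a window too short for a human to have copied something new. The following detector is an added example, not code from Microsoft's report or from Defender; the address patterns are format-only checks (no checksum validation) and the sample clipboard snapshots are constructed for the demo.

```python
"""Clipboard-swap detector for the clipper behaviour described above.

Hypothetical detector (not Microsoft's or Defender's logic): record each new
clipboard value and raise an alert when a wallet address is replaced, within a
short window, by a *different* address of the same kind.
"""
import re
import time
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# Format-only patterns (no checksum validation); enough to classify clipboard text.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the address kind if the whole clipboard text looks like one address."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(s):
            return kind
    return None


@dataclass
class SwapAlert:
    at: float            # seconds: the sample that first showed the replacement
    kind: str
    original: str
    replaced_with: str


def detect_swaps(samples: Iterable[Tuple[float, str]], window_s: float = 2.0) -> List[SwapAlert]:
    """Scan (timestamp, clipboard_text) samples in time order.

    Alert when an address is followed, within `window_s`, by a different address of
    the same kind. Unchanged samples are skipped; unrelated text resets the state.
    """
    alerts: List[SwapAlert] = []
    last: Optional[Tuple[float, str, str]] = None   # (t, kind, text)
    for t, text in samples:
        text = text.strip()
        if last and text == last[2]:
            continue                                # nothing changed since the last poll
        kind = classify_address(text)
        if kind is None:
            last = None
            continue
        if last and last[1] == kind and t - last[0] <= window_s:
            alerts.append(SwapAlert(t, kind, last[2], text))
        last = (t, kind, text)
    return alerts


def poll_clipboard(read: Callable[[], str], interval_s: float = 0.5,
                   duration_s: float = 10.0) -> List[Tuple[float, str]]:
    """Sample the clipboard via `read` every `interval_s` (500 ms, like the clipper)."""
    samples: List[Tuple[float, str]] = []
    start = time.monotonic()
    while time.monotonic() - start < duration_s:
        try:
            samples.append((time.monotonic() - start, read()))
        except Exception:                           # e.g. clipboard holds non-text data
            samples.append((time.monotonic() - start, ""))
        time.sleep(interval_s)
    return samples


# Constructed clipboard timeline (addresses are made-up strings in valid formats).
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (1.0, "1ConstructedAddrForTestsAbcdefghi"),    # user copies their own address
    (1.5, "1AttackerSwappedAddrForTestsBcdefg"),   # 500 ms later it is a different one: swap
    (2.0, "1AttackerSwappedAddrForTestsBcdefg"),   # unchanged
    (9.0, "0x" + "deadbeef" * 5),                  # user copies an ETH address later
    (25.0, "0x" + "cafebabe" * 5),                 # 16 s later: a normal re-copy, not flagged
]


if __name__ == "__main__":
    import tkinter as tk                            # live mode; needs a display
    root = tk.Tk()
    root.withdraw()
    for alert in detect_swaps(poll_clipboard(root.clipboard_get, duration_s=30)):
        print(f"[{alert.at:5.1f}s] {alert.kind}: {alert.original} -> {alert.replaced_with}")
```

The window is a heuristic: a user who copies two addresses in quick succession will trip it, so treat an alert as a reason to stop and compare the pasted address against the intended one rather than as proof of infection.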

Microsoft Identifies Malware Distribution Method

According to Microsoft's report, the campaign starts with malicious shortcut (.lnk) files distributed on USB storage drives. The malware bundles two components: a worm component that spreads itself and a stealer that harvests wallet data. The worm hides legitimate documents on a USB device and replaces them with disguised shortcuts, so a user opening what looks like a familiar file is actually launching the malware without realizing it.
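The decoy pattern in the paragraph above (real document hidden, look-alike shortcut dropped beside it) leaves a simple fingerprint on the drive: a .lnk whose name or stem matches a hidden file in the same directory. The triage helper below is an added example, not Microsoft's detection logic; it reads the Windows hidden attribute on Windows and, as a demo assumption, treats dot-prefixed files as hidden elsewhere so the logic can be exercised on any platform.

```python
"""Decoy-shortcut triage for the USB spreading pattern described above.

Hypothetical helper (not Microsoft's code): pair every shortcut in a directory
with a hidden file of the same full name or stem and report the pairs.
"""
import os
import stat
import sys
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass
class Decoy:
    shortcut: str          # the .lnk the user sees
    hidden_original: str   # the real file it shadows


def find_decoys(entries: Iterable[Tuple[str, bool]]) -> List[Decoy]:
    """entries: (file name, is_hidden) pairs from one directory.

    A shortcut is a decoy when a hidden file matches it on full name
    ('report.docx.lnk' shadows 'report.docx') or on stem ('report.lnk' shadows
    'report.docx'). Shortcuts with no hidden counterpart are left alone.
    """
    hidden_by_key = {}
    shortcuts = []
    for name, hidden in entries:
        stem, ext = os.path.splitext(name)
        if ext.lower() == ".lnk":
            shortcuts.append(name)
        elif hidden:
            for key in {name.lower(), stem.lower()}:
                hidden_by_key.setdefault(key, set()).add(name)
    decoys = []
    for lnk in shortcuts:
        key = os.path.splitext(lnk)[0].lower()
        for original in sorted(hidden_by_key.get(key, ())):
            decoys.append(Decoy(lnk, original))
    return decoys


def _is_hidden(entry: os.DirEntry) -> bool:
    """Windows: FILE_ATTRIBUTE_HIDDEN. Elsewhere (demo assumption): leading dot."""
    if sys.platform == "win32":
        attrs = entry.stat(follow_symlinks=False).st_file_attributes
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return entry.name.startswith(".")


def scan_drive(root: str) -> List[Decoy]:
    """List one directory (e.g. the root of a removable drive) and report decoys."""
    entries = []
    with os.scandir(root) as it:
        for entry in it:
            hidden = _is_hidden(entry)
            name = entry.name
            if hidden and sys.platform != "win32":
                name = name.lstrip(".")   # normalise the dot-file convention for matching
            entries.append((name, hidden))
    return find_decoys(entries)


def demo_scan() -> List[Decoy]:
    """Build a constructed 'USB root' in a temp dir and scan it (dot-file convention)."""
    with tempfile.TemporaryDirectory() as root:
        for name in (".budget.xlsx", "budget.xlsx.lnk", "readme.txt", "tools.lnk"):
            open(os.path.join(root, name), "w").close()
        return scan_drive(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for d in (scan_drive(target) if target else demo_scan()):
        print(f"decoy shortcut {d.shortcut!r} shadows hidden file {d.hidden_original!r}")
```

Run it with a drive root as the argument (for example `E:\` on Windows); with no argument it scans a constructed temp directory. A legitimate shortcut with no hidden twin is not reported, which keeps the output focused on the hide-and-replace pattern rather than on every .lnk file.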

The malware also hunts for seed phrases and private keys, which are the credentials that unlock crypto wallets. To maintain persistence, it runs in a concealed window, sets up scheduled tasks, and excludes its own files from Defender scanning. The malware checks whether Task Manager is open and shuts down if it is, an anti-analysis tactic meant to dodge anyone investigating the device.

CryptoBandits Uses Tor-Based Infrastructure

Microsoft states that CryptoBandits deploys a portable Tor client and routes traffic through a local proxy to reach a hidden command-and-control server. This design lets it blend data theft with remote code execution, transforming a money-grabbing stealer into a lightweight backdoor that can run further attacker commands. The Tor-based infrastructure allows the malware to maintain stealthy communication channels without relying on traditional installers or exposed servers.

FAQ

What is the CryptoBandits malware that Microsoft discovered? CryptoBandits, flagged by Microsoft Defender Antivirus as 'Trojan: Win32/CryptoBandits.A,' is a malware strain that monitors clipboard activity approximately every 500 milliseconds and swaps cryptocurrency wallet addresses with attacker-controlled addresses. Microsoft Threat Intelligence and Microsoft Defender Experts reported on June 17 that it has been infecting Windows devices since February 2026.

How does the CryptoBandits malware spread to devices? According to Microsoft's report, the malware spreads via malicious shortcut (.lnk) files distributed on USB storage drives. The worm component hides legitimate documents on USB devices and replaces them with disguised shortcuts that launch the malware when users open what appears to be a familiar file.

What infrastructure does CryptoBandits use to communicate? Microsoft states that CryptoBandits deploys a portable Tor client and routes traffic through a local proxy to reach a hidden command-and-control server. This Tor-based infrastructure allows the malware to maintain stealthy communication channels and execute remote commands.
