Microsoft Warns Windows Users About CryptoBandits Clipper Malware

Microsoft Threat Intelligence has detailed a Windows malware campaign tracked as Trojan:Win32/CryptoBandits.A, describing a clipper that spreads through removable drives, monitors clipboard activity, and swaps cryptocurrency addresses before victims send funds. The malware targets one of the most common habits in crypto, copying and pasting wallet addresses, and replaces legitimate destination addresses with attacker-controlled ones. This campaign represents a crypto-specific theft method that exploits trust in USB drives and routine transaction workflows.

CryptoBandits Malware Monitors Clipboard and Swaps Crypto Addresses

The malware watches the clipboard and replaces copied wallet addresses with attacker-controlled addresses. Microsoft's report says the CryptoBandits campaign uses high-frequency clipboard monitoring and can also look for sensitive crypto material such as private keys or seed phrases. The victim copies a legitimate destination address, but the malware intercepts and replaces that address before it is pasted into a transaction. Blockchain transfers are difficult or impossible to reverse, and victims may only realize what happened after checking the transaction record.

Malware Spreads Through USB Drives Using Malicious Shortcuts

Microsoft says the malware can spread through removable drives by hiding real documents and replacing them with malicious shortcut files that use familiar document names. A user opens what looks like a normal PDF, spreadsheet, or document from a USB drive, but the shortcut executes malicious code instead. The campaign also uses Tor infrastructure for command-and-control traffic, according to Microsoft. By routing communication through hidden services, attackers can make the malware harder to disrupt and more difficult for traditional network defenses to inspect.

Microsoft Recommends Address Verification Before Sending Funds

Microsoft's guidance includes checking the first and last characters of the destination address before sending funds. For larger transfers, users should use a hardware wallet or wallet screen that shows the address independently of the infected computer. Users should also avoid opening files from unknown USB drives, keep Windows security tools updated, and treat shortcuts on removable storage with suspicion. If a drive suddenly shows familiar files as shortcut links, that is a warning sign. This campaign is Windows-focused and targets crypto users who rely on copy-paste workflows for transaction addresses.
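As an added example (not code from Microsoft's report or from this article), the following Python sketches two defender-side checks for the behaviour described above: flagging a clipboard history in which one wallet address is replaced by a different address within milliseconds, as a high-frequency clipper does, and comparing the address the user intended with what actually landed in the transaction field. The clipboard events, address patterns and timing window are constructed assumptions for illustration.

```python
import re

# Loose patterns for two common address families (constructed; not exhaustive).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[0-9a-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return the address family a clipboard string looks like, or None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None

def detect_swaps(events, window_ms=250):
    """Flag clipboard updates where one wallet address is replaced by a different
    address of the same family within window_ms. A person rarely re-copies a new
    address that fast; a clipper polling the clipboard does exactly this.
    events: ordered list of (timestamp_ms, clipboard_text)."""
    alerts = []
    prev_ts, prev_text = None, None
    for ts, text in events:
        kind = address_kind(text)
        prev_kind = address_kind(prev_text) if prev_text else None
        if prev_kind and kind == prev_kind and text != prev_text and ts - prev_ts <= window_ms:
            alerts.append({"time_ms": ts, "kind": kind,
                           "copied": prev_text, "replaced_with": text})
        prev_ts, prev_text = ts, text
    return alerts

def verify_destination(intended, pasted):
    """Compare the address the user meant to send to with what was pasted.
    Returns 'ok', 'swapped', or 'lookalike' (both ends match but the middle
    differs, which a first/last-characters-only check would not catch)."""
    if intended == pasted:
        return "ok"
    if intended[:4] == pasted[:4] and intended[-4:] == pasted[-4:]:
        return "lookalike"
    return "swapped"

# Constructed clipboard history: a genuine copy, then a replacement 60 ms later.
SAMPLE_EVENTS = [
    (1000, "invoice #4471"),
    (2000, "0x1111111111111111111111111111111111111111"),  # user copies the real address
    (2060, "0x2222222222222222222222222222222222222222"),  # clipper swaps it in
    (9000, "meeting notes"),
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print("possible clipper swap:", alert)
```

A full-string comparison against an independently displayed address (for example on a hardware wallet screen) is the stronger check; the first/last-character heuristic is a quick sanity test, not a substitute.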

FAQ

What does the CryptoBandits malware do to crypto wallet addresses?

The malware monitors clipboard activity and replaces copied cryptocurrency wallet addresses with attacker-controlled addresses before victims paste them into transactions. Microsoft says it uses high-frequency clipboard monitoring and can also search for private keys or seed phrases.

How does CryptoBandits spread to other computers?

Microsoft reports that the malware spreads through removable USB drives by hiding real documents and replacing them with malicious shortcut files that use familiar document names. When a user opens what appears to be a normal file from a USB drive, the shortcut executes malicious code instead.
