Microsoft Threat Intelligence has issued a warning about a sophisticated crypto-clipper malware campaign, tracked as CryptoBandits, that has been active since February 2026. The malware combines clipboard theft, wallet address replacement, worm-like propagation, and Tor-based communications, and now includes backdoor features that allow attackers to maintain long-term access to infected Windows systems.
The attack begins with malicious .lnk shortcut files, commonly delivered via USB storage devices. Once executed, a worm component launches and creates additional malicious shortcuts from legitimate files on the machine, while also setting up scheduled tasks for persistence. This ensures the malware survives reboots and gives attackers extended surveillance capability.
To evade detection, the threat deploys a portable Tor client and routes command traffic through a local SOCKS5 proxy on localhost:9050, connecting to .onion domains. Because .onion names are resolved inside the Tor network rather than by the host's DNS resolver, no DNS lookups for the command-and-control infrastructure appear on the local network, which complicates blocking. The clipper scans the clipboard every 500 milliseconds, searching for seed phrases, private keys, and wallet addresses. When a wallet address is found, it replaces it with an attacker-controlled address; if seed phrases or keys are detected, they are exfiltrated via Tor.
Microsoft highlighted that the malware goes beyond simple clipping by offering backdoor functionality—it can capture screenshots and execute attacker-supplied code through an EVAL command, effectively turning it into a remote access tool. This layered approach raises the risk significantly, allowing operators not only to steal funds but also to spy on victims and deploy additional payloads.
Microsoft advises defenders to hunt for correlated behaviors, such as unexpected script engine launches, curl or PowerShell activity, and traffic to localhost:9050, rather than focusing on isolated alerts. The malware is detected by Microsoft Defender Antivirus as Trojan:Win32/CryptoBandits.A. Earlier threats like StilachiRAT and SparkCat also targeted crypto wallets, but CryptoBandits’ worm-like spread, Tor cloaking, and backdoor capabilities represent a dangerous evolution in crypto-targeting malware.
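The hunting advice above is to correlate behaviours on one host rather than alert on each in isolation. The following is an added example of that correlation logic, not code from Microsoft or the original article: it tags constructed endpoint events (process creation and network connection records with assumed field names, not any vendor's schema) as script-engine launches, curl or PowerShell activity, scheduled-task creation, or connections to localhost:9050, then flags a host only when several distinct behaviours land inside one time window.

```python
"""Correlate endpoint telemetry for the CryptoBandits-style behaviour chain.

Added example, not Microsoft's or the article's code. Event field names
(host, ts, type, image, cmdline, dst, port) and all sample values are
constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). ws01 shows the full chain;
# ws02 is a developer running PowerShell with no Tor proxy traffic.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2026-03-02T09:14:05", "type": "process",
     "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"host": "ws01", "ts": "2026-03-02T09:14:07", "type": "process",
     "image": "wscript.exe", "cmdline": "wscript.exe //B C:\\Users\\Public\\run.vbs"},
    {"host": "ws01", "ts": "2026-03-02T09:14:09", "type": "process",
     "image": "schtasks.exe", "cmdline": "schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\run.vbs"},
    {"host": "ws01", "ts": "2026-03-02T09:14:20", "type": "process",
     "image": "curl.exe", "cmdline": "curl.exe --socks5-hostname 127.0.0.1:9050 http://placeholder.onion/"},
    {"host": "ws01", "ts": "2026-03-02T09:14:21", "type": "network",
     "image": "curl.exe", "dst": "127.0.0.1", "port": 9050},
    {"host": "ws02", "ts": "2026-03-02T10:00:00", "type": "process",
     "image": "powershell.exe", "cmdline": "powershell -File build.ps1"},
    {"host": "ws02", "ts": "2026-03-02T10:00:05", "type": "network",
     "image": "powershell.exe", "dst": "10.0.0.5", "port": 443},
]

SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
DOWNLOADERS = {"curl.exe", "powershell.exe", "pwsh.exe"}
TOR_SOCKS_PORT = 9050
WINDOW = timedelta(minutes=10)


def classify(event):
    """Return the set of behaviour tags one raw event evidences (empty if none)."""
    tags = set()
    image = event.get("image", "").lower()
    cmd = event.get("cmdline", "").lower()
    if event["type"] == "process":
        if image in SCRIPT_ENGINES:
            tags.add("script_engine")
        if image in DOWNLOADERS:
            tags.add("curl_or_powershell")
        if image == "schtasks.exe" and "/create" in cmd:
            tags.add("scheduled_task")
    elif event["type"] == "network":
        if event.get("dst") in {"127.0.0.1", "::1"} and event.get("port") == TOR_SOCKS_PORT:
            tags.add("localhost_9050")
    return tags


def correlate(events, window=WINDOW, minimum=3):
    """Flag hosts where at least `minimum` distinct behaviours occur within `window`.

    Each tagged event opens a sliding window; behaviours seen inside it are
    unioned, so the order in which the chain fires does not matter.
    """
    by_host = defaultdict(list)
    for ev in events:
        tags = classify(ev)
        if tags:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tags))

    findings = []
    for host, tagged in by_host.items():
        tagged.sort(key=lambda item: item[0])
        for i, (start, _) in enumerate(tagged):
            seen = set()
            for ts, tags in tagged[i:]:
                if ts - start > window:
                    break
                seen |= tags
            if len(seen) >= minimum:
                findings.append({"host": host, "start": start.isoformat(),
                                 "behaviours": sorted(seen)})
                break  # one finding per host is enough for triage
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

With the default threshold of three behaviours, only ws01 is flagged; the developer host ws02 trips two tags (PowerShell is both a script engine and a downloader) and stays quiet. Lowering `minimum` to 2 surfaces ws02 as well, which illustrates the trade-off the article points at: individual indicators such as a PowerShell launch are too common to alert on alone, while the combination with a SOCKS5 connection to localhost:9050 and a freshly created scheduled task is not.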