Microsoft researchers have pulled back the curtain on a cryptocurrency-stealing operation that started in February 2026. The campaign deploys a Windows clipper that spreads like a worm through removable media. It swaps wallet addresses in the clipboard. Then it phones home using a portable Tor client.
Call it CryptoBandits. Microsoft Defender labels it Trojan:Win32/CryptoBandits.A. The malware does more than snatch a few transaction details. It turns a basic financial theft tool into a persistent backdoor. And it does so without exposing any public IP addresses.
USB Propagation Meets Hidden Command Infrastructure
Everything begins with a malicious .lnk file placed on a USB drive. Victims insert the drive. They double-click what looks like a document. The shortcut triggers a worm component. That worm first checks whether the machine already carries the infection. If not, it reaches out for the full payload.
Once installed, the worm scans the USB for common office files. It hides the originals. It creates new shortcuts with identical names. Those new links point back to the malicious code. Plug the drive into another computer and the cycle repeats. Microsoft calls this worm-like propagation. Security teams have seen similar tactics before. Yet this version adds scheduled tasks for staying power on both the worm and the stealer modules.
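The shortcut-for-document swap described above leaves a recognizable trace on the drive: a .lnk file sitting beside a hidden document with the same base name. The following Python script is an added example for triaging a removable drive for that pattern; it is not Microsoft's code or anything from the campaign. The document extension list and the `Entry` / `SAMPLE_USB_ROOT` names are assumptions made for the example, and the sample listing is constructed, not a real capture.

```python
import os
import stat
from dataclasses import dataclass

# Document types the article says the worm hides and shadows with shortcuts.
# The exact set is an assumption; extend it to match your environment.
OFFICE_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}


@dataclass(frozen=True)
class Entry:
    name: str
    hidden: bool


def _base_names(filename):
    """Yield candidate base names: 'Invoice.docx.lnk' -> 'invoice.docx', 'invoice'."""
    base, _ = os.path.splitext(filename)
    yield base.lower()
    inner, inner_ext = os.path.splitext(base)
    if inner_ext.lower() in OFFICE_EXTENSIONS:
        yield inner.lower()


def find_masquerading_shortcuts(entries):
    """Return sorted (shortcut, hidden_original) pairs where a .lnk file shares
    its base name with a hidden document in the same folder."""
    hidden_docs = {}
    for e in entries:
        base, ext = os.path.splitext(e.name)
        if e.hidden and ext.lower() in OFFICE_EXTENSIONS:
            hidden_docs[base.lower()] = e.name
    hits = set()
    for e in entries:
        if os.path.splitext(e.name)[1].lower() != ".lnk":
            continue
        for cand in _base_names(e.name):
            if cand in hidden_docs:
                hits.add((e.name, hidden_docs[cand]))
    return sorted(hits)


def scan_folder(path):
    """Build Entry objects from a real folder. On Windows the hidden bit comes
    from st_file_attributes; elsewhere a leading dot stands in for it."""
    hidden_attr = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    entries = []
    with os.scandir(path) as it:
        for d in it:
            attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
            hidden = bool(attrs & hidden_attr) or d.name.startswith(".")
            entries.append(Entry(d.name, hidden))
    return entries


# Constructed listing of a USB root after the worm has run (sample data, not a
# real capture): two documents hidden and shadowed by same-named shortcuts.
SAMPLE_USB_ROOT = [
    Entry("Invoice.docx", hidden=True),
    Entry("Invoice.lnk", hidden=False),
    Entry("Q2 Budget.xlsx", hidden=True),
    Entry("Q2 Budget.lnk", hidden=False),
    Entry("Holiday.jpg", hidden=False),
    Entry("Tools.lnk", hidden=False),      # ordinary shortcut, no hidden twin
    Entry(".Trashes", hidden=True),        # hidden, but not a document
]

if __name__ == "__main__":
    for lnk, original in find_masquerading_shortcuts(SAMPLE_USB_ROOT):
        print(f"suspicious: {lnk} shadows hidden {original}")
```

Run it against a real drive with `find_masquerading_shortcuts(scan_folder(r"E:\"))`. A hit is not proof of infection on its own, but a hidden document next to a visible shortcut of the same name is exactly the layout the worm leaves behind, and the pair is cheap to check before anyone double-clicks.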
The clipper itself leans on Windows Script Host and ActiveX objects. It refuses to run if Task Manager appears in the process list. A simple evasion. But effective against casual inspection. Then it launches a renamed Tor binary in a hidden window. The malware generates a unique victim ID. It registers that ID with the hidden-service command server. From that point the loop begins.
Clipboard checks happen every 500 milliseconds. The code hunts for Bitcoin, Ethereum, Tron and Monero addresses. It looks for BIP39 seed phrases of 12 or 24 words. It grabs Bitcoin and Ethereum private keys in WIF format. Any match gets replaced with an attacker-controlled address crafted to look similar enough to fool a hurried glance. It also takes five screenshots every ten seconds. All of it is routed through a local SOCKS5 proxy on port 9050.
“The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and poll a hidden-service C2 server,” the Microsoft Defender Security Research Team wrote in its analysis published June 17. “It carries out high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution.”
The researchers emphasize one point. This clipper skips traditional installers. It avoids cleartext IP-based servers. Portable Tor. Local proxy. Data theft mixed with remote code execution. The result feels less like a simple stealer and more like a lightweight backdoor. If the C2 sends an EVAL command, the malware writes JavaScript to a file called “cfile” and runs it through WScript. Attackers can push fresh instructions at will.
SecurityAffairs picked up the same details hours after the Microsoft post. It noted that all components arrive encrypted and decrypt only at runtime. The code sits inside PyArmor-obfuscated Python packaged with PyInstaller. That layering makes static analysis harder.
Crypto.news reported the campaign under the name CryptoBandits as well. It highlighted how the malware now behaves like a backdoor while still focusing on wallet replacement and seed-phrase theft. The outlet quoted Microsoft’s observation that the combination of clipboard monitoring, screenshot capture and remote execution raises the threat level. Its story appeared the same day as the original disclosure.
Defenders face a shift. Signature-based detection alone won’t cut it. Microsoft urges behavioral monitoring instead. Watch for wscript.exe or cscript.exe spawning unusual children. Look for processes connecting to localhost on port 9050. Flag PowerShell commands that capture screens. These patterns matter more than any hash.
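The three behaviors listed above can be expressed as plain rules over endpoint telemetry. The Python below is an added example of that detection logic, not Microsoft's rules or any vendor's product; it runs over a constructed set of JSON event lines in a Sysmon-like shape. The field names, the `BENIGN_SCRIPT_CHILDREN` allowlist and the screen-capture regex are assumptions for the example and should be tuned to whatever your own sensor emits.

```python
import json
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str              # "process" (creation) or "network" (outbound connection)
    image: str             # full path of the acting process
    parent: str = ""       # parent image, process events only
    cmdline: str = ""      # command line, process events only
    dest_ip: str = ""      # network events only
    dest_port: int = 0


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Children a script host spawns in normal use; environment-specific (assumption).
BENIGN_SCRIPT_CHILDREN = {"conhost.exe"}
# .NET calls that appear in PowerShell screenshot one-liners (assumption).
SCREEN_CAPTURE = re.compile(r"CopyFromScreen|System\.Drawing\.Bitmap|Graphics\]::FromImage", re.I)
TOR_SOCKS_PORT = 9050
LOCALHOST = {"127.0.0.1", "::1"}


def image_name(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line):
    """Turn one JSON log line into an Event; unknown keys are ignored."""
    d = json.loads(line)
    return Event(kind=d["kind"], image=d["image"], parent=d.get("parent", ""),
                 cmdline=d.get("cmdline", ""), dest_ip=d.get("dest_ip", ""),
                 dest_port=int(d.get("dest_port", 0)))


def detect(events):
    """Apply the three behaviors from the article; return (rule, detail) pairs."""
    alerts = []
    for ev in events:
        img = image_name(ev.image)
        if ev.kind == "process":
            parent = image_name(ev.parent)
            if parent in SCRIPT_HOSTS and img not in BENIGN_SCRIPT_CHILDREN:
                alerts.append(("script_host_child", f"{parent} -> {img}"))
            if img in ("powershell.exe", "pwsh.exe") and SCREEN_CAPTURE.search(ev.cmdline):
                alerts.append(("powershell_screen_capture", img))
        elif ev.kind == "network":
            if ev.dest_ip in LOCALHOST and ev.dest_port == TOR_SOCKS_PORT:
                alerts.append(("local_socks_9050", img))
    return alerts


# Constructed sample telemetry (not real logs) in the shape parse_event expects.
SAMPLE_LOG = [
    r'{"kind":"process","parent":"C:\\Windows\\System32\\wscript.exe","image":"C:\\Users\\a\\AppData\\Local\\Temp\\update.exe"}',
    r'{"kind":"process","parent":"C:\\Windows\\explorer.exe","image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE"}',
    r'{"kind":"process","parent":"C:\\Windows\\System32\\cscript.exe","image":"C:\\Windows\\System32\\conhost.exe"}',
    r'{"kind":"process","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",'
    r'"cmdline":"-w hidden -c Add-Type -AssemblyName System.Drawing; $b=New-Object System.Drawing.Bitmap 1920,1080; [System.Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size)"}',
    r'{"kind":"network","image":"C:\\Windows\\System32\\wscript.exe","dest_ip":"127.0.0.1","dest_port":9050}',
    r'{"kind":"network","image":"C:\\Program Files\\Google\\Chrome\\chrome.exe","dest_ip":"203.0.113.10","dest_port":443}',
]


def run_sample():
    return detect(parse_event(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule}: {detail}")
```

Each rule on its own is noisy in some environments (administrators do run cscript, and a sanctioned Tor install also listens on 9050), so the practical use is correlation: a script host spawning an unexpected child on a machine that then opens a connection to localhost:9050 is the sequence the article describes, and it stands out regardless of which hash the payload carries that week.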
Practical steps follow naturally. Disable AutoRun and AutoPlay for removable media. Block .lnk files from executing directly from USB drives through Group Policy. Limit unnecessary use of script hosts. Organizations that move sensitive financial data should review clipboard activity and screen-capture behavior on those endpoints. Simple. Yet often overlooked.
The campaign has run for months. Microsoft first spotted infections in February. By mid-June the details were ready for public release. No victim counts surfaced in the reports. The focus stays on technique. USB distribution targets users who share drives. Corporate environments. Home offices. Anywhere removable media changes hands.
Attackers clearly studied operational security. Tor hides the C2. Runtime decryption defeats many scanners. Anti-analysis checks slow reverse engineers. The worm ensures the malware travels further without extra effort. And the remote code capability means the implant can grow beyond its original clipper mission.
But not every defense requires new tools. Manual address verification still stops most clipboard swaps. Hardware wallets keep seed phrases offline. Updated endpoint protection catches the known detection name. Combine those habits with the behavioral alerts Microsoft outlined and the risk drops sharply.
Researchers continue to watch. New variants could tweak the polling interval or alter the screenshot cadence. The Tor infrastructure might migrate to fresh onion addresses. Yet the core idea persists. Turn everyday copy-and-paste habits into silent theft. Do it across USB drives that employees trust. Hide the control channel where firewalls rarely look.
Enterprises that handle cryptocurrency transactions now have fresh homework. Map where USB drives enter the environment. Tune detection rules for the script hosts and proxy connections. Train staff to double-check every pasted address. The malware won’t announce itself. It simply waits for the next copy operation.
Microsoft’s disclosure arrives at a moment when crypto theft tactics keep evolving. Clipper families have existed for years. This one stands out for its worm component, its bundled anonymity network and its backdoor potential. Security teams that absorb the indicators today will spend less time chasing incidents tomorrow.


WebProNews is an iEntry Publication