June 18, 2026 ChainGPT

Microsoft warns of CryptoBandits: Tor-backed clipper worm steals seed phrases, spreads via USB

Microsoft Threat Intelligence is sounding the alarm on a more dangerous breed of crypto clipper that’s been active on Windows systems since February 2026. The campaign — detected by Microsoft Defender Antivirus as Trojan:Win32/CryptoBandits.A — blends classic clipboard-theft behavior with worm-like spread, Tor-based communications and lightweight backdoor features, turning a simple address-swapping tool into a multi-capability threat.

What Microsoft found

- Infection vector: The attack begins with malicious .lnk shortcut files, often delivered via USB drives. When executed, these shortcuts launch a worm component that can create additional malicious shortcuts from legitimate files on the infected machine.
- Persistence and stealth: The malware creates scheduled tasks so it survives reboots, and it relies on script-based tools rather than a large installer, making detection by file-signature methods harder.
- Network obfuscation: A portable Tor client is deployed and traffic is routed through a local SOCKS5 proxy (localhost:9050) and .onion command-and-control domains to reduce DNS visibility and complicate blocking.
- Clipboard and theft behavior: The clipper polls the clipboard roughly every 500 milliseconds, scanning for seed phrases, private keys and wallet addresses. Found wallet addresses can be replaced with attacker-controlled addresses; seed phrases and private keys are exfiltrated over Tor.
- Expanded capabilities: Beyond address replacement, the malware can upload screenshots, contact hidden command servers and execute attacker-supplied code via an EVAL command — effectively enabling backdoor-style access.

Detection advice and hunting guidance

Microsoft urges defenders to focus on correlated behaviors rather than isolated events. Key indicators to watch for include:

- Script engines spawning curl, cmd.exe, PowerShell or unexpected binaries
- localhost:9050 traffic or other signs of a local SOCKS5 proxy or Tor usage
- Newly created or altered .lnk files, especially from removable media
- Unexpected scheduled tasks or other persistence mechanisms
- Signs of screenshot capture or remote code execution commands

Context: clipper malware is evolving

This campaign is part of a growing trend: clippers are no longer passive tools that simply swap a copied wallet address. Microsoft’s report follows prior crypto-related malware reports — including StilachiRAT’s clipboard monitoring and SparkCat’s image-scanning for seed phrases — and earlier warnings from exchanges about address-replacing clippers. The new report shows these families are becoming more layered: able to spread, hide communications through Tor, steal wallet data, capture screens and maintain long-term access.

Takeaway for crypto users and defenders

Treat clipboard-based threats seriously: verify addresses before sending funds, use hardware wallets where possible, and monitor endpoints for the behavioral indicators above. For security teams, prioritize behavior-based detection and hunt for the combination of script activity, local Tor usage, malicious .lnk creation and persistence mechanisms that Microsoft highlights.
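As an added example, not taken from Microsoft's report or ChainGPT, here is a small Python correlation rule that turns the indicators above into a per-host score rather than isolated alerts. The telemetry schema, field names, sample events and the threshold of three distinct behaviours are all assumptions made for this illustration.

```python
from collections import defaultdict

# Behaviours Microsoft lists for CryptoBandits, expressed as simple matchers.
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
SUSPECT_CHILDREN = {"curl.exe", "cmd.exe", "powershell.exe"}
TOR_SOCKS = ("127.0.0.1", 9050)  # local SOCKS5 port named in the report


def classify(ev):
    """Map one telemetry event (constructed schema) to a behaviour category, or None."""
    t, image = ev["type"], ev.get("image", "").lower()
    if t == "process" and ev.get("parent", "").lower() in SCRIPT_ENGINES and image in SUSPECT_CHILDREN:
        return "script_spawns_tool"
    if t == "process" and image == "schtasks.exe" and "/create" in ev.get("cmdline", "").lower():
        return "scheduled_task"
    if t == "netconn" and (ev["dst_ip"], ev["dst_port"]) == TOR_SOCKS:
        return "local_socks5_tor"
    if t == "file_create" and ev["path"].lower().endswith(".lnk") and ev.get("removable", False):
        return "lnk_on_removable"
    return None


def correlate(events, threshold=3):
    """Collect distinct behaviour categories per host; flag hosts at or above threshold.

    One hit alone (an admin registering a task, a developer calling curl from
    PowerShell) is noise; the combination is what the report says to hunt for."""
    seen = defaultdict(set)
    for ev in events:
        cat = classify(ev)
        if cat:
            seen[ev["host"]].add(cat)
    return {host: sorted(cats) for host, cats in seen.items() if len(cats) >= threshold}


# Constructed sample telemetry: WS01 shows the full chain, WS02 only a benign task creation.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "file_create", "path": "E:\\Invoices.lnk", "removable": True},
    {"host": "WS01", "type": "process", "parent": "wscript.exe", "image": "cmd.exe"},
    {"host": "WS01", "type": "process", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\update.vbs"},
    {"host": "WS01", "type": "netconn", "dst_ip": "127.0.0.1", "dst_port": 9050},
    {"host": "WS02", "type": "process", "parent": "explorer.exe", "image": "schtasks.exe",
     "cmdline": "schtasks /create /sc daily /tn Backup /tr C:\\Tools\\backup.exe"},
    {"host": "WS02", "type": "netconn", "dst_ip": "10.0.0.5", "dst_port": 443},
]

if __name__ == "__main__":
    for host, cats in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(cats)}")
```

Feeding real EDR or Sysmon events into `classify` only requires mapping their field names onto the constructed schema; the screenshot and EVAL behaviours from the report would need their own matchers.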