New CryptoBandits Malware Uses USB Drives and Tor to Steal Crypto
Microsoft discovers CryptoBandits malware spreading via USB drives to steal cryptocurrency wallet addresses.
Summary
Microsoft Threat Intelligence identified a new Windows-based cryptocurrency clipper called CryptoBandits (Trojan:Win32/CryptoBandits.A) active since February 2026. The malware spreads through USB devices via malicious shortcut files, monitors clipboard activity to intercept cryptocurrency wallet addresses and seed phrases, and replaces them with attacker-controlled addresses before transactions. It uses a bundled Tor client routed through localhost:9050 to communicate with C2 servers via .onion endpoints while evading detection by disabling itself when Task Manager is running.
Full text
Microsoft researchers warn of a new dual-action cryptocurrency clipper (CryptoBandits malware) spreading through USB devices to alter wallet addresses and steal crypto assets.
by Deeba Ahmed, June 23, 2026

Microsoft Threat Intelligence and Microsoft Defender Experts have reportedly discovered a Windows-based cryptocurrency clipper believed to be active since February 2026. Microsoft detects the malware as Trojan:Win32/CryptoBandits.A (CryptoBandits). Further analysis found that it monitors the clipboard to steal financial data and gives the operators remote control over infected systems.

How the Attack Spreads

The malware has two components: a worm that handles spreading and a stealer (the clipper) that targets financial data. The infection starts with a USB flash drive containing malicious shortcut (.lnk) files. Clicking a shortcut launches the hidden worm instead of the expected document. The worm hides the original files on the USB drive and creates matching malicious shortcuts in their place, so the next person who opens the drive is tricked the same way. To evade detection, it adds Windows Defender exclusions so that its setup folders are not scanned. It then drops its main files (including two hidden JavaScript files) into a folder under C:\Users\Public\Documents and creates background tasks that keep it running and infect any new USB drive plugged into the computer.

Clipboard Theft and Methods

A notable finding is that the clipper component does not rely on a traditional installer. It uses the built-in Windows scripting tools (WScript and ActiveXObject) to interact directly with the OS.
This lets it run quietly in memory and poll the clipboard every 500 milliseconds for private cryptocurrency keys and 12- or 24-word backup seed phrases. As soon as a user copies a wallet address, the clipper replaces it with an attacker-controlled address. Researchers noted that the swapping logic is specific to the wallet format:

- Monero (starts with 4 or 8): replaced with a single fixed address.
- Tron (starts with T): replaced with an attacker address whose first two characters match.
- Bitcoin Taproot (starts with bc1p) and Bech32 (starts with bc1q): replaced with an attacker address whose last character matches.
- Bitcoin Legacy (starts with 1) and P2SH (starts with 3): replaced with an attacker address whose first two characters match.

Matching the leading or trailing characters is meant to survive the quick glance many users give an address before sending funds. The program also takes five screenshots, ten seconds apart, so the operators can view the victim's wallet balances.

Attack flow diagram (Source: Microsoft)

How it Avoids Detection

The clipper shuts itself down if Task Manager (taskmgr.exe) is running. Because the check keys on that process name, other process viewers do not trigger it. For network communication it bundles a Tor client (ugate.exe) and routes its traffic through Tor's local listener at 127.0.0.1 on port 9050, which hides the final destination of the traffic. curl is used to send data to a .onion site.

“The bundled Tor client is central to the operation. By routing communication over localhost:9050 and resolving “.onion” destination domains inside Tor, the malware reduces DNS visibility, obscures the final C2 destination, and complicates destination-based blocking. This design gives the operator anonymity benefits while keeping the malware compact and self-contained,” researchers explained in the blog post.

Data is exchanged through three endpoints on the C2: /route.php to fetch commands, /recvf.php to upload screenshots, and /stub.php to download files. An EVAL command from the server executes code staged in a local file named cfile, giving the operators persistent remote control.
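The per-format swap rules above, as an added example that is not Microsoft's analysis code or the malware's own: it classifies an address by the prefixes the article lists, applies the replacement rule to a constructed pool of attacker addresses, and shows why a defensive check has to compare the whole string rather than the characters at either end. It goes slightly beyond the article by also checking address length and character set, which are assumptions taken from the public address formats; the sample addresses are constructed and not real, and seed-phrase detection is not modelled.

```javascript
// Added example (not Microsoft's or the malware's code): models the per-format
// swap rules reported for CryptoBandits so the defensive check can be tested
// offline. Lengths and charsets are assumptions from the public address
// specifications; the article only gives the prefixes.

const BASE58 = "[1-9A-HJ-NP-Za-km-z]";                  // no 0, O, I, l
const BECH32 = "[qpzry9x8gf2tvdw0s3jn54khce6mua7l]";

const FORMATS = [
  { name: "monero",      rule: "fixed",   re: new RegExp(`^[48]${BASE58}{94}$`) },
  { name: "tron",        rule: "prefix2", re: new RegExp(`^T${BASE58}{33}$`) },
  { name: "btc-taproot", rule: "suffix1", re: new RegExp(`^bc1p${BECH32}{58}$`) },
  { name: "btc-bech32",  rule: "suffix1", re: new RegExp(`^bc1q${BECH32}{38,58}$`) },
  { name: "btc-legacy",  rule: "prefix2", re: new RegExp(`^1${BASE58}{25,34}$`) },
  { name: "btc-p2sh",    rule: "prefix2", re: new RegExp(`^3${BASE58}{25,34}$`) },
];

// Returns the format name for a clipboard string, or null if it is not an
// address of one of the formats above.
function classify(text) {
  const s = String(text).trim();
  const f = FORMATS.find((fmt) => fmt.re.test(s));
  return f ? f.name : null;
}

// The selection rule the article attributes to the clipper: from a pool of
// attacker addresses of the same format, pick one that shares the characters
// a user is most likely to glance at. Returns null when nothing in the pool
// qualifies; what the real sample does then is not stated in the article.
function pickReplacement(victim, pool) {
  const name = classify(victim);
  if (!name) return null;
  const rule = FORMATS.find((fmt) => fmt.name === name).rule;
  const candidates = pool.filter((a) => classify(a) === name);
  const hit = candidates.find((a) => {
    if (rule === "fixed") return true;
    if (rule === "prefix2") return a.slice(0, 2) === victim.slice(0, 2);
    return a.slice(-1) === victim.slice(-1);              // suffix1
  });
  return hit || null;
}

// A user who glances at one end of the address (first two characters or the
// last one) is exactly who the prefix/suffix rules are built to fool.
function glanceMatches(a, b) {
  return a.slice(0, 2) === b.slice(0, 2) || a.slice(-1) === b.slice(-1);
}

// Defensive check: compare what was copied with what the clipboard holds a
// moment later. A same-format, different-string result is a swap.
function detectSwap(copied, clipboardNow) {
  if (copied === clipboardNow) return { swapped: false };
  const before = classify(copied);
  const after = classify(clipboardNow);
  if (!before || before !== after) return { swapped: false };
  return { swapped: true, format: after, glanceMatches: glanceMatches(copied, clipboardNow) };
}

// Constructed addresses: charset-valid but not real, never used on any chain.
const ATTACKER_POOL = [
  "1AttackerPoo1AddrFakeNotRea1ZzZzZz",   // legacy, leads with "1A"
  "TAttackerPoo1AddrFakeNotRea1ZzZzZz",   // tron, leads with "TA"
  "bc1q" + "q".repeat(37) + "7",          // bech32, ends in "7"
  "4" + "A".repeat(94),                   // monero, the single fixed address
];
const VICTIM_LEGACY = "1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab";
const VICTIM_BECH32 = "bc1q" + "z".repeat(37) + "7";
const VICTIM_TAPROOT = "bc1p" + "z".repeat(58);          // no taproot address in the pool

function runDemo() {
  return {
    legacy: detectSwap(VICTIM_LEGACY, pickReplacement(VICTIM_LEGACY, ATTACKER_POOL)),
    bech32: detectSwap(VICTIM_BECH32, pickReplacement(VICTIM_BECH32, ATTACKER_POOL)),
    taprootReplacement: pickReplacement(VICTIM_TAPROOT, ATTACKER_POOL),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

In the demo, both the legacy and the bech32 swap pass the one-end glance and are only caught by the full-string comparison in detectSwap; the taproot victim gets no replacement because the constructed pool holds no bc1p address, which is the fallback case the article does not describe.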
To protect systems, Microsoft advises disabling AutoPlay for removable media, blocking .lnk execution from USB drives, and verifying the full wallet address before sending a transaction.
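The behaviours described under How the Attack Spreads and How it Avoids Detection give a hunter several host-level signals. The following is an added example, not Microsoft's detection logic: a handful of rules run over constructed Sysmon-style events (process creation, registry value set, network connect), with a simple per-host verdict. The Defender exclusion registry key and Tor's 9050 SOCKS port are standard; the file names, the task name and the use of schtasks for persistence are assumptions for the demo, since the article only says the malware sets up background tasks.

```javascript
// Added example, not Microsoft's detection content: hunt rules derived from
// the behaviours reported for CryptoBandits, run over constructed Sysmon-style
// events. Field names follow Sysmon (EventID 1 process create, 3 network
// connect, 13 registry value set). File names, the task name and the use of
// schtasks for persistence are assumptions for the demo.

const SCRIPT_HOST = /\\(wscript|cscript)\.exe$/i;
const PUBLIC_DOCS = /\\Users\\Public\\Documents\\/i;
// Defender stores path exclusions as value names under this key.
const DEFENDER_EXCL = /^HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\/i;
// A non-system drive letter in the command line is a weak hint of removable media.
const NON_SYSTEM_DRIVE = /(^|[\s"])[D-Z]:\\/i;

const RULES = [
  { name: "script-host-running-from-public-documents", severity: "high",
    match: (e) => e.EventID === 1 && SCRIPT_HOST.test(e.Image) && PUBLIC_DOCS.test(e.CommandLine || "") },
  { name: "explorer-launched-script-host-from-other-drive", severity: "medium",
    // a double-clicked .lnk runs its target as a child of explorer.exe
    match: (e) => e.EventID === 1 && SCRIPT_HOST.test(e.Image) &&
                  /\\explorer\.exe$/i.test(e.ParentImage || "") && NON_SYSTEM_DRIVE.test(e.CommandLine || "") },
  { name: "defender-exclusion-added", severity: "high",
    match: (e) => (e.EventID === 13 && DEFENDER_EXCL.test(e.TargetObject || "")) ||
                  (e.EventID === 1 && /Add-MpPreference\b.*-Exclusion/i.test(e.CommandLine || "")) },
  { name: "scheduled-task-pointing-at-public-documents", severity: "high",
    match: (e) => e.EventID === 1 && /\\schtasks\.exe$/i.test(e.Image) &&
                  /\/create\b/i.test(e.CommandLine || "") && PUBLIC_DOCS.test(e.CommandLine || "") },
  { name: "connection-to-local-tor-socks-9050", severity: "medium",
    // Tor's default SOCKS listener; Tor Browser uses 9150, so 9050 reached by
    // curl or a script host on a workstation deserves a look.
    match: (e) => e.EventID === 3 && e.DestinationIp === "127.0.0.1" && Number(e.DestinationPort) === 9050 },
];

// One alert per (event, rule) pair.
function detect(events) {
  const alerts = [];
  for (const e of events) {
    for (const r of RULES) {
      if (r.match(e)) alerts.push({ rule: r.name, severity: r.severity, EventID: e.EventID, Image: e.Image });
    }
  }
  return alerts;
}

// Two or more distinct high-severity rules on one host is treated as a likely
// infection; anything less is only "suspicious" (threshold is a demo choice).
function verdict(alerts) {
  const high = new Set(alerts.filter((a) => a.severity === "high").map((a) => a.rule));
  if (high.size >= 2) return "likely-infection";
  return alerts.length > 0 ? "suspicious" : "clean";
}

// Constructed events for one host, in rough infection order, plus one benign
// script launch at the end.
const SAMPLE_EVENTS = [
  { EventID: 1, Image: "C:\\Windows\\System32\\wscript.exe", ParentImage: "C:\\Windows\\explorer.exe",
    CommandLine: "\"C:\\Windows\\System32\\wscript.exe\" E:\\.sys\\Invoice.js" },
  { EventID: 13, Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    TargetObject: "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public\\Documents\\Sync" },
  { EventID: 1, Image: "C:\\Windows\\System32\\schtasks.exe", ParentImage: "C:\\Windows\\System32\\wscript.exe",
    CommandLine: "schtasks /create /sc minute /mo 1 /tn SyncUpdate /tr \"wscript.exe C:\\Users\\Public\\Documents\\Sync\\u.js\"" },
  { EventID: 1, Image: "C:\\Windows\\System32\\wscript.exe", ParentImage: "C:\\Windows\\System32\\svchost.exe",
    CommandLine: "wscript.exe C:\\Users\\Public\\Documents\\Sync\\u.js" },
  { EventID: 3, Image: "C:\\Users\\Public\\Documents\\Sync\\curl.exe", DestinationIp: "127.0.0.1", DestinationPort: 9050 },
  { EventID: 1, Image: "C:\\Windows\\System32\\wscript.exe", ParentImage: "C:\\Windows\\explorer.exe",
    CommandLine: "\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Program Files\\Vendor\\setup.js\"" },
];

function runHunt(events = SAMPLE_EVENTS) {
  const alerts = detect(events);
  return { alerts, verdict: verdict(alerts) };
}

console.log(JSON.stringify(runHunt(), null, 2));
```

The medium-severity rules (a script host launched by explorer from another drive, a connection to 127.0.0.1:9050) are noisy on their own; what makes the sample host convincing is the co-occurrence of the Defender exclusion, the scheduled task and the script host all pointing at the same folder under Public\Documents.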
Indicators of Compromise
- malware — CryptoBandits
- malware — Trojan:Win32/CryptoBandits.A