Microsoft Uncovers CryptoBandits Malware Targeting Windows Systems via USB Drives
Microsoft Threat Intelligence and Defender Experts have identified a Windows-based cryptocurrency clipper, tracked as Trojan:Win32/CryptoBandits.A (CryptoBandits), active since at least February 2026. The malware operates by monitoring clipboard activity to steal cryptocurrency wallet addresses and seed phrases, while also granting attackers remote control over infected systems.
The attack spreads through malicious USB flash drives containing disguised shortcut (.lnk) files. When clicked, these files execute a hidden worm that replaces legitimate files on the drive with identical-looking shortcuts to propagate further. To evade detection, the malware configures Windows Defender exclusions for its setup folders and deploys hidden JavaScript files in C:\Users\Public\Documents, establishing persistence via scheduled tasks.
The clipper component scans the clipboard every 500 milliseconds, replacing copied cryptocurrency addresses with attacker-controlled ones. It targets specific wallet formats, including Monero, Tron, Bitcoin (Taproot, Bech32, Legacy, and P2SH), using pattern-matching techniques to swap addresses seamlessly. Additionally, the malware captures five screenshots at 10-second intervals to monitor wallet balances.
To avoid detection, CryptoBandits terminates if Task Manager is active and uses a bundled Tor client (ugate.exe) to route traffic through localhost (127.0.0.1:9050), obscuring command-and-control (C2) communications. Data is exfiltrated via three .onion endpoints: /route.php (commands), /recvf.php (screenshots) and /stub.php (file downloads). An EVAL command enables dynamic code execution from a local file (cfile), ensuring persistent remote access.
Microsoft’s findings highlight the malware’s reliance on built-in Windows tools (WScript, ActiveXObject) and self-contained Tor integration to maintain stealth and operational anonymity.
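The host-side traits described above (Defender path exclusions, hidden JavaScript under C:\Users\Public\Documents, scheduled-task persistence, a local Tor SOCKS listener on 127.0.0.1:9050 and weaponised .lnk files on removable media) can be checked for with a short triage script. The following is an added example written for this summary; it is not code from Microsoft, hackread or the malware author. The match patterns and the Add-Finding helper are assumptions drawn only from the indicators named in the text, and they will also flag benign software, so every finding needs analyst review.

```powershell
# Added triage script for the behaviours described in the summary above; not code
# from Microsoft, hackread or the malware author. Run in an elevated PowerShell
# 5.1+ session on the suspect host. Match patterns are assumptions built only from
# the indicators named in the summary and will also match benign tools.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    # Assumed helper: collects one row per indicator for the final table.
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Defender exclusions. The summary says the malware excludes its setup folders;
#    any exclusion on a workstation that normally has none deserves a look.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    foreach ($p in @($pref.ExclusionPath))    { if ($p) { Add-Finding 'DefenderExclusionPath'    $p } }
    foreach ($p in @($pref.ExclusionProcess)) { if ($p) { Add-Finding 'DefenderExclusionProcess' $p } }
}

# 2. JavaScript files in the public Documents folder (the drop location named above),
#    reporting whether each one carries the Hidden attribute.
$pubDocs = 'C:\Users\Public\Documents'
Get-ChildItem -Path $pubDocs -Filter '*.js' -File -Force -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hidden = ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        Add-Finding 'PublicDocumentsJs' ('{0} (hidden={1})' -f $_.FullName, $hidden)
    }

# 3. Scheduled tasks whose action runs a script host or points into Public\Documents.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in @($task.Actions)) {
        $cmd = ('{0} {1}' -f $a.Execute, $a.Arguments).Trim()
        if ($cmd -match '(?i)wscript|cscript|\.js\b|Public\\Documents') {
            Add-Finding 'ScheduledTask' ('{0}{1} -> {2}' -f $task.TaskPath, $task.TaskName, $cmd)
        }
    }
}

# 4. Local SOCKS listener on the Tor port named in the summary, plus the bundled
#    client's process name. Get-Process is used rather than Task Manager because
#    the clipper exits when Task Manager is open.
Get-NetTCPConnection -LocalPort 9050 -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    Add-Finding 'LocalSocksListener' ('{0}:{1} pid={2} ({3})' -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess, $proc.ProcessName)
}
Get-Process -Name 'ugate' -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'SuspiciousProcess' ('{0} pid={1} path={2}' -f $_.ProcessName, $_.Id, $_.Path)
}

# 5. Shortcuts on removable drives whose target is a script host or shell.
#    CreateShortcut only parses the .lnk file; it does not launch the target.
$shell = New-Object -ComObject WScript.Shell
Get-Volume -ErrorAction SilentlyContinue |
    Where-Object { $_.DriveType -eq 'Removable' -and "$($_.DriveLetter)" -match '^[A-Za-z]$' } |
    ForEach-Object {
        $root = "$($_.DriveLetter):\"
        Get-ChildItem -Path $root -Filter '*.lnk' -File -Force -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                $target = ('{0} {1}' -f $lnk.TargetPath, $lnk.Arguments).Trim()
                if ($target -match '(?i)wscript|cscript|cmd\.exe|powershell') {
                    Add-Finding 'RemovableDriveLnk' ('{0} -> {1}' -f $_.FullName, $target)
                }
            }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No CryptoBandits-style indicators found on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Two points of design are worth noting. The script never opens Task Manager, because the summary says the clipper terminates when Task Manager is active, so a process listing taken that way would miss it. And the .lnk check on removable media reads shortcut targets through the WScript.Shell COM object without resolving or launching them, which keeps the triage passive; a drive that turns out to be infected should be imaged, not browsed with Explorer, since the worm replaces files with look-alike shortcuts that run when clicked.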
Source: https://hackread.com/cryptobandits-malware-usb-drives-tor-steal-crypto/
Microsoft Threat Intelligence cybersecurity rating report: https://www.rankiteo.com/company/microsoft-threat-intelligence
{
  "id": "MIC1782217449",
  "linkid": "microsoft-threat-intelligence",
  "type": "Cyber Attack",
  "date": "2/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [{"type": "Individuals/Organizations using Windows systems"}],
  "attack_vector": "Malicious USB flash drives (shortcut .lnk files)",
  "data_breach": {
    "data_exfiltration": true,
    "file_types_exposed": ["Screenshots", "Clipboard data"],
    "personally_identifiable_information": "Cryptocurrency wallet addresses, seed phrases",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Cryptocurrency wallet addresses", "Seed phrases", "Screenshots of wallet balances"]
  },
  "date_detected": "2026-02",
  "description": "Microsoft Threat Intelligence and Defender Experts have identified a Windows-based cryptocurrency clipper, tracked as Trojan:Win32/CryptoBandits.A (CryptoBandits), active since at least February 2026. The malware operates by monitoring clipboard activity to steal cryptocurrency wallet addresses and seed phrases, while also granting attackers remote control over infected systems. The attack spreads through malicious USB flash drives containing disguised shortcut (.lnk) files. When clicked, these files execute a hidden worm that replaces legitimate files on the drive with identical-looking shortcuts to propagate further. The clipper component scans the clipboard every 500 milliseconds, replacing copied cryptocurrency addresses with attacker-controlled ones. It targets specific wallet formats, including Monero, Tron, Bitcoin (Taproot, Bech32, Legacy, and P2SH). Additionally, the malware captures five screenshots at 10-second intervals to monitor wallet balances. To evade detection, CryptoBandits terminates if Task Manager is active and uses a bundled Tor client to route traffic through localhost, obscuring command-and-control communications.",
  "impact": {
    "data_compromised": "Cryptocurrency wallet addresses, seed phrases, screenshots of wallet balances",
    "identity_theft_risk": "High (seed phrases and wallet addresses compromised)",
    "operational_impact": "Remote control of infected systems, clipboard monitoring, data exfiltration",
    "payment_information_risk": "High (cryptocurrency theft)",
    "systems_affected": "Windows systems"
  },
  "initial_access_broker": {
    "backdoors_established": "Scheduled tasks, hidden JavaScript files",
    "entry_point": "Malicious USB drives (shortcut .lnk files)",
    "high_value_targets": "Cryptocurrency users"
  },
  "investigation_status": "Ongoing",
  "motivation": "Financial gain (cryptocurrency theft)",
  "post_incident_analysis": {
    "root_causes": "Use of malicious USB drives, lack of USB device control, clipboard monitoring vulnerabilities"
  },
  "references": [{"source": "Microsoft Threat Intelligence"}],
  "response": {
    "third_party_assistance": "Microsoft Threat Intelligence and Defender Experts"
  },
  "title": "Microsoft Uncovers CryptoBandits Malware Targeting Windows Systems via USB Drives",
  "type": "Malware (Cryptocurrency Clipper)"
}