HackRead

New CryptoBandits Malware Uses USB Drives and Tor to Steal Crypto


Microsoft Threat Intelligence and Microsoft Defender Experts have reportedly discovered a Windows-based cryptocurrency clipper, believed to be active since February 2026. Microsoft detects the malware as Trojan:Win32/CryptoBandits.A (the CryptoBandits malware), and on further analysis found that it monitors the clipboard to steal financial data and gives the operators remote control over infected systems.

How the Attack Spreads

The malware has a dual-component program, which means it combines a worm component for spreading with a stealer component for targeting financial data. The infection starts via USB flash drives containing malicious shortcut (.lnk) files. Clicking the shortcut launches a hidden worm instead of a document.

This worm hides the original files on the USB drive and creates matching malicious shortcuts to trick more users. To evade detection, it configures Windows Defender exclusions so that its setup folders are not scanned. It then drops its main files (including two hidden JavaScript files) into a folder under C:\Users\Public\Documents, and finally sets up scheduled background tasks to keep running and to infect any new USB drive plugged into the computer.

Clipboard Theft and Methods

A notable finding is that the clipper component doesn’t rely on a traditional installer. It uses the scripting tools built into Windows (WScript and ActiveXObject) to interact directly with the OS. This lets it run quietly in memory and poll the clipboard every 500 milliseconds, looking for private cryptocurrency keys and 12- or 24-word backup seed phrases.

As soon as a user copies a crypto wallet address, the clipper replaces it with an attacker-controlled address. Researchers noted that the swapping logic targets specific wallet formats and picks a look-alike replacement for each:

  • Monero (starts with 4 or 8): replaced with a single fixed address.
  • Tron (starts with T): replaced with an address whose first two characters match.
  • Bitcoin Taproot (starts with bc1p) and Bech32 (starts with bc1q): replaced with an address whose last character matches.
  • Bitcoin Legacy (starts with 1) and P2SH (starts with 3): replaced with an address whose first two characters match.

The program also takes five screenshots, ten seconds apart, to let the hackers view the victim’s wallet balances.
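The look-alike rules above are what make a swapped address survive a casual glance. The following defensive check, added here as an illustration and not taken from Microsoft's report, classifies an address by the prefixes the article lists and flags a paste that differs from what was copied while still satisfying the described matching rule. The address length ranges and the sample addresses are constructed assumptions for the example.

```python
import re

# Format name, prefix/length pattern, and the look-alike rule the article
# attributes to the clipper. Lengths are assumed for this example.
FORMATS = [
    ("monero",          re.compile(r"^[48][0-9A-Za-z]{94}$"),             "fixed"),
    ("tron",            re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),       "first2"),
    ("bitcoin_taproot", re.compile(r"^bc1p[02-9ac-hj-np-z]{58}$"),        "last1"),
    ("bitcoin_bech32",  re.compile(r"^bc1q[02-9ac-hj-np-z]{38,58}$"),     "last1"),
    ("bitcoin_legacy",  re.compile(r"^1[1-9A-HJ-NP-Za-km-z]{25,34}$"),    "first2"),
    ("bitcoin_p2sh",    re.compile(r"^3[1-9A-HJ-NP-Za-km-z]{25,34}$"),    "first2"),
]


def classify(addr):
    """Return (format_name, swap_rule) for a known address format, else (None, None)."""
    for name, pattern, rule in FORMATS:
        if pattern.match(addr):
            return name, rule
    return None, None


def matches_swap_rule(original, replacement, rule):
    """True if `replacement` is the kind of look-alike the clipper would choose."""
    if rule == "fixed":                      # Monero: any fixed attacker address
        return True
    if rule == "first2":                     # Tron, Legacy, P2SH
        return replacement[:2] == original[:2]
    if rule == "last1":                      # Taproot, Bech32
        return replacement[-1] == original[-1]
    return False


def check_paste(copied, pasted):
    """Compare the address the user copied with the one that was actually pasted."""
    if copied == pasted:
        return "ok"
    fmt_copied, rule = classify(copied)
    fmt_pasted, _ = classify(pasted)
    if fmt_copied is None or fmt_pasted is None:
        return "changed"
    if fmt_copied == fmt_pasted and matches_swap_rule(copied, pasted, rule):
        return "suspected-clipper-swap"      # same format, look-alike replacement
    return "changed"


# Constructed sample addresses (not real wallets).
TRON_COPIED = "TABCDEFGHJKLMNPQRSTUVWXYZabcdefghj"
TRON_SWAPPED = "TA" + "z" * 32               # first two characters preserved
BECH32_COPIED = "bc1q" + "a" * 37 + "z"
BECH32_SWAPPED = "bc1q" + "x" * 37 + "z"     # last character preserved
MONERO_COPIED = "4" + "A" * 94
```

Wiring `check_paste` to a paste handler and refusing any result other than "ok" is the programmatic form of the "double-check wallet addresses" advice at the end of the article.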

Attack flow (Source: Microsoft)

How it Avoids Detection

The clipper shuts itself down if Task Manager (taskmgr.exe) is running, to avoid being noticed. It bundles a Tor client (ugate.exe) for network communication and routes its traffic through that client on the local address 127.0.0.1, port 9050, which hides the traffic’s final destination. The curl utility is used to send data to a .onion site.

“The bundled Tor client is central to the operation. By routing communication over localhost:9050 and resolving “.onion” destination domains inside Tor, the malware reduces DNS visibility, obscures the final C2 destination, and complicates destination-based blocking. This design gives the operator anonymity benefits while keeping the malware compact and self-contained,” researchers explained in the blog post.

It is also worth noting that the data is sent via three specific endpoints: /route.php to get commands, /recvf.php to upload screenshots, and /stub.php to download files. An EVAL command from the server runs new code hidden in a local file named cfile, granting attackers permanent remote control.

To protect systems, Microsoft advises disabling AutoPlay for removable media, blocking .lnk execution from USBs, and double-checking wallet addresses before transactions.
