© 2026 Coindeskk News Network. All Rights Reserved.

Microsoft warns crypto clipper now acts like backdoor

Crypto
Last updated: June 19, 2026 12:08 am
Published: June 19, 2026

Microsoft Threat Intelligence has warned of a Windows-based crypto clipper campaign that has affected users since February 2026.

Summary
  • Microsoft says CryptoBandits uses Tor-routed communication, wallet replacement, screenshots, and remote code execution on Windows.
  • The malware spreads through malicious shortcut files and creates more infected shortcuts from legitimate files.
  • Security teams should hunt linked behaviors, not isolated alerts, to catch this attack chain early.

In a Microsoft blog, researchers said the malware steals clipboard data, replaces wallet addresses, and searches for valuable crypto information. The company said Microsoft Defender Antivirus detects the threat as Trojan:Win32/CryptoBandits.A. In an X post, Microsoft said the campaign combines clipboard theft, wallet address replacement, worm-like behavior, and Tor-based communication.

Malware spreads through shortcut files

Microsoft said the attack starts with malicious .lnk shortcut files. These files can arrive through USB storage devices and launch a worm component on infected Windows systems. Once active, the malware creates more malicious shortcuts from legitimate files found on the device.

"Since February 2026, Microsoft Defender Experts have tracked a cryptocurrency clipper campaign that combines clipboard theft, wallet address replacement, worm-like functionality, and Tor-based communications, enabling both financial gain and continued access to devices.…" — Microsoft Threat Intelligence (@MsftSecIntel), June 17, 2026

The worm also sets up scheduled tasks for persistence. This allows the malware to keep running after restart and gives attackers a longer window to monitor the device. Microsoft said the threat uses script-based tools rather than a large installer, making simple file-based detection harder.

Tor hides command traffic

The clipper deploys a portable Tor client and routes traffic through a local SOCKS5 proxy. Microsoft said the malware uses localhost:9050 and .onion command-and-control domains to reduce normal DNS visibility and make blocking harder.

The malware checks the clipboard about every 500 milliseconds. It looks for seed phrases, private keys, and crypto wallet addresses. If it finds a wallet address, it can replace it with an attacker-controlled address. If it finds a seed phrase or private key, it can send the data through Tor.

Backdoor features raise risk

Microsoft said the campaign goes beyond basic wallet address switching. The malware can upload screenshots, contact a hidden command server, and run attacker-supplied code through an EVAL command. That turns a crypto stealer into a lightweight backdoor.

The company said, “defenders should hunt for correlated behaviors rather than investigate isolated events.” It advised teams to watch for script engines launching curl, cmd.exe, PowerShell, or unexpected files, especially when paired with localhost:9050 traffic.

Crypto users remain frequent targets

As crypto.news reported earlier, StilachiRAT also targeted crypto wallets and monitored clipboard activity. That Microsoft-linked warning covered malware that could scan browser wallets and extract stored data. According to an earlier crypto.news report, SparkCat malware used image scanning to search for wallet seed phrases in screenshots. crypto.news previously reported that Binance warned about clipper malware that replaced copied wallet addresses with attacker-controlled ones.

The new Microsoft report shows that clipper malware is becoming more layered. It no longer only waits for users to copy a wallet address. It can spread, hide traffic through Tor, steal wallet data, capture screens, and keep access to the system.
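
The correlated hunt Microsoft advises above, as an added example (not code from Microsoft or from this article): a host is flagged only when a script engine launches curl, cmd.exe or PowerShell and loopback traffic to port 9050 appears on the same host within a short window. The event schema, the script-host names and the 10-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumption: standard Windows script hosts; the page names no binaries.
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe"}
SUSPECT_CHILDREN = {"curl.exe", "cmd.exe", "powershell.exe"}  # from the page
LOOPBACK = {"127.0.0.1", "::1"}
TOR_SOCKS_PORT = 9050            # localhost:9050, per the page
WINDOW = timedelta(minutes=10)   # assumption: tune to your telemetry

# Constructed events in a hypothetical, simplified EDR schema (not real logs).
EVENTS = [
    {"ts": "2026-06-18T09:00:05", "host": "WS-01", "type": "proc",
     "parent": "wscript.exe", "image": "curl.exe"},
    {"ts": "2026-06-18T09:00:07", "host": "WS-01", "type": "net",
     "image": "curl.exe", "dst_ip": "127.0.0.1", "dst_port": 9050},
    # Isolated: loopback SOCKS traffic, but no script-engine spawn.
    {"ts": "2026-06-18T09:10:00", "host": "WS-02", "type": "net",
     "image": "firefox.exe", "dst_ip": "127.0.0.1", "dst_port": 9050},
    # Isolated: script host runs cmd.exe (e.g. a logon script), no SOCKS traffic.
    {"ts": "2026-06-18T08:00:00", "host": "WS-03", "type": "proc",
     "parent": "cscript.exe", "image": "cmd.exe"},
    # Both behaviours on one host, but four hours apart.
    {"ts": "2026-06-18T07:00:00", "host": "WS-04", "type": "proc",
     "parent": "wscript.exe", "image": "powershell.exe"},
    {"ts": "2026-06-18T11:00:00", "host": "WS-04", "type": "net",
     "image": "powershell.exe", "dst_ip": "127.0.0.1", "dst_port": 9050},
]

def _ts(ev):
    return datetime.fromisoformat(ev["ts"])

def is_script_spawn(ev):
    return (ev["type"] == "proc" and ev["parent"].lower() in SCRIPT_ENGINES
            and ev["image"].lower() in SUSPECT_CHILDREN)

def is_tor_socks(ev):
    return (ev["type"] == "net" and ev["dst_ip"] in LOOPBACK
            and ev["dst_port"] == TOR_SOCKS_PORT)

def hunt(events, window=WINDOW):
    """Return (host, child, spawn_ts, net_ts) for co-occurring behaviours."""
    spawns = [e for e in events if is_script_spawn(e)]
    socks = [e for e in events if is_tor_socks(e)]
    return sorted({(s["host"], s["image"], s["ts"], n["ts"])
                   for s in spawns for n in socks
                   if s["host"] == n["host"] and abs(_ts(n) - _ts(s)) <= window})

if __name__ == "__main__":
    print(hunt(EVENTS))
```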
