Overview
- Microsoft disclosed this week that it has tracked a Windows crypto-clipper campaign since February 2026. The malware spreads through malicious .lnk shortcut files planted on USB drives and installs a worm component for persistence.
- The malware bundles a portable Tor client and routes its C2 traffic through a SOCKS5 proxy on localhost:9050 to reach .onion servers. Because .onion names are resolved inside the Tor network, defenders see no DNS lookup for the C2 and no direct connection to its IP address; on the host, only the loopback traffic to the SOCKS port is visible.
- The stealer polls the clipboard roughly every 500 milliseconds and scans it for 12‑ and 24‑word BIP39 seed phrases, private keys, and a wide range of wallet address formats. Harvested secrets are sent to the operators, and any copied wallet address is silently swapped for an attacker-controlled one so that the victim's next transaction pays the attacker.
- Beyond clipboard theft, it takes frequent screenshots and sends them over Tor, and it supports an EVAL-style C2 command that lets operators run arbitrary JavaScript on the victim's machine, which gives it lightweight backdoor capabilities.
- Microsoft detects the campaign as Trojan:Win32/CryptoBandits.A. It urges defenders to hunt for behavioral signs such as WScript or CScript spawning unexpected child processes, connections to the Tor SOCKS proxy on localhost:9050, and screen-capture commands, and to block LNK execution from removable media and disable AutoRun.
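The two points above that a defender can act on are what the clipper looks for in the clipboard and the behavioral signals Microsoft recommends hunting for. The following is an added example written for this summary, not Microsoft's code, the malware's code, or a Defender query: it classifies clipboard-style text into the secret and address formats a clipper targets (the seed-phrase check is a structural heuristic only; a real check would validate every word against the 2048-word BIP39 list and the checksum), and it runs the recommended hunt over a handful of constructed process and network events. The event field names, the sample records, and the allowlists are assumptions for the example, not any product's schema.

```python
"""
Added example (not Microsoft's or the malware's code).
 1. classify_clipboard_text(): the clipboard content a crypto-clipper watches for.
 2. hunt(): the behavioral hunt described in the write-up, run over constructed
    telemetry records. Field names and allowlists are assumptions for this example.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Public address / key format rules, expressed as anchored regexes.
PATTERNS = {
    "btc-bech32":  re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),        # SegWit, bech32 charset
    "btc-base58":  re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),    # P2PKH / P2SH
    "btc-wif-key": re.compile(r"^[5KL][1-9A-HJ-NP-Za-km-z]{50,51}$"),   # WIF private key
    "evm-address": re.compile(r"^0x[0-9a-fA-F]{40}$"),                  # Ethereum-style address
    "evm-privkey": re.compile(r"^(0x)?[0-9a-fA-F]{64}$"),               # raw 32-byte hex key
}
# BIP39 words are 3-8 lowercase letters; heuristic only (no wordlist or checksum check).
BIP39_WORD = re.compile(r"^[a-z]{3,8}$")


def classify_clipboard_text(text: str) -> Optional[str]:
    """Return the kind of wallet secret/address the text looks like, or None."""
    s = text.strip()
    words = s.split()
    if len(words) in (12, 24) and all(BIP39_WORD.match(w) for w in words):
        return f"bip39-{len(words)}"
    for kind, rx in PATTERNS.items():
        if rx.match(s):
            return kind
    return None


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
EXPECTED_SCRIPT_CHILDREN = {"conhost.exe"}   # assumed baseline; tune per environment
TOR_SOCKS_PORT = 9050


def hunt(events: Iterable[dict],
         sanctioned_tor_users: frozenset = frozenset()) -> List[Tuple[str, str, str]]:
    """Flag script hosts spawning unexpected children and loopback SOCKS traffic to 9050.

    sanctioned_tor_users: process names allowed to talk to 127.0.0.1:9050
    (e.g. an approved Tor client); empty by default so every hit is reviewed.
    """
    findings = []
    for e in events:
        if e["type"] == "process":
            parent, child = e["parent"].lower(), e["image"].lower()
            if parent in SCRIPT_HOSTS and child not in EXPECTED_SCRIPT_CHILDREN:
                findings.append((e["host"], "script-host-spawn", f"{parent} -> {child}"))
        elif e["type"] == "network":
            image = e["image"].lower()
            if (e["remote_ip"] == "127.0.0.1" and e["remote_port"] == TOR_SOCKS_PORT
                    and image not in sanctioned_tor_users):
                findings.append((e["host"], "loopback-socks-9050", image))
    return findings


# Constructed sample telemetry (not real logs); 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent": "explorer.exe", "image": "wscript.exe"},
    {"type": "process", "host": "ws01", "parent": "wscript.exe", "image": "powershell.exe"},
    {"type": "process", "host": "ws01", "parent": "wscript.exe", "image": "conhost.exe"},
    {"type": "network", "host": "ws01", "image": "wscript.exe",
     "remote_ip": "127.0.0.1", "remote_port": 9050},
    {"type": "network", "host": "ws02", "image": "chrome.exe",
     "remote_ip": "203.0.113.10", "remote_port": 443},
]

if __name__ == "__main__":
    for sample in ("bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq",
                   "abandon ability able about above absent absorb abstract absurd abuse access accident",
                   "meeting notes for Tuesday"):
        print(f"{sample[:40]!r:45} -> {classify_clipboard_text(sample)}")
    for host, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {detail}")
```

The hunt deliberately allowlists rather than blocklists: any child of a script host that is not on the expected list and any process talking to the loopback SOCKS port is surfaced, and environments that legitimately run Tor add those process names to `sanctioned_tor_users` instead of suppressing the rule.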