Overview
- Microsoft published technical details and indicators this week about a malware family it calls Trojan:Win32/CryptoBandits that has been active since February 2026.
- The campaign spreads through malicious .lnk shortcut files on USB drives that hide real documents and create look‑alike shortcuts to install a self‑propagating worm.
- Once installed, the malware checks the clipboard about every 500 milliseconds for seed phrases, private keys and wallet addresses and can replace copied addresses with attacker‑controlled ones.
- The threat bundles a portable Tor client, opens a local SOCKS5 proxy on localhost:9050 to reach .onion C2 servers, exfiltrates screenshots and supports remote code execution via an EVAL command.
- Microsoft and exchanges circulated IOCs and advised defenses such as disabling AutoRun, blocking .lnk execution from removable media, restricting wscript/cscript, using hardware wallets and hunting for behavior signals rather than relying on signatures.
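The behavior-hunting advice above can be turned into a small triage script. The following is an added example, not code from Microsoft or from the report: it runs three behavior rules over constructed Sysmon-style events (a look-alike `.lnk` appearing beside a document on a removable drive, `wscript`/`cscript` launched with a script on that drive, and any process connecting to the local SOCKS proxy port 9050 named in the report). The event schema, hostnames, drive letters and file paths are assumptions made for the illustration; map the field names to whatever your EDR or Sysmon pipeline emits.

```python
"""Behavior-based triage for the signals described in the write-up.

All events below are constructed for illustration. The field names loosely
follow Sysmon process-creation / network-connection / file-create events,
but that mapping is an assumption, not the report's schema.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOCAL_SOCKS = ("127.0.0.1", 9050)          # local Tor SOCKS5 port from the report
DRIVE_RE = re.compile(r"\b([A-Za-z]:)\\")  # drive letters referenced in a command line


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def drive_of(path: str) -> str:
    """Drive prefix of a Windows path, upper-cased ('E:'), or '' if none."""
    drive, _ = ntpath.splitdrive(path)
    return drive.upper()


def triage(events, removable_drives):
    """Return Findings for the behaviors the report recommends hunting for."""
    removable = {d.upper().rstrip("\\") for d in removable_drives}
    findings = []
    files_by_drive = defaultdict(set)   # (host, drive) -> set of paths seen

    for ev in events:
        if ev["kind"] == "process":
            image = ntpath.basename(ev["image"]).lower()
            cmd = ev.get("command_line", "")
            # Script host whose command line points at a script on a removable drive,
            # the execution chain a malicious USB shortcut would produce.
            if image in SCRIPT_HOSTS and any(
                d.upper() in removable for d in DRIVE_RE.findall(cmd)
            ):
                findings.append(Finding("script_host_from_removable", ev["host"], cmd))
        elif ev["kind"] == "network":
            # Any process talking to the local SOCKS5 port; a sanctioned Tor Browser
            # install is the one benign exception to allow-list per environment.
            if (ev["dest_ip"], ev["dest_port"]) == LOCAL_SOCKS:
                findings.append(Finding("local_socks_9050", ev["host"], ev["image"]))
        elif ev["kind"] == "file":
            path = ev["path"]
            if drive_of(path) in removable:
                files_by_drive[(ev["host"], drive_of(path))].add(path)

    # Look-alike shortcut: a .lnk whose stem matches another file on the same drive.
    for (host, drive), paths in files_by_drive.items():
        exts_by_stem = defaultdict(set)
        for p in paths:
            stem, ext = ntpath.splitext(ntpath.basename(p))
            exts_by_stem[stem.lower()].add(ext.lower())
        for stem, exts in exts_by_stem.items():
            if ".lnk" in exts and len(exts) > 1:
                shadowed = sorted(exts - {".lnk"})
                findings.append(Finding(
                    "lookalike_shortcut", host, f"{drive}\\{stem}.lnk shadows {shadowed}"))
    return findings


# Constructed sample telemetry (hosts, paths and drive letters are made up).
SAMPLE_EVENTS = [
    {"kind": "file", "host": "ws01", "path": r"E:\Q1 report.docx"},
    {"kind": "file", "host": "ws01", "path": r"E:\Q1 report.lnk"},
    {"kind": "file", "host": "ws01", "path": r"E:\.sys\loader.vbs"},
    {"kind": "process", "host": "ws01", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe //B "E:\.sys\loader.vbs"'},
    {"kind": "network", "host": "ws01", "image": r"C:\Users\a\AppData\Roaming\svc\svc.exe",
     "dest_ip": "127.0.0.1", "dest_port": 9050},
    # Benign noise on a second host: admin script from the system drive, normal HTTPS.
    {"kind": "process", "host": "ws02", "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript.exe C:\scripts\inventory.vbs"},
    {"kind": "network", "host": "ws02", "image": r"C:\Program Files\App\app.exe",
     "dest_ip": "10.0.0.5", "dest_port": 443},
]


def hosts_with_findings(events, removable_drives=("E:",)):
    """Map each host to the sorted set of rule names it triggered."""
    out = defaultdict(set)
    for f in triage(events, removable_drives):
        out[f.host].add(f.rule)
    return {h: sorted(r) for h, r in out.items()}


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, ("E:",)):
        print(f"{f.host}: {f.rule}: {f.detail}")
```

The three rules are deliberately independent so that a single hit is a lead and a host that trips two or more (as `ws01` does here) is escalated; none of them depends on a file hash, which is the point of hunting on behavior rather than on the circulated signatures.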