Microsoft has uncovered a sophisticated, cryptocurrency-stealing malware campaign that has been actively targeting Windows users since February 2026. Distributed through infected USB drives and malicious shortcut files, the malware allows attackers to steal wallet data, take screenshots, and replace copied crypto wallet addresses with their own.
According to Microsoft threat intelligence researchers, the operation relies on the Tor network to obfuscate its communications and maintain persistent control over compromised devices. By blending clipboard theft, wallet address replacement, and worm-like propagation, the malware is exceptionally difficult to detect. Microsoft has urged security teams to focus on suspicious behavior rather than relying solely on known indicators of compromise.
Malware turns devices into crypto traps
In a blog post, Microsoft said the malware, tracked by Defender Antivirus as CryptoBandits, uses built-in Windows tools like Windows Script to operate in the background. It routes its command-and-control communications through the Tor network to help conceal its activity. Once installed, it continuously monitors a user’s clipboard for sensitive crypto-related information, including wallet addresses, private keys and recovery phrases.
The malware can also capture screenshots and send stolen data to attackers through Tor. In addition, it can receive remote commands, giving hackers ongoing access to infected devices.
According to Microsoft, the attack often begins with malicious shortcut files distributed through infected USB drives. The malware hides the drive's legitimate documents and replaces them with fake shortcuts carrying the same names, increasing the chances that users will unknowingly launch it.
Endpoint attacks continue to evolve
Microsoft advised security teams to watch for unusual script activity, unexpected clipboard changes and traffic linked to the Tor network, which the malware uses to communicate with attackers. The company also urged users to pay attention to unexplained screen-capture activity and other signs that a device may have been compromised.
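As an added illustration (not code from Microsoft's post or from this article), the three behaviours listed above turned into simple detection logic over constructed endpoint telemetry; the wallet-address patterns, the Tor port list and the script-host process names are assumptions for the example:

```python
import re
from dataclasses import dataclass

# Simplified address patterns for two common wallet formats (assumed for
# illustration; a production detector would cover more chains and formats).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
TOR_PORTS = {9001, 9030, 9050, 9150}          # assumed default Tor ports
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}

@dataclass
class ClipEvent:
    ts: float        # seconds since boot
    process: str     # process that wrote the clipboard
    text: str

def address_kind(text):
    """Return 'btc', 'eth' or None for a clipboard string."""
    for kind, pat in ADDRESS_PATTERNS.items():
        if pat.match(text.strip()):
            return kind
    return None

def find_clipboard_swaps(events, window=2.0):
    """Flag a wallet address replaced by another address of the same kind,
    by a different process, within `window` seconds: the clipper signature."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        k_prev, k_cur = address_kind(prev.text), address_kind(cur.text)
        if (k_prev and k_prev == k_cur and prev.text != cur.text
                and cur.process != prev.process and cur.ts - prev.ts <= window):
            alerts.append((cur.ts, cur.process, prev.text, cur.text))
    return alerts

def find_script_host_tor(connections):
    """Flag script hosts opening connections to Tor ports.
    `connections` is an iterable of (process, remote_port) tuples."""
    return [(p, port) for p, port in connections
            if p.lower() in SCRIPT_HOSTS and port in TOR_PORTS]

# Constructed sample telemetry: one genuine swap, one later legitimate copy.
SAMPLE_CLIPBOARD = [
    ClipEvent(100.0, "explorer.exe", "hello"),
    ClipEvent(105.0, "chrome.exe", "0x" + "ab" * 20),
    ClipEvent(105.4, "wscript.exe", "0x" + "cd" * 20),   # swapped 0.4 s later
    ClipEvent(130.0, "chrome.exe", "0x" + "ab" * 20),
    ClipEvent(190.0, "chrome.exe", "0x" + "ef" * 20),    # user copied a new one
]
SAMPLE_CONNECTIONS = [("chrome.exe", 443), ("wscript.exe", 9050), ("svchost.exe", 53)]
```

Real telemetry would come from an EDR clipboard sensor and network flow logs; the logic itself is the point, not the constructed samples.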
The warning comes as cybercriminals target users’ devices rather than blockchain networks themselves. Laptops, web browsers and software development environments have become attractive entry points for attackers seeking access to digital assets.
Recent malware campaigns have followed a similar playbook. TrapDoor targeted cryptocurrency and AI developers, while StilachiRAT focused on browser-based wallets and clipboard monitoring. SparkCat, meanwhile, searched screenshots for crypto recovery phrases. Binance has also warned users about clipper malware that replaces copied wallet addresses with those controlled by attackers.
Users should verify the destination wallet address before initiating a transaction, avoid plugging in unfamiliar USB devices, and keep their security software up to date. As per Microsoft, “suspicious activity monitoring” is considered one of the best ways to identify such threats before incurring any monetary damage.