
Posted 20/06/2026
Written by Yepi Muhamad
Microsoft Threat Intelligence and Microsoft Defender Experts have reported a Windows-based crypto clipper malware campaign that has been targeting users since February 2026. The malware is particularly dangerous because it can steal clipboard data, capture seed phrases and private keys, take screenshots, and replace cryptocurrency wallet addresses copied by users.
The threat is detected by Microsoft Defender Antivirus as Trojan:Win32/CryptoBandits.A. For crypto users, this type of malware poses a significant risk, as it can redirect funds to attacker-controlled wallets if users fail to verify wallet addresses before confirming transactions.
According to Microsoft, the malware spreads through malicious shortcut files with the .lnk extension, primarily via USB storage devices. These files are designed to appear as ordinary documents, making users unaware that they are executing a malicious payload.
Once opened, the malware deploys worm and stealer components on the Windows system. The worm component spreads further by hiding legitimate files found on the device and creating shortcuts in their place, so that users see only shortcuts bearing familiar file names while the originals remain hidden.
Microsoft also noted that the malware can create scheduled tasks to maintain persistence. This means the malware can continue operating and stealing data even after the device is restarted.
Technically, the malware does not rely on traditional installers or command-and-control (C2) servers with publicly exposed IP addresses. Instead, it launches a bundled Tor proxy and routes communications through a local SOCKS5 proxy.
According to Microsoft, the clipper uses Windows Script Host and ActiveX to execute its attack logic. It also launches a renamed Tor binary called ugate.exe, which connects to a hidden-service-based C2 server.
This approach makes the malware significantly harder to track because its communications do not point directly to conventional infrastructure. By leveraging the Tor network, attackers can conceal server locations while maintaining control over infected devices.
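The persistence and local-proxy behaviours described above (scheduled tasks, a renamed Tor binary, a SOCKS5 listener on loopback) each leave something a defender can look for on the host. The following triage script is an added example written for this article, not code from Microsoft or from the report. The process name ugate.exe comes from the article; the list of user-writable folders, the check on the executable's OriginalFilename version resource, and the mention of Tor's default port 9050 are assumptions made for illustration, not published indicators.

```powershell
# Added example (not from the article or the Microsoft report): triage checks for the
# persistence and local-proxy behaviours described above. Run in an elevated session
# on the machine being examined. Folder list, OriginalFilename check and the Tor
# default port are assumptions for illustration, not published indicators.

$suspectNames = @('ugate.exe')                                   # renamed Tor binary named in the article
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, "$env:USERPROFILE\Downloads") |
    Where-Object { $_ }
$scriptHosts  = '(^|\\)(wscript|cscript|mshta|powershell|cmd)\.exe$'

function Test-UserWritablePath {
    param([string]$Path)
    if (-not $Path) { return $false }
    $p = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    foreach ($dir in $userWritable) {
        if ($p.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Scheduled tasks that run from a user-writable folder, directly or through a script host
#    (the article notes the clipper uses Windows Script Host).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe       = [Environment]::ExpandEnvironmentVariables([string]$action.Execute)
        $arguments = [string]$action.Arguments
        $argsInUserDir = $userWritable | Where-Object { $arguments -like "*$_*" }
        if ((Test-UserWritablePath $exe) -or ($exe -match $scriptHosts -and $argsInUserDir)) {
            [pscustomobject]@{ Check = 'ScheduledTask'; Task = "$($task.TaskPath)$($task.TaskName)"
                               Execute = $exe; Arguments = $arguments }
        }
    }
}

# 2. Running processes that look like a renamed Tor client: either the name from the article
#    or a binary whose version resource still says tor.exe (assumption: the bundle keeps it).
$suspectPids = [System.Collections.Generic.List[int]]::new()
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
    $proc = $_
    try { $vi = (Get-Item -LiteralPath $proc.Path -ErrorAction Stop).VersionInfo } catch { return }
    $renamedTor = ($vi.OriginalFilename -eq 'tor.exe') -and ($proc.ProcessName -ne 'tor')
    if (($suspectNames -contains "$($proc.ProcessName).exe") -or $renamedTor) {
        $suspectPids.Add($proc.Id)
        [pscustomobject]@{ Check = 'Process'; PID = $proc.Id; Name = $proc.ProcessName
                           Path = $proc.Path; OriginalFilename = $vi.OriginalFilename }
    }
}

# 3. Loopback listeners owned by those processes: a bundled Tor exposes its SOCKS5 port on
#    127.0.0.1 (9050 by default, but any port can be configured, so match on the owner).
if ($suspectPids.Count -gt 0) {
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { ($_.LocalAddress -in @('127.0.0.1', '::1')) -and ($suspectPids -contains $_.OwningProcess) } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'LoopbackListener'; PID = $_.OwningProcess
                               Address = $_.LocalAddress; Port = $_.LocalPort }
        }
}
```

Each check emits objects rather than text so the output can be piped to Export-Csv or compared across hosts. A hit on the scheduled-task check alone is only a lead (many legitimate installers also run from %LOCALAPPDATA%); a process with a Tor version resource under an unfamiliar name that also owns a loopback listener is the combination worth escalating.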
Additionally, the malware continuously monitors the clipboard. Microsoft reported that it scans clipboard contents approximately every 500 milliseconds, searching for high-value data such as seed phrases, private keys, and cryptocurrency wallet addresses.
The primary danger posed by crypto clipper malware is transaction hijacking. When users copy a wallet address to send funds, the malware can replace the address with one controlled by the attacker before it is pasted into a wallet or exchange.
This threat is especially severe because crypto wallet addresses are long and difficult to verify manually. Users who only check the first or last few characters may fail to notice a malicious replacement address designed to look similar to the intended destination.
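A practical way to catch the replacement pattern described above is to watch the clipboard yourself and flag when an address is overwritten by a different address of the same kind far faster than a person could copy twice. The watcher below is an added example written for this article, not code from Microsoft or the article's author. The address patterns (Bitcoin legacy and bech32, Ethereum-style) are standard formats; the 1500 ms window is an assumed threshold derived from the ~500 ms polling interval reported above; the two sample addresses in the self-check are constructed strings, not real wallets. It relies on Get-Clipboard, so it runs on Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example (not from the article or Microsoft): a clipboard watcher that flags
# an address being replaced by a different address of the same type within a short
# window. Window and sample values are assumptions for illustration.

$AddressPatterns = [ordered]@{
    'btc-legacy' = '^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$'   # base58, no 0 O I l
    'btc-bech32' = '^bc1[ac-hj-np-z02-9]{11,71}$'       # bech32 charset
    'eth'        = '^0x[0-9a-fA-F]{40}$'
}

function Get-AddressKind {
    param([string]$Text)
    if (-not $Text) { return $null }
    $t = $Text.Trim()
    foreach ($kind in $AddressPatterns.Keys) {
        if ($t -cmatch $AddressPatterns[$kind]) { return $kind }   # case-sensitive on purpose
    }
    return $null
}

# Pure decision rule, kept separate from polling so it can be reasoned about and tested.
function Test-ClipboardSwap {
    param(
        [string]$Previous, [datetime]$PreviousAt,
        [string]$Current,  [datetime]$CurrentAt,
        [int]$WindowMs = 1500                         # assumed: a clipper overwrites within its poll interval
    )
    $pk = Get-AddressKind $Previous
    $ck = Get-AddressKind $Current
    if (-not $pk -or -not $ck) { return $false }     # at least one side is not an address
    if ($Previous.Trim() -eq $Current.Trim()) { return $false }
    $elapsed = ($CurrentAt - $PreviousAt).TotalMilliseconds
    return (($pk -eq $ck) -and ($elapsed -le $WindowMs))
}

function Watch-Clipboard {
    param([int]$PollMs = 250)
    $last = Get-Clipboard -Raw
    $lastAt = Get-Date
    Write-Host 'Watching clipboard (Ctrl+C to stop)...'
    while ($true) {
        Start-Sleep -Milliseconds $PollMs
        $now = Get-Clipboard -Raw
        if ($now -eq $last) { continue }
        $nowAt = Get-Date
        if (Test-ClipboardSwap -Previous $last -PreviousAt $lastAt -Current $now -CurrentAt $nowAt) {
            $ms = [int]($nowAt - $lastAt).TotalMilliseconds
            Write-Warning ("Clipboard address replaced {0} ms after copy: '{1}' -> '{2}'" -f $ms, $last, $now)
        }
        $last = $now
        $lastAt = $nowAt
    }
}

# Constructed self-check (no real clipboard involved): an overwrite 400 ms after the copy,
# versus a genuinely new copy ten seconds later.
$t0      = Get-Date
$copied  = '1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2'   # constructed sample matching the legacy pattern
$swapped = '1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN3'   # constructed lookalike, differs only in the last character
Test-ClipboardSwap -Previous $copied -PreviousAt $t0 -Current $swapped -CurrentAt $t0.AddMilliseconds(400)
Test-ClipboardSwap -Previous $copied -PreviousAt $t0 -Current $swapped -CurrentAt $t0.AddSeconds(10)
```

The first self-check call models the clipper's behaviour and is flagged; the second models a user who simply copied a second address later and is not. The lookalike differs only in its final character, which is exactly the case a user who glances at the first and last few characters can miss, so the watcher compares whole strings. Run `Watch-Clipboard` in a console while preparing a transaction; the rule is a heuristic, so treat a warning as a reason to stop and re-verify the address from its original source, not as proof of infection.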
Beyond replacing wallet addresses, the malware can also steal 12-word or 24-word seed phrases and private keys. If attackers obtain this information, they may gain complete control over the wallet and drain assets without requiring any additional approval from the victim.
The malware is also capable of capturing screenshots, giving attackers valuable context about the victim's activities, including open wallet applications, exchange accounts, and other sensitive information displayed on the screen.
This incident serves as a reminder that crypto security depends not only on blockchains and smart contracts, but also on the security of the devices users rely on. Non-custodial wallets provide full ownership of assets, but they also increase responsibility if seed phrases, private keys, or devices become compromised.
To reduce risk, users should avoid opening files from unknown USB devices, always verify wallet addresses before sending funds, and use clean, trusted devices for high-value transactions. Seed phrases should never be stored digitally, including in clipboard history, computer notes, screenshots, or document files.
Additional mitigation measures include keeping operating systems and antivirus software up to date, disabling AutoRun and AutoPlay for removable media, and performing a full security scan if suspicious USB files have been opened. Organizations may also consider restricting the execution of .lnk files from removable drives as an added layer of protection.
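The removable-media mitigations above can be applied and checked from an elevated PowerShell session. The script below is an added example written for this article, not Microsoft's guidance or the article's own code. The two registry values are the documented Explorer policies behind "Turn off Autoplay" and "Set the default behavior for AutoRun"; the shortcut-triage rules (script-host targets, very long arguments, a hidden original next to a shortcut of the same name) are assumptions built from the worm behaviour described in the article. Enforcing a block on .lnk execution from removable drives, as the article suggests, is an AppLocker or WDAC policy task and is not shown here.

```powershell
# Added example (not from the article or Microsoft): apply the AutoRun/AutoPlay
# hardening and triage shortcut files on attached removable drives. Requires an
# elevated session for the policy keys. Triage heuristics are assumptions.

# 1. Disable AutoRun/AutoPlay for all drive types and ignore autorun.inf entirely.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF   # bitmask: every drive type
Set-ItemProperty -Path $policy -Name 'NoAutorun'          -Type DWord -Value 1      # do not run autorun commands

# 2. Enumerate removable drives (Win32_LogicalDisk DriveType 2) and review every .lnk on them.
$removable   = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | Select-Object -ExpandProperty DeviceID
$shell       = New-Object -ComObject WScript.Shell
$scriptHosts = '(^|\\)(wscript|cscript|mshta|powershell|pwsh|cmd|rundll32|regsvr32)\.exe$'

function Get-SuspiciousShortcut {
    param([string]$Root)
    Get-ChildItem -Path $Root -Filter '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk       = $shell.CreateShortcut($_.FullName)
        $target    = [Environment]::ExpandEnvironmentVariables([string]$lnk.TargetPath)
        $arguments = [string]$lnk.Arguments
        $reasons   = @()
        if ($target -match $scriptHosts) { $reasons += 'target is a script or LOLBin host' }
        if ($arguments.Length -gt 200)   { $reasons += 'very long arguments (payload likely inline)' }
        # Worm pattern from the report: a shortcut standing in for a file that has been hidden,
        # e.g. report.docx.lnk next to a hidden report.docx.
        $sibling = Join-Path $_.DirectoryName $_.BaseName
        if (Test-Path -LiteralPath $sibling) {
            $attrs = (Get-Item -LiteralPath $sibling -Force).Attributes
            if ($attrs -band [IO.FileAttributes]::Hidden) {
                $reasons += "hidden original '$($_.BaseName)' next to the shortcut"
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Shortcut = $_.FullName; Target = $target
                               Arguments = $arguments; Reasons = ($reasons -join '; ') }
        }
    }
}

foreach ($drive in $removable) { Get-SuspiciousShortcut -Root "$drive\" }
```

The triage only reads shortcut metadata through the WScript.Shell COM object; it never launches a target. A shortcut whose target is wscript.exe or cmd.exe with a long argument string, sitting beside a hidden file of the same base name, matches the worm behaviour described above closely enough to justify isolating the drive and running a full scan before any file on it is opened.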
Microsoft's discovery of Trojan:Win32/CryptoBandits.A highlights how threats targeting crypto users continue to evolve beyond traditional phishing attacks into more sophisticated and stealthy malware campaigns. By leveraging USB devices, malicious shortcuts, Tor, and clipboard hijacking techniques, this malware can steal sensitive information and redirect transactions without victims noticing.
For crypto users, simple habits such as double-checking wallet addresses, maintaining a clean device environment, and avoiding unknown files from external media remain critical defenses against asset-draining attacks. In the crypto ecosystem, personal device security remains the first line of defense before any transaction reaches the blockchain.