Microsoft has issued a warning about a Windows-targeted malware known as CryptoBandits. This malicious software functions as a cryptocurrency clipper while also opening a backdoor for data theft and remote code execution (RCE).
How CryptoBandits Operates
Active since February 2026, CryptoBandits infiltrates systems by deploying a portable Tor client. This client routes traffic via a local SOCKS5 proxy, facilitating communication with a hidden command-and-control (C&C) server. The malware uses Windows Script Host and ActiveX-driven mechanisms to execute its tasks.
CryptoBandits is designed for clipboard hijacking, silently replacing copied cryptocurrency wallet addresses with attacker-controlled ones so that funds are sent to the attacker instead of the intended recipient. It also performs screenshot exfiltration and steals sensitive wallet data. This makes it a significant threat to users holding digital currencies.
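The clipper behaviour described above can be spotted from the defender's side by watching the clipboard itself: a clipper overwrites a freshly copied wallet address with a different address of the same format within a fraction of a second, which a human user almost never does. The following Python snippet is an added illustration, not code from Microsoft's report or from the malware; the clipboard events, process names and wallet addresses are constructed, and the address regexes are loose shape checks rather than checksum validation.

```python
"""Clipboard-clipper swap detection (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Wallet-address shapes a clipper typically rewrites. Assumption: shape-only
# patterns, no checksum validation; good enough to pair "before" and "after".
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipboardEvent:
    ts: float     # seconds since the monitor started
    text: str     # clipboard contents after this write
    writer: str   # process that performed the write (hypothetical telemetry field)


def address_kind(text: str) -> Optional[str]:
    """Return the address family the text looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_clipper_swaps(events: List[ClipboardEvent], window: float = 2.0) -> List[dict]:
    """Flag a wallet address that is overwritten by a *different* address of the
    same family within `window` seconds of being copied."""
    findings = []
    ordered = sorted(events, key=lambda e: e.ts)
    for prev, cur in zip(ordered, ordered[1:]):
        kind = address_kind(prev.text)
        if kind is None or address_kind(cur.text) != kind:
            continue
        if prev.text.strip() == cur.text.strip():
            continue  # the same address re-copied is not a swap
        if cur.ts - prev.ts <= window:
            findings.append({
                "kind": kind,
                "original": prev.text.strip(),
                "replacement": cur.text.strip(),
                "writer": cur.writer,
                "delay_s": round(cur.ts - prev.ts, 3),
            })
    return findings


# Constructed clipboard timeline: two genuine copies are each rewritten by a
# script-host process within 200 ms; a re-copied bech32 address is left alone.
SAMPLE_EVENTS = [
    ClipboardEvent(0.00, "1LegitPayeeAddr" + "A" * 19, "explorer.exe"),
    ClipboardEvent(0.15, "1AttkrSwapAddr" + "B" * 19, "wscript.exe"),
    ClipboardEvent(30.0, "meeting at 3pm", "notepad.exe"),
    ClipboardEvent(45.0, "0x" + "a1" * 20, "chrome.exe"),
    ClipboardEvent(45.2, "0x" + "b2" * 20, "wscript.exe"),
    ClipboardEvent(90.0, "bc1qexamplepayee" + "q" * 20, "chrome.exe"),
    ClipboardEvent(140.0, "bc1qexamplepayee" + "q" * 20, "chrome.exe"),
]


if __name__ == "__main__":
    for hit in detect_clipper_swaps(SAMPLE_EVENTS):
        print(hit)
```

On a live Windows host the events would come from a clipboard-change listener (for example a window registered for clipboard-format notifications) rather than a static list; the pairing logic stays the same.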
Distribution and Persistence
The malware spreads through malicious shortcut (.lnk) payloads. Once installed, it deploys a worm to propagate and a clipper to steal cryptocurrency information. It scans USB devices to replicate itself by creating fake shortcuts of legitimate files. Additionally, it delivers file-based payloads that bypass Defender scanning.
To maintain its presence, CryptoBandits uses scheduled tasks and checks whether Task Manager is running as an anti-analysis measure. Together these allow it to persist on infected systems without drawing attention.
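Both of the behaviours in this section, fake shortcuts planted on removable drives and scheduled tasks used for persistence, share one detectable trait: a Windows script host (wscript.exe, cscript.exe, mshta.exe and similar) launched with a script file from a user-writable location. The Python audit below is an added example, not code from Microsoft or from the malware. The shortcut and task records are constructed stand-ins for what a real collector would read from the drive and from the Task Scheduler; the rule that a lure's original file is marked Hidden is an assumption about how such fake shortcuts are usually planted, not something the report states.

```python
"""Audit of .lnk lures and scheduled tasks that launch script hosts (added example)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
SCRIPT_FILE_RE = re.compile(r'\.(js|jse|vbs|vbe|wsf|hta|ps1)(?=\s|"|$)', re.IGNORECASE)
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class Shortcut:
    path: str        # full path of the .lnk file on the removable drive
    target: str      # program the shortcut launches
    arguments: str = ""


@dataclass
class ScheduledTask:
    name: str
    command: str     # the task action's executable
    arguments: str = ""


def is_script_host(command: str) -> bool:
    return ntpath.basename(command.strip('"')).lower() in SCRIPT_HOSTS


def audit_removable_shortcuts(shortcuts: Iterable[Shortcut], hidden_files: Set[str]) -> List[dict]:
    """Flag .lnk files that launch a script host and/or mirror the name of a
    sibling file that has been hidden (assumption: lure-style replication)."""
    hidden_lower = {h.lower() for h in hidden_files}
    findings = []
    for lnk in shortcuts:
        if not lnk.path.lower().endswith(".lnk"):
            continue
        reasons = []
        if is_script_host(lnk.target):
            reasons.append("launches a script host")
        original = lnk.path[:-4]           # "Report.docx.lnk" -> "Report.docx"
        if original.lower() in hidden_lower:
            reasons.append("mirrors a hidden original file")
        if reasons:
            findings.append({"path": lnk.path, "target": lnk.target, "reasons": reasons})
    return findings


def audit_scheduled_tasks(tasks: Iterable[ScheduledTask]) -> List[dict]:
    """Flag tasks whose action is a script host running a script file, or whose
    payload lives in a user-writable path."""
    findings = []
    for task in tasks:
        if not is_script_host(task.command):
            continue
        reasons = []
        if SCRIPT_FILE_RE.search(task.arguments):
            reasons.append("script host runs a script file")
        if any(hint in task.arguments.lower() for hint in USER_WRITABLE_HINTS):
            reasons.append("payload in a user-writable path")
        if reasons:
            findings.append({"task": task.name, "reasons": reasons})
    return findings


# Constructed inventory of a removable drive and of a workstation's tasks.
SAMPLE_SHORTCUTS = [
    Shortcut("E:\\Report.docx.lnk", "C:\\Windows\\System32\\wscript.exe",
             "//e:jscript //b E:\\.cache\\r.js Report.docx"),
    Shortcut("E:\\Vacation.jpg.lnk", "C:\\Windows\\System32\\cmd.exe",
             "/c start E:\\.cache\\v.js"),
    Shortcut("E:\\Installer.lnk", "E:\\tools\\setup.exe"),
]
SAMPLE_HIDDEN_FILES = {"E:\\Report.docx", "E:\\Vacation.jpg"}
SAMPLE_TASKS = [
    ScheduledTask("OneDrive Standalone Update",
                  "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe"),
    ScheduledTask("WindowsUpdateHelper", "C:\\Windows\\System32\\wscript.exe",
                  "//b C:\\Users\\alice\\AppData\\Roaming\\sys\\upd.js"),
    ScheduledTask("Maintenance", "C:\\Windows\\System32\\cmd.exe",
                  "/c C:\\Windows\\System32\\defrag.exe C: /O"),
]

if __name__ == "__main__":
    print(audit_removable_shortcuts(SAMPLE_SHORTCUTS, SAMPLE_HIDDEN_FILES))
    print(audit_scheduled_tasks(SAMPLE_TASKS))
```

Note that the legitimate OneDrive updater task is not flagged even though it lives under a user profile, because its action is not a script host; keying on the launcher rather than the path alone keeps the rule from drowning in false positives.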
Technical Aspects and Obfuscation
CryptoBandits employs a renamed Tor binary to establish an encrypted, anonymized C&C communication channel. The malware continuously polls the server every 500 milliseconds for new instructions. It extracts cryptocurrency seed phrases and private keys, posing a severe risk to digital asset security.
Microsoft highlights the malware’s use of multi-layered obfuscation techniques. Both the installation script and the JavaScript payloads are heavily obfuscated, decrypting only at runtime to evade detection.
Organizations are advised to strengthen their defenses by securing script execution paths, monitoring for local SOCKS proxy abuse, and employing behavioral analysis techniques to detect malicious activity early.
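The two C&C traits the report gives, a local SOCKS5 proxy fronting a renamed Tor binary and a fixed 500 millisecond polling loop, are exactly what "monitoring for local SOCKS proxy abuse" can key on: loopback connections to a SOCKS port from a process that is not a known proxy client, and inter-connection gaps that are far too regular to be human. The Python detector below is an added example, not code from Microsoft or from the malware. The connection log lines are constructed, the `ts=... pid=... image=... dst=...` format is a hypothetical stand-in for network-connection telemetry, and the port list and client allowlist are assumptions to be tuned per site.

```python
"""Detect fixed-interval polling of a local SOCKS proxy (added example, constructed log)."""
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

SOCKS_PORTS = {1080, 9050, 9150}                   # common SOCKS / Tor listener ports (assumption)
KNOWN_PROXY_CLIENTS = {"tor.exe", "firefox.exe"}   # site-specific allowlist (assumption)
LINE_RE = re.compile(
    r"ts=(?P<ts>[\d.]+) pid=(?P<pid>\d+) image=(?P<image>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+)"
)


def parse_connections(lines: List[str]) -> List[Tuple[float, int, str, str, int]]:
    rows = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            rows.append((float(m["ts"]), int(m["pid"]), m["image"].lower(), m["ip"], int(m["port"])))
    return rows


def detect_socks_beacons(lines: List[str], expected_interval: float = 0.5,
                         rel_tolerance: float = 0.2, min_samples: int = 8) -> List[dict]:
    """One finding per (pid, image, port) that talks to a loopback SOCKS port and
    is either not an allowed proxy client or polls on a near-constant timer."""
    by_client: Dict[Tuple[int, str, int], List[float]] = defaultdict(list)
    for ts, pid, image, ip, port in parse_connections(lines):
        if ip.startswith("127.") and port in SOCKS_PORTS:
            by_client[(pid, image, port)].append(ts)

    findings = []
    for (pid, image, port), stamps in by_client.items():
        reasons = []
        if image not in KNOWN_PROXY_CLIENTS:
            reasons.append("unexpected loopback SOCKS client")
        stamps.sort()
        if len(stamps) >= min_samples:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            median_gap = statistics.median(gaps)
            spread = statistics.pstdev(gaps) / median_gap if median_gap else float("inf")
            # close to the expected period and with little jitter => timer-driven
            if abs(median_gap - expected_interval) <= expected_interval * rel_tolerance and spread < 0.25:
                reasons.append(f"fixed-interval polling (~{median_gap:.2f}s)")
        if reasons:
            findings.append({"pid": pid, "image": image, "port": port, "reasons": reasons})
    return findings


def constructed_log() -> List[str]:
    """Build a small connection log: a script host hammering the local proxy every
    500 ms (with +/-10 ms jitter), a browser using it at human pace, a shell that
    touches it twice, and one direct outbound connection."""
    base = 1772359200.0
    lines = []
    for i in range(12):
        jitter = 0.01 if i % 2 == 0 else -0.01
        lines.append(f"ts={base + 0.5 * i + jitter:.3f} pid=4120 image=wscript.exe dst=127.0.0.1:9050")
    for off in (0.0, 3.7, 9.2, 21.5, 40.1):
        lines.append(f"ts={base + off:.3f} pid=2200 image=firefox.exe dst=127.0.0.1:9150")
    for off in (100.0, 100.3):
        lines.append(f"ts={base + off:.3f} pid=5150 image=powershell.exe dst=127.0.0.1:9050")
    lines.append(f"ts={base + 5.0:.3f} pid=3010 image=curl.exe dst=203.0.113.10:443")
    return lines


if __name__ == "__main__":
    for finding in detect_socks_beacons(constructed_log()):
        print(finding)
```

The period check is deliberately relative (20 percent of the expected interval, low spread) rather than an exact match on 500 ms, so a variant that changes the timer or adds a little jitter still stands out against the irregular gaps a real browser session produces.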
In conclusion, the CryptoBandits malware demonstrates how lightweight, script-based attacks can have a substantial impact when combined with anonymized communications. Vigilance and robust cybersecurity measures are essential to combat such evolving threats.
