USB Malware Swaps Crypto Wallets Using Tor Network
Microsoft has uncovered a new strain of malware that steals cryptocurrency by hijacking clipboard data. The malware, named Trojan:Win32/CryptoBandits.A, has been active since February 2026. It spreads through infected USB drives and uses the Tor network to hide its tracks.
The infection starts when someone plugs in a compromised USB drive. The malware hides inside Windows shortcut files (.lnk). When a user opens one of these shortcuts, the malware runs silently on the computer. It then polls the Windows clipboard every 500 milliseconds, looking for cryptocurrency wallet addresses, seed phrases, or private keys.
Once it detects a wallet address, it swaps it with one controlled by the attackers. This happens quietly, so users don’t notice the change. The malware targets wallets for six cryptocurrencies, including Bitcoin, Tron, and Monero. Bitcoin addresses it looks for start with 1, 3, bc1q, or bc1p. Tron addresses start with T, while Monero addresses begin with 4 or 8.
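The clipboard substitution described above can be caught from the defender's side by the same mechanism in reverse: remember what the user actually copied and raise an alert when a later poll shows a different address of the same currency. The following is an added example, not code from Microsoft's report or from the malware; it uses only the address prefixes the article names (1, 3, bc1q, bc1p for Bitcoin, T for Tron, 4 or 8 for Monero). The length bounds, the character classes, the "copy" versus "observe" event model, and all sample addresses are assumptions constructed for the example.

```python
import re

# Address prefixes are the ones named in the article. Length bounds and
# character classes are added assumptions to cut false positives; only the
# three currencies the article names are handled.
WALLET_PATTERNS = {
    "bitcoin": re.compile(
        r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}"      # legacy base58 (1..., 3...)
        r"|bc1[qp][02-9ac-hj-np-z]{38,58})$"        # bech32 / bech32m (bc1q..., bc1p...)
    ),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "monero": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94,105}$"),
}


def classify(text):
    """Return the currency whose address pattern `text` matches, or None."""
    text = text.strip()
    for currency, pattern in WALLET_PATTERNS.items():
        if pattern.match(text):
            return currency
    return None


def detect_swaps(events):
    """Scan a clipboard event stream for clipper-style substitutions.

    `events` is a list of (kind, content) tuples. kind is "copy" when the
    change was made by the user (e.g. a wallet app's own copy button; an
    assumed signal the guard has access to) and "observe" for a periodic
    poll of the clipboard. An alert is raised when a poll finds a different
    address of the same currency as the one the user last copied, which is
    exactly the substitution a clipper performs.
    """
    alerts = []
    expected = None  # address the user last copied, if it was one
    for kind, content in events:
        content = content.strip()
        if kind == "copy":
            expected = content if classify(content) else None
            continue
        if expected is None:
            continue
        if classify(content) == classify(expected) and content != expected:
            alerts.append({
                "currency": classify(expected),
                "expected": expected,
                "found": content,
            })
            expected = None  # report once per copied address
    return alerts


# Constructed sample addresses: syntactically plausible strings, not real wallets.
USER_BTC = "1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab"
SWAPPED_BTC = "1ZyXwVuTsRqPnMkJhGfEdCbA98765432zz"
USER_TRX = "TAbCdEfGhJkMnPqRsTuVwXyZ23456789ab"
USER_XMR = "4" + "AbCdEfGhJkMnPqRsTuVwXyZ" * 4 + "23"  # 95 characters
USER_BECH32 = "bc1q" + "qpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9"

# Constructed event stream: one 500 ms poll sees the user's address replaced.
SAMPLE_EVENTS = [
    ("copy", USER_BTC),
    ("observe", USER_BTC),        # unchanged
    ("observe", SWAPPED_BTC),     # replaced by another Bitcoin address
    ("copy", USER_TRX),
    ("observe", USER_TRX),        # unchanged, no alert
    ("copy", "meeting notes"),    # not an address: nothing to guard
    ("observe", SWAPPED_BTC),     # no expected address, so no alert
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(f"[{alert['currency']}] clipboard changed from "
              f"{alert['expected']} to {alert['found']}")
```

The guard compares against the copied value rather than validating the pasted address in isolation, because a swapped address is itself well-formed; format checks alone cannot tell the two apart.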
How the malware hides and communicates
CryptoBandits uses a portable Tor client to communicate with its command-and-control servers. It routes all traffic through a local SOCKS5 proxy on port 9050. This setup makes it hard for defenders to track or shut down the attackers’ control servers. The malware can also receive commands from these servers. One command type, called “EVAL,” allows attackers to run any code they want on infected machines.
Besides stealing wallet addresses, the malware captures five screenshots over ten seconds during its activity. These images are sent back to the attackers. This helps them gather extra information about the victim’s system and activities.
Technical tricks and defense advice
The malware authors use obfuscation to avoid detection. The main payload is a Python program obfuscated with PyArmor and packaged into an executable with PyInstaller. There are also JavaScript components with two layers of obfuscation. This layered setup helps the malware evade security tools.
Microsoft Defender detects this threat as Trojan:Win32/CryptoBandits.A. To protect yourself, Microsoft recommends disabling AutoRun and AutoPlay on your PC. Blocking the execution of .lnk files on removable media can prevent infection. It’s also wise to restrict the use of wscript.exe and cscript.exe, which the malware uses to run scripts. Keeping your security software updated is critical for catching this malware early.
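Two of the indicators above translate directly into endpoint detection rules: the Windows script hosts (wscript.exe, cscript.exe) being launched with a script on removable media, and a process connecting to the local SOCKS5 proxy on port 9050 that the portable Tor client exposes. The following is an added example, not code from Microsoft or the article, run over constructed Sysmon-style events; the field names follow Sysmon Event ID 1 (process creation) and Event ID 3 (network connection), while every path, file name, address and the set of removable drive letters are invented assumptions for the example.

```python
import re

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SOCKS_PORT = 9050      # local SOCKS5 proxy port named in the article
LOOPBACK = "127.0.0.1"

# Constructed Sysmon-style events; values are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B E:\Photos\photos.js'},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe C:\Scripts\inventory.vbs"},
    {"EventID": 3,
     "Image": r"C:\Users\alice\AppData\Local\Temp\upd\host.exe",
     "DestinationIp": LOOPBACK, "DestinationPort": 9050, "Initiated": "true"},
    {"EventID": 3,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 443, "Initiated": "true"},
]

DRIVE_RE = re.compile(r"\b([A-Za-z]):\\")


def image_name(path):
    """File name component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def script_host_from_removable(ev, removable_drives):
    """Rule 1: wscript/cscript started with a script on a removable drive.

    The event does not say which drive letters are removable, so the caller
    supplies that set (assumed to come from device inventory).
    """
    if ev.get("EventID") != 1 or image_name(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return False
    letters = {m.group(1).upper() for m in DRIVE_RE.finditer(ev.get("CommandLine", ""))}
    return bool(letters & removable_drives)


def loopback_socks_connection(ev):
    """Rule 2: an outbound connection to the local SOCKS5 port.

    A portable Tor client listening on 9050 means some process on the host is
    proxying through it; any such connection is worth a look unless the image
    is a sanctioned Tor install.
    """
    return (ev.get("EventID") == 3
            and ev.get("Initiated") == "true"
            and ev.get("DestinationIp") == LOOPBACK
            and int(ev.get("DestinationPort", 0)) == SOCKS_PORT)


def scan(events, removable_drives=frozenset({"E"})):
    """Apply both rules and return (rule, image, detail) tuples."""
    alerts = []
    for ev in events:
        if script_host_from_removable(ev, removable_drives):
            alerts.append(("script_host_from_removable_media",
                           ev["Image"], ev["CommandLine"]))
        if loopback_socks_connection(ev):
            alerts.append(("loopback_socks5_connection", ev["Image"],
                           f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
    return alerts


if __name__ == "__main__":
    for rule, image, detail in scan(SAMPLE_EVENTS):
        print(f"{rule}: {image} ({detail})")
```

Rule 1 keys on the drive letter in the command line rather than on the script host alone, because administrative scripts on fixed drives are routine; rule 2 will also fire for a legitimately installed Tor client, so an allowlist of sanctioned images is the usual tuning step.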
Bitcoin’s price is currently $62,770, down 1.78% in the last 24 hours, with a market cap of $1.24 trillion. Given the high value of cryptocurrencies, this malware poses a serious threat to holders. Clipboard hijacking is a simple but effective trick. Many people copy and paste wallet addresses without double-checking them. This malware takes advantage of that trust to steal funds silently.
Infections like these highlight the risks of using removable media without caution. Even a single click on a malicious shortcut can lead to serious losses. Staying vigilant about USB usage and maintaining strong security measures is the best defense against threats like CryptoBandits.
Based on
- Microsoft finds USB worm that steals cryptocurrency through clipboard hijacking and Tor — thenextweb.com
- Microsoft Detects New USB Worm Stealing Cryptocurrency via Clipboard Hijacking – Newsy Today — newsy-today.com
- USB Worm Spreads Crypto-Stealing Clipper via Windows Shortcuts | ProbablyPwned — probablypwned.com
- Microsoft Just Discovered Crypto-Stealing Malware That Spreads Through USB Sticks — altcoinreporter.com
- Microsoft Warns of USB Crypto Clipper Concentrating on Wallets – Crypto Journal Post — cryptojournalpost.com