Microsoft disclosed an active Windows cryptocurrency theft campaign that spreads through malicious .lnk shortcut files, often delivered via USB devices, and combines worm-like propagation with a script-based clipper and stealer. The malware has been active since February 2026 and uses Windows Script Host, ActiveX, and a bundled Tor client to reach hidden-service command-and-control infrastructure through localhost:9050, avoiding conventional installer and IP-based infrastructure. Microsoft said the threat is detected as Trojan:Win32/CryptoBandits.A and related CryptoBandits signatures.
Once installed, the malware monitors the clipboard roughly every 500 milliseconds for BIP39 seed phrases, Ethereum keys, Bitcoin WIF keys, and wallet addresses, then replaces copied cryptocurrency addresses with attacker-controlled ones while also stealing screenshots. Microsoft said the operators added persistence through scheduled tasks, Defender exclusions, layered obfuscation, and packaging with PyArmor and PyInstaller, while also terminating execution if Task Manager is detected. The campaign also supports remote code execution through an EVAL command from its C2, effectively giving the operators lightweight backdoor access; defenders were urged to block .lnk execution from removable media, restrict script hosts, and hunt for suspicious script activity, clipboard inspection, curl-based exfiltration, PowerShell screen capture, and Tor SOCKS5 traffic over localhost:9050.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Microsoft Threat Intelligence and Microsoft Defender Experts reported a Windows-based cryptocurrency clipper campaign that has been active since February 2026. The campaign spreads via malicious .lnk files, often on USB devices, and includes worm-like propagation and persistence features.
On 2026-06-17, Microsoft published technical details on the campaign, describing its use of Windows Script Host, ActiveX, a bundled Tor client, clipboard theft, wallet address replacement, screenshot exfiltration, and remote code execution via an EVAL command. Microsoft also shared detection guidance and noted Defender detections for the malware family.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
12 references tracked. Mallory keeps watching after this page renders.
hackread.com
Open sourcexakep.ru
Open sourcesecurityweek.com
Open sourcecybersecuritynews.com
Open sourcecysecurity.news
Open sourcecommunity.gurucul.com
Open sourcemalware.news
Open sourcemicrosoft.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.