Microsoft is warning cryptocurrency users about a new strain of Windows malware that does much more than hijack wallet addresses. The threat, dubbed Trojan:Win32/CryptoBandits.A, can steal sensitive crypto data, secretly replace copied wallet addresses, spread to other devices, and even give attackers remote access to infected systems.
According to a Microsoft Threat Intelligence report released Thursday, the campaign has been active since at least February 2026 and reflects a growing trend of increasingly sophisticated malware targeting digital asset holders.
Unlike traditional crypto clippers, which simply swap a copied wallet address for one controlled by an attacker, the new malware combines several techniques into a single attack.
How does the malware function?
Microsoft said infections typically begin with malicious Windows shortcut (.lnk) files, which can be distributed through USB storage devices. Once opened, the malware installs a worm component that creates additional infected shortcuts from legitimate files found on the device, helping it spread to other systems.
The malware also takes steps to stay hidden. It creates scheduled tasks that allow it to survive reboots and relies on lightweight scripts instead of large installation files, making detection more difficult for conventional security tools.
To further conceal its activity, the malware deploys a portable Tor client and routes communications through a local SOCKS5 proxy to hidden .onion servers. Microsoft said this approach reduces the visibility of its network traffic and makes it harder for defenders to disrupt the attack.
The malware’s primary target is cryptocurrency-related information stored or copied by users. It checks the Windows clipboard roughly every half second, looking for wallet addresses, recovery seed phrases, and private keys.
If it detects a wallet address, it can quietly replace it with one belonging to the attacker. A user who pastes the address without double-checking could unknowingly send funds to a criminal’s wallet.
The threat doesn’t stop there. If seed phrases or private keys are found, the malware can send that information through the Tor network, potentially giving attackers complete control over a victim’s crypto assets.
New crypto malware can take screenshots and run remote commands
In its report, Microsoft also said the malware includes features not commonly associated with clipper attacks. It can take screenshots of an infected device, communicate with hidden command servers, and execute new code supplied by attackers. Those capabilities effectively turn it into a lightweight backdoor that can perform additional malicious tasks after the initial infection.
The company urged security teams to focus on combinations of suspicious activity rather than isolated events.
“Defenders should hunt for correlated behaviors rather than investigate isolated events,” Microsoft said, pointing to script engines launching tools such as PowerShell, cmd.exe, and curl alongside unusual localhost:9050 network traffic as potential warning signs.
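The hunting approach Microsoft describes above, as an added example that is not Microsoft's own detection logic and not code from the report: it correlates two of the named behaviours per host, a script engine spawning PowerShell, cmd.exe or curl, and a connection to localhost:9050 (the default Tor SOCKS port), and only fires when both occur within a short window. The JSON log format, field names, list of script engines and the 300-second window are assumptions; the sample events are constructed, not real telemetry.

```python
"""Correlate script-engine process spawns with localhost:9050 traffic.

Added example, not Microsoft's detection rule. Log format, field names and
the correlation window are assumed; sample events below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed list of script engines that launch follow-on tooling.
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Tools the report names as suspicious when launched from a script engine.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "curl.exe"}
TOR_SOCKS = ("127.0.0.1", 9050)      # default Tor SOCKS5 listener
WINDOW = timedelta(seconds=300)      # assumed correlation window

# Constructed sample telemetry (one JSON event per line):
#  WS-01: script spawn chain followed by a 9050 connection  -> should alert
#  WS-02: script spawn only, no Tor traffic                  -> isolated, no alert
#  WS-03: both behaviours, but 15 minutes apart              -> outside window
SAMPLE_LOGS = """
{"ts": "2026-03-02T09:14:03", "host": "WS-01", "event": "process", "parent": "explorer.exe", "image": "wscript.exe"}
{"ts": "2026-03-02T09:14:04", "host": "WS-01", "event": "process", "parent": "wscript.exe", "image": "powershell.exe"}
{"ts": "2026-03-02T09:14:09", "host": "WS-01", "event": "process", "parent": "powershell.exe", "image": "curl.exe"}
{"ts": "2026-03-02T09:14:12", "host": "WS-01", "event": "network", "image": "curl.exe", "dst_ip": "127.0.0.1", "dst_port": 9050}
{"ts": "2026-03-02T10:01:00", "host": "WS-02", "event": "process", "parent": "wscript.exe", "image": "cmd.exe"}
{"ts": "2026-03-02T11:30:00", "host": "WS-03", "event": "network", "image": "curl.exe", "dst_ip": "127.0.0.1", "dst_port": 9050}
{"ts": "2026-03-02T11:45:00", "host": "WS-03", "event": "process", "parent": "wscript.exe", "image": "cmd.exe"}
""".strip()


def parse_events(text):
    """Parse newline-delimited JSON events and convert timestamps."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def is_script_spawn(ev):
    """Process event where a script engine launches a suspicious child."""
    return (ev["event"] == "process"
            and ev["parent"].lower() in SCRIPT_ENGINES
            and ev["image"].lower() in SUSPICIOUS_CHILDREN)


def is_tor_socks(ev):
    """Network event to the local Tor SOCKS port."""
    return (ev["event"] == "network"
            and (ev["dst_ip"], ev["dst_port"]) == TOR_SOCKS)


def correlate(events, window=WINDOW):
    """Return {host: [evidence, ...]} for hosts where a script-engine spawn
    and a localhost:9050 connection fall within `window` of each other.
    A host showing only one of the two behaviours produces nothing."""
    spawns, socks = defaultdict(list), defaultdict(list)
    for ev in events:
        if is_script_spawn(ev):
            spawns[ev["host"]].append(ev)
        elif is_tor_socks(ev):
            socks[ev["host"]].append(ev)

    alerts = defaultdict(list)
    for host, spawn_list in spawns.items():
        for s in spawn_list:
            for n in socks.get(host, []):
                gap = abs(n["ts"] - s["ts"])
                if gap <= window:
                    alerts[host].append({
                        "spawn": f'{s["parent"]} -> {s["image"]}',
                        "socks_client": n["image"],
                        "gap_seconds": gap.total_seconds(),
                    })
    return dict(alerts)


if __name__ == "__main__":
    for host, evidence in correlate(parse_events(SAMPLE_LOGS)).items():
        print(host)
        for e in evidence:
            print("  ", e)
```

Run as-is, only WS-01 is reported, with two pieces of evidence (the wscript.exe to powershell.exe spawn and the powershell.exe to curl.exe spawn, both a few seconds before the 9050 connection). WS-02 shows a script-engine spawn with nothing else and WS-03 shows both behaviours too far apart, so neither appears; that is the difference between hunting correlated behaviour and alerting on isolated events. Against real telemetry the same shape works over Sysmon process-creation and network-connection events, with the window and engine list tuned to the environment.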
The latest discovery adds to a growing list of crypto-focused cyber threats. Earlier this year, Microsoft warned about StilachiRAT, malware capable of targeting browser-based cryptocurrency wallets and monitoring clipboard activity.
SparkCat malware was designed to scan screenshots for wallet recovery phrases, while Binance has previously alerted users to clipboard hijacking attacks that replace copied wallet addresses.
Microsoft’s findings suggest crypto malware is evolving beyond simple wallet swapping. Modern threats can spread between devices, hide their communications, steal sensitive wallet information, capture screenshots, and maintain long-term access to infected systems.
For crypto users, the advice remains straightforward: avoid opening suspicious shortcut files, keep security software updated, and always verify wallet addresses before confirming a transaction. A quick check could be the difference between a successful transfer and losing funds to attackers.
