A new strain of self-propagating malware has been identified by Microsoft, targeting cryptocurrency wallets and spreading through USB drives using a Windows shortcut file (LNK) worm. The campaign, which has been active since at least February 2026, relies on clipboard hijacking to steal funds from unsuspecting users.

What Happened

The malware, detected as Trojan:Win32/CryptoBandits.A by Microsoft, works as a classic USB worm with a modern payload. When a user plugs in an infected drive, they see what appears to be their usual document files. The originals have been hidden, replaced by Windows shortcut (.lnk) files bearing the same names that silently execute the malware when opened.

On an infected drive, the worm scans for documents with .doc, .xlsx, and .pdf extensions, hides the originals, and creates matching shortcut files in their place. The worm component also copies itself to any new USB drive connected to an infected machine, so it spreads further with no user action beyond opening what looks like a normal file.

Once running on a system, the malware deploys a portable Tor client renamed ugate.exe and configures a SOCKS5 proxy on localhost port 9050. All command-and-control traffic then routes through Tor's .onion network, making it significantly harder for corporate firewalls and security tools to intercept or trace the communications.

Background and Context

The malware's primary theft mechanism is clipboard monitoring, which checks the Windows clipboard approximately every 500 milliseconds, looking for patterns that match cryptocurrency wallet addresses or recovery phrases. When it detects a match, it silently replaces the copied address with one controlled by the attacker, so the victim unknowingly sends funds to the wrong wallet.

The malware targets six cryptocurrencies across multiple address formats: Bitcoin (legacy addresses starting with "1", Pay-to-Script-Hash addresses starting with "3", native SegWit addresses starting with "bc1q", and Taproot addresses starting with "bc1p"), Tron addresses beginning with "T", Monero addresses beginning with "4" or "8", Ethereum private keys, and Bitcoin WIF keys.
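The swap described above is detectable from the defender's side: if the text a user copied was a wallet address and the text that lands in the paste target is a different address, the clipboard was tampered with. The following is an added example, not code from Microsoft's write-up; it classifies the address and key formats the article lists using syntactic patterns only (prefix, alphabet and length, no checksum verification; the length ranges are assumptions taken from the public format specifications) and flags a copy/paste pair that shows the hijack pattern.

```python
import re
from typing import Optional

# Alphabets used by the formats in the article.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
BECH32 = r"[ac-hj-np-z02-9]"

# Syntactic patterns per family. Lengths are assumed from the public specs.
PATTERNS = {
    "btc_p2pkh":   re.compile(rf"^1{BASE58}{{25,34}}$"),
    "btc_p2sh":    re.compile(rf"^3{BASE58}{{25,34}}$"),
    "btc_segwit":  re.compile(rf"^bc1q{BECH32}{{38,58}}$"),
    "btc_taproot": re.compile(rf"^bc1p{BECH32}{{58}}$"),
    "tron":        re.compile(rf"^T{BASE58}{{33}}$"),
    "monero":      re.compile(rf"^[48]{BASE58}{{94,105}}$"),
    "eth_privkey": re.compile(r"^(0x)?[0-9a-fA-F]{64}$"),
    "btc_wif":     re.compile(rf"^[5KL]{BASE58}{{50,51}}$"),
}
# Families that are secrets rather than addresses: their presence on the
# clipboard is itself a risk, whether or not anything was swapped.
SECRETS = {"eth_privkey", "btc_wif"}


def classify(text: str) -> Optional[str]:
    """Return the family name if text looks like a watched address/key, else None."""
    s = text.strip()
    for name, pattern in PATTERNS.items():
        if pattern.fullmatch(s):
            return name
    return None


def check_paste(copied: str, pasted: str) -> str:
    """Compare what the user copied with what arrived at the paste target.

    "secret": the copied item is a private key or WIF key.
    "swap":   copied and pasted are both wallet addresses but differ, the
              hallmark of the clipboard hijacking the article describes.
    "ok":     unchanged, or not a watched format at all.
    """
    src, dst = classify(copied), classify(pasted)
    if src in SECRETS:
        return "secret"
    if src is not None and dst is not None and copied.strip() != pasted.strip():
        return "swap"
    return "ok"


# Constructed sample values: syntactically valid, not real wallets or keys.
SAMPLES = {
    "user_btc":     "1TestAddrABCDEFGHJKMNPQRSTUVWXYZab",
    "attacker_btc": "1SwapAddrABCDEFGHJKMNPQRSTUVWXYZab",
    "user_segwit":  "bc1q" + "q" * 38,
    "tron":         "T" + "A" * 33,
    "wif":          "5" + "H" * 50,
    "note":         "invoice 4471 due Friday",
}
```

In a real monitor, `copied` is captured at the moment of the user's copy action and `pasted` is read back from the clipboard just before the paste is committed to a wallet form.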

The campaign's use of Tor-based command-and-control infrastructure makes it harder to address at the network layer. Rather than communicating with fixed IP addresses or domain names that defenders can blocklist, the malware deploys a portable Tor client and routes traffic through a local SOCKS5 proxy, exfiltrating screenshots and clipboard data over the Tor network.

Why It Matters to the Industry

The use of USB worms and Tor-based command-and-control infrastructure is particularly concerning for adult-industry platforms and operators. The malware's ability to spread through USB drives with no more user interaction than opening a shortcut that looks like an ordinary document makes it a significant threat, especially in environments where users may be more likely to plug in unknown devices.

Furthermore, the clipboard hijacking mechanism used by this malware is similar to other threats that have targeted cryptocurrency wallets in the past. This highlights the ongoing need for robust security measures and regular updates to protect against evolving threats.

What Comes Next

Microsoft's defensive guidance emphasizes the importance of behavioral detections, such as watching for renamed Tor binaries, SOCKS5 proxy creation from script engines, and clipboard polling at 500-millisecond intervals. Disabling AutoRun for removable media and locking down LNK execution from USB drives via Group Policy are also recommended.

Industry operators should take note of these recommendations and consider implementing similar measures to protect against this type of threat. Regular security updates, monitoring, and user education will be crucial in preventing the spread of this malware and other similar threats.

Key Facts

  • The campaign has been active since at least February 2026.
  • The malware targets six cryptocurrencies across multiple address formats.
  • The malware uses clipboard hijacking to steal funds from unsuspecting users.
  • The campaign relies on Tor-based command-and-control infrastructure, making it harder to address at the network layer.
  • Microsoft recommends disabling AutoRun for removable media and locking down LNK execution from USB drives via Group Policy.