Microsoft has disclosed details of a newly identified Windows malware campaign that combines cryptocurrency theft, covert command-and-control communications, and remote access capabilities, creating a threat that extends well beyond traditional crypto-stealing malware.
Tracked as CryptoBandits, the malware has been active since at least February 2026 and is designed to compromise Windows systems through malicious shortcut (LNK) files. While its primary objective is to steal cryptocurrency-related information, Microsoft researchers found that the malware also functions as a lightweight backdoor, allowing attackers to maintain ongoing access to infected devices and issue remote commands.
According to Microsoft’s analysis, the threat relies heavily on built-in Windows scripting technologies, including Windows Script Host and ActiveX components, to execute malicious actions while avoiding more obvious indicators typically associated with conventional malware families. Once executed, CryptoBandits deploys a portable version of the Tor anonymity network and establishes communications with attacker-controlled hidden services through a local SOCKS5 proxy, concealing the infrastructure used to manage infected systems.
Researchers observed the malware being distributed through malicious shortcut files that masquerade as legitimate content. After compromising a system, CryptoBandits deploys two distinct modules: a worm component responsible for spreading the infection and a cryptocurrency clipper designed to monitor and manipulate wallet-related data.
The propagation mechanism enables the malware to scan connected USB storage devices and generate additional malicious shortcut files that imitate legitimate documents. By replacing or disguising genuine files with weaponized shortcuts, attackers increase the likelihood that the malware will spread when removable media is shared between systems. Microsoft also noted that the malware can deploy additional payloads while excluding them from Microsoft Defender scanning, helping attackers reduce the likelihood of detection.
One of the most dangerous aspects of CryptoBandits is its clipboard-monitoring functionality. Cryptocurrency clippers are designed to watch for wallet addresses copied by victims during transactions. When a targeted wallet address is detected, the malware silently replaces it with an attacker-controlled address before the victim pastes the information into a cryptocurrency application or exchange platform. Because cryptocurrency addresses are often long and difficult to verify manually, victims may unknowingly transfer digital assets directly to criminal-controlled wallets.
Beyond address substitution, Microsoft found that the malware can harvest cryptocurrency seed phrases and private keys, information that can provide direct access to digital wallets. The malware also captures screenshots and transmits collected information to attacker-controlled infrastructure through Tor-based communications channels.
The malware establishes persistence through scheduled tasks and incorporates anti-analysis checks intended to identify whether system monitoring tools are active. Researchers observed the clipper verifying whether Windows Task Manager was running before continuing execution, a technique commonly used by malware operators attempting to evade investigation and detection.
After installation, CryptoBandits launches a renamed Tor executable and registers the infected device with its command-and-control infrastructure. The malware then continuously polls its operators for instructions at intervals of roughly 500 milliseconds, enabling rapid execution of attacker-issued commands. This capability transforms the malware from a simple financial stealer into a remotely managed backdoor capable of supporting additional malicious activity.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: