June 19, 2026 ChainGPT

Microsoft Warns: New Windows 'CryptoBandits' Clipper Acts Like Backdoor, Steals Wallet Keys

Microsoft warns a new Windows clipper is behaving more like a backdoor — and crypto users should take notice. In a fresh advisory, Microsoft Threat Intelligence says a Windows-based crypto clipper campaign has been active since February 2026. Detected by Microsoft Defender Antivirus as Trojan:Win32/CryptoBandits.A, the malware goes far beyond simple wallet-address swapping: it combines clipboard theft and address replacement with worm-like spreading, Tor-based command-and-control, persistence mechanisms, and the ability to execute attacker code.

How the infection spreads and persists

- Initial infection often comes from malicious .lnk shortcut files, which can be delivered on USB drives. When opened, these shortcuts launch a worm component that creates additional malicious shortcuts from legitimate files found on the device.
- The worm sets scheduled tasks to ensure persistence across reboots.
- Instead of a large installer, the malware relies on script-based tools, making file-based detection harder.

Stealthy communications and clipboard theft

- The clipper deploys a portable Tor client and routes traffic through a local SOCKS5 proxy (localhost:9050), using .onion command-and-control domains to reduce DNS visibility and frustrate blocking.
- It polls the clipboard roughly every 500 milliseconds, searching for seed phrases, private keys, and wallet addresses. If it spots a wallet address, it replaces it with an attacker-controlled address; if it finds a seed phrase or private key, it can exfiltrate that data over Tor.

From clipper to lightweight backdoor

- Microsoft says the malware can also upload screenshots, contact a hidden command server, and execute attacker-supplied code via an EVAL command — capabilities that turn a simple crypto stealer into a lightweight backdoor with continued access to infected machines.

Detection guidance and context

- Microsoft advises defenders to hunt for correlated behaviors rather than investigating isolated events. Specifically, teams should watch for script engines launching curl, cmd.exe, PowerShell, or unexpected files, especially when paired with localhost:9050 traffic.
- The new campaign follows other clipboard- and wallet-focused threats: StilachiRAT was previously linked to clipboard monitoring and browser wallet scanning, SparkCat used image scanning to find seed phrases in screenshots, and Binance has warned about clippers that replace copied wallet addresses.

Why this matters to crypto users

- Clipper malware is evolving from opportunistic address swapping into multi-stage attacks that spread, hide communications with Tor, steal keys and seed phrases, capture screens, and maintain long-term access to systems.
- Users should be wary of unknown USB devices and suspicious shortcuts, keep anti-malware tools up to date, and prefer hardware wallets or address-verification practices to reduce the risk of clipboard-based theft.

Microsoft’s alert underscores that clipper threats are becoming more layered and persistent — and that simple copy-and-paste habits can no longer be relied upon to keep crypto safe.
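The behavior correlation Microsoft recommends, as an added example that is not from the advisory or this article: constructed Sysmon-style events are parsed, and a script engine spawning curl, cmd.exe or PowerShell is reported only when the same host also connects to 127.0.0.1:9050 within a short window, so neither signal alone fires. The log layout, hostnames and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta

SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SUSPECT_CHILDREN = {"curl.exe", "cmd.exe", "powershell.exe"}
TOR_SOCKS = "127.0.0.1:9050"   # local SOCKS5 port the clipper's portable Tor client listens on
WINDOW = timedelta(minutes=5)  # how close in time the two behaviors must be to correlate

# Constructed sample telemetry in a simplified Sysmon-like shape (not real IoCs):
#   timestamp|host|PROC or NET|key=value|...
SAMPLE_LOG = """\
2026-02-14T10:00:01|WS01|PROC|parent=explorer.exe|image=wscript.exe
2026-02-14T10:00:03|WS01|PROC|parent=wscript.exe|image=curl.exe
2026-02-14T10:00:04|WS01|NET|image=curl.exe|dst=127.0.0.1:9050
2026-02-14T11:30:00|WS02|PROC|parent=powershell.exe|image=cmd.exe
2026-02-14T09:00:00|WS03|NET|image=tor.exe|dst=127.0.0.1:9050
2026-02-14T12:00:00|WS04|PROC|parent=cscript.exe|image=cmd.exe
2026-02-14T12:20:00|WS04|NET|image=cmd.exe|dst=127.0.0.1:9050
"""

def parse(log):
    """Turn each log line into a dict with ts (datetime), host, kind and its key=value fields."""
    events = []
    for line in log.splitlines():
        ts, host, kind, *fields = line.split("|")
        ev = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events

def correlate(events, window=WINDOW):
    """Return (host, parent, child, net_image) for each script-engine spawn of a suspect
    child that the same host pairs with a connection to 127.0.0.1:9050 inside `window`.
    WS02 (spawn only) and WS03 (Tor traffic only) stay silent; WS04 is outside the window."""
    spawns = [e for e in events if e["kind"] == "PROC"
              and e["parent"].lower() in SCRIPT_ENGINES
              and e["image"].lower() in SUSPECT_CHILDREN]
    socks = [e for e in events if e["kind"] == "NET" and e["dst"] == TOR_SOCKS]
    hits = []
    for s in spawns:
        for n in socks:
            if n["host"] == s["host"] and abs(n["ts"] - s["ts"]) <= window:
                hits.append((s["host"], s["parent"], s["image"], n["image"]))
    return hits

if __name__ == "__main__":
    for hit in correlate(parse(SAMPLE_LOG)):
        print("correlated: host=%s %s -> %s, then %s -> 127.0.0.1:9050" % hit)
```

Widening the window to an hour also surfaces WS04, which shows why the window is a tuning knob rather than a fixed rule.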