Advanced Crypto Clipper Leverages Tor and Worm-Like Propagation for Persistence

Blending financially motivated clipboard theft with advanced backdoor functionality, the newly identified CryptoBandits malware utilizes hidden-service command-and-control servers to evade traditional enterprise defenses.

By Andrew Collins | Edited by Julia Sakovich Published:
Microsoft Threat Intelligence exposes a Windows-based crypto clipper using a portable Tor proxy and ActiveX logic. Photo: Pexels

Microsoft Threat Intelligence and Defender Experts have uncovered a sophisticated Windows-based cryptocurrency clipper active since February 2026. Tracked by Microsoft Antivirus as Trojan:Win32/CryptoBandits.A, the malware marks a significant evolution in financial threat vectors. Instead of acting as a simple, isolated stealer, it operates as a lightweight backdoor, combining automated clipboard theft with worm-like propagation mechanics and an anonymized infrastructure framework.

The malware primarily spreads via physical vectors, relying on malicious shortcut (.lnk) files distributed on infected USB storage devices.

Hybrid Infection and Execution Flow

Once a user interacts with an infected shortcut, the multi-stage threat splits into two parallel, self-sustaining operational tracks to maximize both persistence and propagation.

The worm component scans the local file system for common document types (.doc, .pdf, .xlsx), hides the original files, and replaces each with a malicious shortcut bearing a matching name. Concurrently, the stealer component drops heavily obfuscated JavaScript payloads into public directories and registers scheduled tasks that re-run them indefinitely, giving the operator persistent control of the host.

Algorithmic Wallet Address Replacement

The primary monetization mechanic relies on high-frequency regex pattern matching to intercept transactions. Every 500 milliseconds, the malware inspects the clipboard. If a cryptocurrency address is detected, it is instantly replaced with an attacker-controlled alternative tailored to match the original format.

For instance, Bitcoin Legacy (starting with “1”) and P2SH (starting with “3”) addresses are swapped with addresses matching the first two characters of the victim’s intended destination. For Bech32 and Taproot formats, the malware matches the trailing characters, drastically reducing the likelihood of a user noticing the substitution prior to initiating a transaction.

Organizations must look past basic file hashes and prioritize behavioral hunting. Key indicators of compromise include script interpreters (wscript.exe, cscript.exe) spawning unexpected child processes, unusual local SOCKS5 proxy routing on port 9050, and automated screen-capture execution within PowerShell.
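The three behavioral indicators above can be expressed as a small hunting rule. The following is an added example, not code from the article or from Microsoft, run over a few constructed telemetry events in a simplified dict form; the child-process and screen-capture keyword lists, and the empty allowlist of sanctioned local Tor clients, are assumptions to be tuned for a real environment.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Children a script host rarely spawns legitimately in an enterprise (assumption; tune per estate).
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "schtasks.exe", "attrib.exe", "certutil.exe"}
# .NET calls commonly seen in PowerShell screen-capture one-liners (assumption).
SCREEN_CAPTURE = re.compile(r"CopyFromScreen|System\.Drawing\.Bitmap|Graphics\]::FromImage", re.I)
SOCKS5_PORT = 9050          # default Tor SOCKS port named in the article
KNOWN_TOR_CLIENTS = set()   # assumption: sanctioned processes allowed to use a local Tor proxy, if any

# Constructed sample telemetry (not real logs): one benign chain plus one suspicious chain.
EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "winword.exe", "cmdline": "winword.exe report.docx"},
    {"type": "process", "parent": "explorer.exe", "image": "wscript.exe", "cmdline": r"wscript.exe C:\Users\Public\upd.js"},
    {"type": "process", "parent": "wscript.exe", "image": "schtasks.exe", "cmdline": "schtasks.exe /create /sc minute /tn upd"},
    {"type": "process", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden $b=New-Object System.Drawing.Bitmap 1920,1080; ...CopyFromScreen..."},
    {"type": "network", "image": "wscript.exe", "dst": "127.0.0.1", "port": 9050},
    {"type": "network", "image": "chrome.exe", "dst": "127.0.0.1", "port": 8080},
]

def hunt(events):
    """Return (rule_name, detail) tuples for every event matching one of the three indicators."""
    alerts = []
    for e in events:
        if e["type"] == "process":
            parent, image = e["parent"].lower(), e["image"].lower()
            if parent in SCRIPT_HOSTS and image in SUSPICIOUS_CHILDREN:
                alerts.append(("script_host_child", f"{parent} -> {image}"))
            if image == "powershell.exe" and SCREEN_CAPTURE.search(e["cmdline"]):
                alerts.append(("powershell_screen_capture", e["cmdline"][:60]))
        elif e["type"] == "network":
            loopback_socks = e["dst"] == "127.0.0.1" and e["port"] == SOCKS5_PORT
            if loopback_socks and e["image"].lower() not in KNOWN_TOR_CLIENTS:
                alerts.append(("local_socks5_9050", e["image"]))
    return alerts

if __name__ == "__main__":
    for rule, detail in hunt(EVENTS):
        print(f"[{rule}] {detail}")
```

The rule deliberately keys on parent/child relationships, command-line content and loopback port use rather than file hashes, so a rebuilt or re-obfuscated payload still trips it.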

To mitigate this threat vector, network administrators should restrict unauthorized script-host execution, enforce strict Attack Surface Reduction (ASR) rules, and fully disable AutoRun policies for all removable external media across enterprise endpoints.
