The malware, active since February 2026, steals seed phrases and replaces wallet addresses via malicious shortcuts and USB drives.
Microsoft identified a Windows-based crypto clipper malware, dubbed Trojan:Win32/CryptoBandits.A, that has been active since February 2026. The malware spreads through malicious .lnk shortcuts and USB drives, deploying a Tor proxy to connect to hidden command-and-control servers.
The malware can exfiltrate clipboard data, seed phrases, and private keys, while also replacing cryptocurrency wallet addresses and capturing screenshots. It leverages Windows Script Host and ActiveX to execute its payload, posing a significant risk to crypto asset security.
Microsoft Defender Antivirus detects the threat, but its persistence and distribution methods highlight ongoing vulnerabilities in crypto transaction security.
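The replacement behaviour described above is what a clipper looks like from the endpoint's point of view: an address-shaped clipboard value silently becomes a different address of the same chain moments after the user copied it. The following is an added illustration of that detection heuristic, not Microsoft's detection logic or any part of the CryptoBandits analysis; the address patterns, the `Snapshot` record and the clipboard history are constructed for this example.

```python
import re
from dataclasses import dataclass

# Loose address shapes for two common chains (constructed for this example;
# tighten per chain before relying on them in production).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[a-fA-F0-9]{40}$"),
}

def classify_address(text):
    """Return the chain whose address shape the text matches, else None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None

@dataclass
class Snapshot:
    ts: float           # seconds since monitoring started
    text: str           # clipboard contents observed at that time
    user_copied: bool   # True if a user copy action was observed at this moment

def detect_clipper_swaps(snapshots, max_gap=5.0):
    """Flag a clipboard change where one address-shaped value is replaced by a
    different address of the same chain within max_gap seconds and no user copy
    action explains it: the user copies A, the malware rewrites it to B."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        if cur.text == prev.text or cur.user_copied:
            continue
        chain_prev, chain_cur = classify_address(prev.text), classify_address(cur.text)
        if chain_prev and chain_prev == chain_cur and cur.ts - prev.ts <= max_gap:
            alerts.append({"ts": cur.ts, "chain": chain_cur, "from": prev.text, "to": cur.text})
    return alerts

# Constructed clipboard history: the user copies ETH address A, which is
# replaced 0.4 s later by address B without any user action.
ETH_A = "0x" + "ab" * 20
ETH_B = "0x" + "cd" * 20
BTC_X = "bc1q" + "z" * 38
SAMPLE_TIMELINE = [
    Snapshot(0.0, ETH_A, True),
    Snapshot(0.4, ETH_B, False),            # silent rewrite -> alert
    Snapshot(30.0, "meeting notes", True),
    Snapshot(40.0, BTC_X, True),            # user copied it themselves -> no alert
]

print(detect_clipper_swaps(SAMPLE_TIMELINE))
```

In a real deployment the snapshots would come from a clipboard-change hook rather than a fixed list, and a one-off alert is best confirmed by prompting the user to compare the pasted address against the one they intended.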