Microsoft's security team has detailed a two-stage malware campaign that exploits USB drives to reach cryptocurrency holders. Tracked as Trojan:Win32/CryptoBandits.A and nicknamed "Crypto Clipper," the threat has been active since at least February 2026, according to Microsoft's June 17 threat report.
The attack chain begins with a deceptive file swap on infected USB media. When a victim plugs in the drive, they see what appears to be normal documents. The originals are hidden, replaced by identically named shortcut files that execute the worm payload when opened. This simple substitution works because users trust USB drives they've received from colleagues or have used on shared computers. From there, the worm scans for other USB drives, hides their files, and plants fresh shortcuts. It also creates scheduled tasks to survive reboots and adds exclusions so that Windows Defender ignores its own payloads.
How the stealer component operates
Once installed, the malware's crypto-targeting logic runs on a tight loop. It polls the Windows clipboard every 500 milliseconds, hunting for patterns that match wallet addresses and seed phrases. When it finds one, it exfiltrates the data to the attacker's command server, which is reachable only through a local Tor proxy that the malware deploys on the infected machine. But the real damage comes next: when a victim copies a recipient address to send funds, the clipper silently swaps in an attacker-controlled address before the victim pastes it. The transaction goes through to the wrong wallet, and the funds vanish.
The malware also captures five screenshots at ten-second intervals whenever sensitive clipboard data appears, giving operators a visual record of what the victim was doing and which windows were open at the moment of compromise.
Remote control and obfuscation
CryptoBandits includes a remote code execution command called EVAL that allows operators to push and execute arbitrary code on infected machines without requiring reinstallation. This transforms the threat from a financial stealer into a general-purpose remote access tool. The initial payload is obfuscated using PyArmor and PyInstaller, and dropped JavaScript receives a separate dual-layer obfuscation pass. The malware also detects Task Manager and exits immediately if it's running, complicating live analysis.
Physical media propagation was thought to be fading as cloud storage became standard. CryptoBandits resurrects this vector because it preys on routine, low-suspicion behavior. A colleague borrows your drive, or you use one at a shared workstation, and the infection travels invisibly to a new network. For cryptocurrency holders, the stakes are acute: stolen cryptocurrency transactions are typically irreversible. Once an attacker substitutes a wallet address and the payment is confirmed on-chain, recovery is near impossible.
Mitigation and detection
Microsoft has published SHA-256 hashes, MITRE ATT&CK mappings, and KQL hunting queries to help security teams find existing infections. The recommended defenses are straightforward: disable AutoRun/AutoPlay on USB media, block .lnk file execution from removable drives via Group Policy, restrict Windows Script Host to prevent script payloads from running, and monitor for suspicious connections to localhost:9050, which signals Tor proxy activity. Microsoft Defender currently detects the malware family. The company's Defender Experts team assisted in the investigation but has not attributed the campaign to a specific threat actor or disclosed the total infection count.
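A defender-side check for the shortcut-swap pattern described at the top of the article, added here as an example (it is not Microsoft's code and not the report's KQL): it walks a mounted drive and lists every .lnk that shadows a hidden sibling of the same name. The dot-prefix fallback for non-Windows hosts and the looser stem-only match are assumptions.

```python
import os
import sys
from pathlib import Path, PurePosixPath

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute the worm sets on the originals


def is_hidden(path: Path) -> bool:
    """Hidden attribute on Windows; dot-prefix elsewhere (assumption for non-Windows runs)."""
    attrs = getattr(path.lstat(), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def walk_entries(root: str):
    """Yield (relative posix path, hidden?) for every file and folder under root."""
    base = Path(root)
    for dirpath, dirnames, filenames in os.walk(base):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            yield p.relative_to(base).as_posix(), is_hidden(p)


def find_shadowed_shortcuts(entries):
    """Return (shortcut, hidden_twin) pairs: a .lnk whose name matches a hidden
    sibling in the same folder, i.e. the swap pattern. Names compare
    case-insensitively, as on Windows volumes. Both 'Report.docx' ->
    'Report.docx.lnk' and the looser 'Report.docx' -> 'Report.lnk' naming are
    matched (the latter is an assumption, not something the report states)."""
    hidden = {}
    shortcuts = []
    for rel, hid in entries:
        p = PurePosixPath(rel)
        parent = str(p.parent).lower()
        if p.suffix.lower() == ".lnk":
            shortcuts.append(p)
        elif hid:
            for key in {p.name.lower(), p.stem.lower()}:
                hidden.setdefault((parent, key), p)
    findings = []
    for lnk in shortcuts:
        twin = hidden.get((str(lnk.parent).lower(), lnk.stem.lower()))
        if twin is not None:
            findings.append((str(lnk), str(twin)))
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."  # e.g. E:\ for a mounted USB drive
    for lnk, twin in find_shadowed_shortcuts(walk_entries(root)):
        print(f"SUSPECT {lnk} shadows hidden {twin}")
```

Run it against the drive letter of a freshly inserted stick before opening anything on it; every reported pair is a shortcut that should be inspected, not double-clicked.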