CryptoBandits malware uses USB shortcuts to steal crypto
Microsoft reports CryptoBandits spreads via malicious .lnk files on USB drives, steals seed phrases and keys, swaps copied addresses and exfiltrates data over Tor.
Microsoft’s June 17 Security Blog reported a Windows malware family named CryptoBandits, detected as CryptoBandits.A, active since February 2026 and spreading via malicious .lnk shortcut files on USB drives.
The shortcuts execute a worm component when a user opens what appears to be a document on removable media. The worm scans the USB drive for common document types, hides the original files and replaces them with new shortcut files that launch the payload.
The payload drops obfuscated JavaScript files under C:\Users\Public\Documents and creates scheduled tasks to maintain persistence. One scheduled task targets newly inserted USB devices for propagation while another runs data-stealing operations.
After establishing a foothold, the malware polls the system clipboard about every 500 milliseconds and searches for wallet material. The code looks for 12- and 24-word BIP39 seed phrases, Bitcoin WIF keys, Ethereum private keys and cryptocurrency addresses. When it finds a seed phrase or private key, the malware can save it locally and send it to the attacker. When it detects a copied recipient address, the malware can replace that value in the clipboard with an attacker-controlled address. Some replacements are crafted to resemble the original address by matching initial characters or altering only the final character in certain address formats.
CryptoBandits captures screenshots and routes command-and-control traffic through Tor by creating a local SOCKS5 proxy on localhost:9050. Routing through a local proxy can make network-level blocking more difficult because the traffic appears to originate from the affected machine.
Microsoft’s report advises defenders to look for behavioral chains in which script engines launch tools such as curl, cmd.exe or PowerShell, and for unexpected localhost proxy activity. The company recommends disabling AutoRun and AutoPlay for removable media, blocking execution of .lnk files from removable drives through Group Policy, restricting use of script hosts such as wscript.exe and cscript.exe, and reviewing Attack Surface Reduction rules for obfuscated scripts and suspicious child-process behavior. Teams should monitor for PowerShell screen-capture activity, clipboard access, and local SOCKS5 proxy behavior on devices that handle wallet workflows.
Microsoft Defender includes detections for Trojan:Win32/CryptoBandits.A and related JavaScript indicators and provides EDR coverage for suspicious JavaScript processes, curl-based exfiltration and Task Scheduler activity.
The Security Blog did not provide victim counts, confirmed theft totals, geographic distribution or attribution. Microsoft’s guidance for self-custody workflows includes using separate, hardened devices for signing and transferring funds, avoiding copy-and-paste address workflows when possible, verifying full destination addresses on a trusted display, keeping recovery phrases off networked machines, isolating a suspected endpoint and rotating any exposed wallet material.








