ChainCatcher report: Microsoft's Threat Intelligence Team has officially disclosed a Windows crypto Trojan that has been active since February 2026. The malware combines worm-like propagation, clipboard hijacking, and anonymous communication over Tor to target digital asset users. According to Microsoft's analysis, the malicious program spreads across removable storage devices via disguised shortcut (.lnk) files and uses WScript and ActiveX to run its script logic. It automatically deploys a local Tor client and connects through the 127.0.0.1:9050 proxy to onion hidden service C2 servers for anonymous command and control and data exfiltration.

The attack chain includes several malicious capabilities: continuous monitoring of clipboard contents, theft of mnemonic phrases and private keys, screenshot capture and upload, and "address replacement" when a user copies a cryptocurrency address, substituting an address controlled by the attacker so that funds are diverted. The Trojan also behaves like a worm, automatically copying itself onto USB drives and other devices, creates scheduled tasks for persistence, and includes basic anti-analysis measures such as detecting Task Manager to evade debugging.

For detection, Microsoft classifies the malware under the Trojan:Win32/CryptoBandits family and blocks it on behavioral indicators, including anomalous WScript calls, proxy traffic to localhost:9050, and PowerShell screenshot activity. Security researchers recommend prioritizing defenses around script execution paths and monitoring for anomalous local proxy traffic.
Microsoft Discovers New Crypto Trojan Spreading via Tor and Stealing Wallet Addresses
Microsoft has identified a new crypto Trojan, Trojan:Win32/CryptoBandits, spreading via .lnk files and using Tor to connect to an onion C2 server. The malware steals wallet addresses from the clipboard and replicates itself, and includes anti-analysis features. The threat has been active since February 2026. Security experts recommend monitoring script execution and local proxy traffic. Traders and platforms tracking new token listings should remain alert to such cryptocurrency developments.
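As an added example, not part of the ChainCatcher report and not Microsoft's own detection logic, the following Python sketch applies the three behavioral indicators named in the report (anomalous WScript execution, traffic to the localhost:9050 proxy, and PowerShell screenshot activity) to a handful of constructed telemetry lines. The simplified key=value event format, the sample paths and process names, the use of non-system drive letters as a stand-in for removable media, the CopyFromScreen and System.Drawing strings used to recognize PowerShell screenshot activity, and the tor.exe allowlist are all assumptions made for illustration.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry in a simplified key=value form. These are not
# real Sysmon records and not data from the campaign: the first three lines
# mirror the behavioural indicators named in the report, the last two are benign.
SAMPLE_EVENTS = [
    'type=process image="C:\\Windows\\System32\\wscript.exe" parent="C:\\Windows\\explorer.exe" cmdline="wscript.exe //B E:\\Photos\\update.vbs"',
    'type=network image="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost_.exe" dst=127.0.0.1 dport=9050',
    'type=process image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" parent="C:\\Windows\\System32\\wscript.exe" cmdline="powershell -w hidden -c [Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size)"',
    'type=process image="C:\\Windows\\System32\\notepad.exe" parent="C:\\Windows\\explorer.exe" cmdline="notepad.exe notes.txt"',
    'type=network image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" dst=127.0.0.1 dport=443',
]

# key=value pairs; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SYSTEM_DRIVE_LETTER = "C"                      # assumption: Windows installed on C:
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}
TOR_SOCKS_ENDPOINT = ("127.0.0.1", "9050")     # local Tor proxy named in the report
TOR_ALLOWLIST = {"tor.exe"}                    # assumption: sanctioned Tor clients, if any
SCREENSHOT_RE = re.compile(r"copyfromscreen|system\.drawing", re.I)
DRIVE_RE = re.compile(r"\b([A-Za-z]):\\")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value telemetry line into a dict."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the indicator names that a single event matches (empty if none)."""
    hits: List[str] = []
    image = _basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")

    if event.get("type") == "process":
        # WScript host executing a script that lives on a non-system drive:
        # a rough proxy for the removable-media propagation the report describes.
        if image in SCRIPT_HOSTS:
            drives = {d.upper() for d in DRIVE_RE.findall(cmdline)}
            if any(d != SYSTEM_DRIVE_LETTER for d in drives):
                hits.append("wscript_script_on_removable_drive")
        # PowerShell invoking the GDI+ screen-capture API from the command line.
        if image in POWERSHELL_HOSTS and SCREENSHOT_RE.search(cmdline):
            hits.append("powershell_screenshot")

    elif event.get("type") == "network":
        # Any process other than an allowlisted Tor client talking to the
        # local SOCKS port is the "localhost:9050 proxy traffic" indicator.
        endpoint = (event.get("dst", ""), event.get("dport", ""))
        if endpoint == TOR_SOCKS_ENDPOINT and image not in TOR_ALLOWLIST:
            hits.append("localhost_tor_socks_proxy")

    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run every line through the rules; return (line index, hits) for matches."""
    results = []
    for idx, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            results.append((idx, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Each rule is deliberately narrow so that it can be tuned against real telemetry: the drive-letter heuristic will need adjusting on hosts that mount fixed disks beyond C:, and the allowlist for the Tor proxy rule should list only binaries an organisation actually sanctions.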
Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information.
Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.