From Wallet Hijacking To Remote Control: Microsoft Exposes A New Wave Of Crypto Malware Targeting Windows Users | Metaverse Post

In Brief

Microsoft uncovers a Windows crypto clipper campaign using Tor-based infrastructure to steal wallet credentials, hijack transactions, and maintain remote access.

Technology company Microsoft has reported the discovery of a Windows-based cryptocurrency clipper malware campaign that has been targeting users since February 2026. The threat, identified by Microsoft Threat Intelligence and Microsoft Defender Experts, combines clipboard theft, cryptocurrency wallet targeting, and remote access capabilities to steal digital assets and maintain control over compromised systems.

The malware is designed to intercept sensitive cryptocurrency-related information, including wallet addresses, seed phrases, and private keys. Microsoft said the threat spreads primarily through malicious shortcut files (.lnk) distributed via removable USB drives. Once activated, the malware deploys additional components that enable persistence, data collection, and communication with attacker-controlled infrastructure.

Unlike traditional malware campaigns that rely on visible command-and-control servers, this campaign uses a bundled Tor proxy to hide network activity. The malware launches a portable Tor client through Windows Script Host and ActiveX-based scripts, routing communications through a local SOCKS5 proxy before connecting to hidden-service servers. This approach reduces visibility and allows attackers to maintain anonymous access to infected devices.

The attack combines two main functions: a propagation component that spreads through infected files and removable media, and a clipper-stealer component focused on cryptocurrency theft. The malware can create malicious shortcuts that appear to reference legitimate documents, causing users to unknowingly execute harmful code. It also creates scheduled tasks to maintain persistence and continue operating after system reboots.

A New Generation of Crypto Theft Infrastructure

The malware demonstrates a shift toward lightweight, script-based threats that combine financial theft with broader backdoor capabilities. After infection, the malware continuously monitors clipboard activity, searching for cryptocurrency-related data. When users copy wallet addresses, the malware can replace them with attacker-controlled addresses, redirecting transactions without the victim immediately noticing.

The threat also searches for Bitcoin and Ethereum-related private keys and BIP39 seed phrases, which are commonly used to recover cryptocurrency wallets. Captured information is transmitted to attackers through Tor-based channels, while screenshots are collected to provide additional context about wallet activity and account balances.

Microsoft highlighted that the malware includes remote command execution capabilities, allowing attackers to send instructions and execute additional code on infected systems. This expands the threat beyond a simple crypto clipper into a flexible tool capable of supporting further malicious activity.

Security researchers noted that the campaign relies heavily on behavioral indicators rather than traditional file-based detection. Suspicious activity includes script engines launching unexpected processes, cryptocurrency address manipulation, PowerShell-based screen capture, and unusual Tor proxy connections through localhost port 9050.

Microsoft Defender Antivirus detects related components of the malware family under the designation Trojan:Win32/CryptoBandits.A, while Microsoft Defender for Endpoint provides additional behavioral detections for suspicious scripting activity, data exfiltration attempts, and abnormal process execution.

Microsoft advised organizations to strengthen defenses against removable media threats, restrict unnecessary script execution, monitor suspicious proxy activity, and apply security controls against obfuscated scripts. The company also recommended reviewing clipboard monitoring behavior and investigating systems where scripting tools interact with network communication utilities.

The discovery highlights the growing sophistication of cryptocurrency-focused malware, with attackers increasingly combining automated wallet theft techniques, anonymous communication systems, and persistent access mechanisms. As digital assets continue to become more integrated into financial activity, security teams are expected to place greater emphasis on protecting wallet credentials and monitoring behaviors associated with crypto-targeting threats.