Microsoft warns users of 'Crypto Clipper' malware spread via USB drives

Cointelegraph 2026-06-19 05:33:06
Context: Microsoft has warned Windows users about a cryptocurrency clipper strain of malware that is transmitted via USB drives and has been affecting users since February. The malware steals clipboard data to extract wallet credentials and functions as a backdoor, allowing attackers to execute arbitrary code on infected machines. It has been detected in various attacks, amid a significant escalation in Windows-based crypto stealers in 2026.

Key Facts

  • The malware, detected by Microsoft as Trojan:Win32/CryptoBandits.A, blends data theft with remote code execution, allowing attackers to push and execute arbitrary code on infected machines at any time.
  • The crypto clipper steals clipboard data using “high-frequency clipboard theft, screenshot exfiltration, and wallet-address substitution,” and focuses on “high-value financial artifacts” from the clipboard, including BIP39 mnemonic seed phrases and Bitcoin and Ethereum private keys.
  • The malware hides legitimate files and replaces them with lookalike shortcuts, so victims unknowingly execute the malware, while a worm component propagates automatically to USB storage devices. It also secretly installs a copy of Tor on the victim’s computer to connect to its malicious operators at hidden “onion” addresses.
  • The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based infrastructure, instead deploying two obfuscated JavaScript payloads in the Windows Documents directory and creating scheduled tasks for both the worm and stealer components.
  • Microsoft recommended disabling autoplay on removable media, blocking .lnk execution from USB drives, and monitoring for proxy activity and spawned scripts to protect against this malware. It arrives amid a significant escalation in Windows-based crypto stealers in 2026, including a new Windows malware strain called Lucid Stealer that targets browser extensions and crypto wallets.
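
The pattern in the third key fact (legitimate files hidden, lookalike shortcuts left in their place) can be checked for on a removable drive before anything on it is opened. The Python check below is an added example, not code from Microsoft or Cointelegraph; the shortcut naming it matches ("<name>.lnk" or "<stem>.lnk"), the function names and the sample listing are assumptions constructed for illustration.

```python
import os
import sys
from pathlib import Path

HIDDEN = 0x2  # Windows FILE_ATTRIBUTE_HIDDEN bit in st_file_attributes

def list_entries(root):
    """Return (name, hidden) for every entry directly under root.
    st_file_attributes exists only on Windows; elsewhere nothing reads as hidden."""
    entries = []
    for entry in os.scandir(root):
        attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
        entries.append((entry.name, bool(attrs & HIDDEN)))
    return entries

def find_lookalike_shortcuts(entries):
    """Pair each visible .lnk with the hidden entry it appears to stand in for.
    Assumed naming: shortcut is '<hidden name>.lnk' or '<hidden stem>.lnk'.
    Explorer hides the .lnk suffix, so both display like the original file."""
    hidden = {}
    for name, is_hidden in entries:
        if is_hidden and not name.lower().endswith(".lnk"):
            hidden.setdefault(name.lower(), name)             # report.docx
            hidden.setdefault(Path(name).stem.lower(), name)  # report
    findings = []
    for name, is_hidden in entries:
        if is_hidden or not name.lower().endswith(".lnk"):
            continue
        target = hidden.get(name[:-4].lower())
        if target:
            findings.append((name, target))
    return sorted(findings)

# Constructed sample listing of a USB drive root: (file name, hidden attribute set)
SAMPLE = [
    ("Budget.xlsx", True), ("Budget.xlsx.lnk", False),
    ("Photos", True), ("Photos.lnk", False),
    ("thesis.pdf", True), ("THESIS.lnk", False),
    ("Notes.lnk", False),   # ordinary shortcut, no hidden counterpart
    ("readme.txt", False),
]

if __name__ == "__main__":
    # With a path argument, scan that drive root; otherwise use the sample.
    listing = list_entries(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for shortcut, original in find_lookalike_shortcuts(listing):
        print(f"SUSPICIOUS: {shortcut} stands in for hidden {original}")
```

A hit is a triage signal, not a verdict: the drive should be examined on an isolated machine and the shortcuts left unopened.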

Summarised in seconds by Grasp AI
