Guavy AI Editorial Team

CryptoBandits Malware Spreads Through Windows-Based Shortcut Files

A Windows-based crypto clipper campaign has been spreading since February 2026, warns Microsoft Threat Intelligence. The malware, dubbed CryptoBandits, uses Tor-routed communication and wallet replacement to steal sensitive data.

The attack starts with malicious .lnk shortcut files that can arrive through USB storage devices and launch a worm component on infected Windows systems. Once active, the malware creates more malicious shortcuts from legitimate files found on the device, setting up scheduled tasks for persistence.

CryptoBandits also deploys a portable Tor client to route traffic through a local SOCKS5 proxy, hiding command traffic and making blocking harder. The malware checks the clipboard every 500 milliseconds, looking for seed phrases, private keys, and crypto wallet addresses. If it finds a wallet address, it can replace it with an attacker-controlled address.
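As an added example that is not from the article or from Microsoft's report: a small detector for the clipper behaviour described above, run over constructed clipboard-change samples. The address formats, the seed-phrase heuristic and the one-second swap window are assumptions; the article does not say which wallet formats the malware targets.

```python
import re
from typing import List, Optional, Tuple

# Illustrative address formats (assumption: the article does not name the coins targeted).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
# A clipper polling every 500 ms overwrites the clipboard well inside one second, while a
# human re-copying a different address takes longer. Assumed threshold, not from the article.
SWAP_WINDOW_MS = 1000

def classify(text: str) -> Optional[str]:
    """Return the address family of text, or None if it does not look like an address."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None

def looks_like_seed_phrase(text: str) -> bool:
    """Heuristic for a BIP39-style seed phrase: 12 or 24 lowercase alphabetic words."""
    words = text.split()
    return len(words) in (12, 24) and all(w.isalpha() and w.islower() for w in words)

def detect_clipper_swaps(samples: List[Tuple[int, str]],
                         window_ms: int = SWAP_WINDOW_MS) -> List[Tuple[int, str, str, str]]:
    """Flag an address replaced by a *different* address of the same family within window_ms.
    samples: (timestamp_ms, clipboard_text), one entry per observed clipboard change.
    Returns (timestamp_ms, family, original_address, replacement_address) tuples."""
    alerts: List[Tuple[int, str, str, str]] = []
    prev_t, prev_text, prev_family = 0, "", None
    for t, text in samples:
        family = classify(text)
        if (family is not None and family == prev_family
                and text.strip() != prev_text.strip() and t - prev_t <= window_ms):
            alerts.append((t, family, prev_text.strip(), text.strip()))
        prev_t, prev_text, prev_family = t, text, family
    return alerts

# Constructed clipboard history: the user copies an address at t=5000 ms and the clipper
# overwrites it about 500 ms later; the copy at t=60000 ms is a normal, slow change.
SAMPLE_CLIPBOARD = [
    (0, "meeting notes"),
    (5000, "0x" + "1" * 40),
    (5480, "0x" + "2" * 40),
    (60000, "0x" + "3" * 40),
]
```

Running `detect_clipper_swaps(SAMPLE_CLIPBOARD)` yields a single alert for the swap at 5480 ms; the same logic can be fed from a real clipboard-change hook on the endpoint.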

The campaign goes beyond basic wallet address switching, allowing attackers to upload screenshots, contact hidden command servers, and run attacker-supplied code through an EVAL command. This turns the malware into a lightweight backdoor.