Guavy AI Editorial Team

Microsoft Warns of Windows-Based Crypto Clipper Malware Hijacking Wallet Transfers

Microsoft has issued a warning about a new Windows-based crypto clipper malware that can steal wallet data and hijack cryptocurrency transfers. The malware, known as CryptoBandits.A, uses Tor to hide its command servers and has been spreading since February 2026.

The campaign uses malicious .lnk shortcuts and USB drives to infect devices, and the malware launches through Windows Script Host and ActiveX-based commands after a user opens a malicious shortcut. Once launched, the script starts a renamed Tor file called ugate.exe in a hidden window, which contacts hidden-service command servers through a local proxy.

The clipper polls the clipboard at a high rate looking for cryptocurrency wallet addresses and other valuable data; when it finds an address, it replaces it with an attacker-controlled one so that the victim's next paste sends funds to the attacker. It can also steal seed phrases, private keys, and other wallet-related information, and it takes screenshots and sends them to its command server.
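As an added defender-side illustration (not code from Microsoft's advisory or from this article): a heuristic that replays clipboard samples collected by a monitoring agent and flags the swap pattern described above, where a copied wallet address is silently replaced by a different address of the same format within a short window. The address patterns (Bitcoin and Ethereum only), the 2-second window, and the sample clipboard values are all assumptions; the addresses are constructed placeholders, not real ones.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumed address shapes: legacy/bech32 Bitcoin and hex Ethereum. Extend as needed.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


class Swap(NamedTuple):
    copied_at: float      # when the original address first appeared on the clipboard
    original: str
    replaced_at: float    # when it was seen replaced
    replacement: str
    kind: str


def address_kind(text: str) -> Optional[str]:
    """Return 'btc'/'eth' if the clipboard text looks like a wallet address, else None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_swaps(samples: List[Tuple[float, str]], window_s: float = 2.0) -> List[Swap]:
    """samples: (timestamp_seconds, clipboard_text) pairs from periodic clipboard polling.
    A clipper swap shows up as an address being replaced by a *different* address of the
    same kind shortly after it was copied. A user copying two addresses in quick
    succession looks the same, so treat hits as alerts to review, not proof."""
    hits: List[Swap] = []
    cur_text, cur_since = None, 0.0
    for t, text in samples:
        if cur_text is None:
            cur_text, cur_since = text, t
            continue
        if text != cur_text:
            old_kind, new_kind = address_kind(cur_text), address_kind(text)
            if old_kind is not None and old_kind == new_kind and t - cur_since <= window_s:
                hits.append(Swap(cur_since, cur_text.strip(), t, text.strip(), old_kind))
            cur_text, cur_since = text, t
    return hits


# Constructed sample: the user copies a payee address at t=0.5 and a second, different
# Bitcoin address appears one second later without a new copy action. The later
# Ethereum addresses are 11 seconds apart and are not flagged.
SAMPLE_CLIPBOARD = [
    (0.0, "meeting notes"),
    (0.5, "1CopiedPayeeAddrAAAAAAAAAAAA"),
    (1.0, "1CopiedPayeeAddrAAAAAAAAAAAA"),
    (1.5, "1SwappedAttackerAddrAAAAAAAA"),
    (2.0, "1SwappedAttackerAddrAAAAAAAA"),
    (9.0, "0x" + "a" * 40),
    (20.0, "0x" + "b" * 40),
]
```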

Microsoft advised organizations to monitor endpoint behavior, removable drives, and suspicious shortcut activity, warning that the campaign shows how wallet transfers can be hijacked through common Windows features and ordinary user actions.