Microsoft has detailed a newly discovered malware campaign that combines several techniques rarely seen together in modern cybercrime operations, reviving the tactics of old USB-borne worms while targeting one of today’s most lucrative assets: cryptocurrency. The campaign, which Microsoft researchers have tracked since February 2026, revolves around a piece of malware known as a “crypto clipper.” Such malware is designed to intercept cryptocurrency transactions by replacing wallet addresses copied to a victim’s clipboard. However, researchers say this campaign goes far beyond a typical clipper operation.
According to Microsoft’s analysis, the malware is capable of spreading through removable storage devices, maintaining long-term persistence on infected systems, and communicating with attackers through the Tor anonymity network. The combination has led researchers to classify it as a more sophisticated threat than the average cryptocurrency-stealing malware. Microsoft Defender detects it as Trojan/CryptoBandits.A.A.
One of the most unusual aspects of the campaign is how it spreads. While most contemporary malware relies on phishing emails, malicious advertisements, or compromised software downloads, this operation uses removable USB drives as a propagation mechanism.
Microsoft found that the malware hides legitimate files stored on a USB device and replaces them with shortcut files designed to appear identical to the originals. When a user opens what appears to be a document, the shortcut launches malicious scripts in the background while preserving the illusion that the intended file was opened normally.
Researchers noted that the malware is capable of copying itself onto newly connected removable drives, allowing it to move from one machine to another without relying on internet-based distribution. This worm-like behavior echoes techniques widely used by malware families more than a decade ago but is now rarely observed in campaigns focused on cryptocurrency theft. The approach gives attackers a reliable way to spread inside environments where users frequently exchange files through portable storage devices.
The campaign also reflects a broader trend in Microsoft’s recent threat intelligence findings. Researchers have increasingly observed attackers combining traditional infection techniques with modern infrastructure and automation tools to improve success rates. Similar patterns have appeared in recent phishing operations that leveraged advanced technologies to target organizations at scale.
Once installed, the malware begins monitoring the system for cryptocurrency-related activity. Its primary objective remains financial theft. The malware polls the clipboard every 500 milliseconds looking for cryptocurrency wallet addresses. When a victim copies a wallet address in order to send funds, the malware can replace it with an address controlled by the attacker.
The replacement is chosen to survive a quick visual check. The malware selects attacker-controlled addresses whose first few or last few characters match those of the legitimate address, particularly for Bitcoin Legacy, P2SH, Taproot, Tron, Monero, and other popular cryptocurrencies, so the swap is harder for users to notice before confirming a transaction. Because blockchain transactions are generally irreversible, funds sent to an attacker’s wallet are often impossible to recover.
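The behaviour described above (same address family, the visible prefix or suffix preserved, the replacement landing in the clipboard within a fraction of a second) can be turned into a host-side check. The following Python is an added example, not code from Microsoft's report: it classifies clipboard contents by address family using assumed format rules (prefix, alphabet and length only; no checksum validation) and flags address-to-address changes that keep the ends a user would glance at. The clipboard timelines and addresses are constructed; a real deployment would feed the detector from a clipboard-change listener.

```python
import re
from typing import List, Optional, Tuple

# Address-shape rules for the families the report names. These are assumed format checks
# based on the public encodings (prefix plus alphabet plus length); checksums are not verified.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
BECH32 = r"[02-9ac-hj-np-z]"
ADDRESS_PATTERNS = {
    "btc_legacy":  re.compile(r"^1" + BASE58 + r"{25,33}$"),
    "btc_p2sh":    re.compile(r"^3" + BASE58 + r"{25,33}$"),
    "btc_taproot": re.compile(r"^bc1p" + BECH32 + r"{58}$"),
    "tron":        re.compile(r"^T" + BASE58 + r"{33}$"),
    "monero":      re.compile(r"^4" + BASE58 + r"{94}$"),
}

Snapshot = Tuple[int, str]  # (timestamp in ms, clipboard text), recorded on every clipboard change


def classify_address(text: str) -> Optional[str]:
    """Return the address family of a clipboard string, or None if it is not a known address shape."""
    candidate = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return family
    return None


def looks_like_swap(original: str, replacement: str, prefix_len: int = 4, suffix_len: int = 4) -> bool:
    """A clipper-style swap changes the middle of the address but keeps the ends a user glances at."""
    if original == replacement:
        return False
    same_prefix = original[:prefix_len] == replacement[:prefix_len]
    same_suffix = original[-suffix_len:] == replacement[-suffix_len:]
    return same_prefix or same_suffix


def detect_clipboard_swaps(snapshots: List[Snapshot], max_gap_ms: int = 2000,
                           prefix_len: int = 4, suffix_len: int = 4) -> List[dict]:
    """Flag consecutive clipboard changes where one address is replaced by another of the same
    family, faster than a person would re-copy, with the visible prefix or suffix preserved."""
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(snapshots, snapshots[1:]):
        prev, cur = prev.strip(), cur.strip()
        fam_prev, fam_cur = classify_address(prev), classify_address(cur)
        if fam_prev is None or fam_prev != fam_cur:
            continue  # not an address-to-address change within one family
        if t_cur - t_prev > max_gap_ms:
            continue  # slow enough to be a deliberate second copy by the user
        if looks_like_swap(prev, cur, prefix_len, suffix_len):
            alerts.append({"family": fam_prev, "original": prev,
                           "replacement": cur, "delay_ms": t_cur - t_prev})
    return alerts


# Constructed sample addresses: valid shape, not real wallets.
LEGIT_LEGACY = "1Az9QxKzCJ7mN2pRsTuVwXyZabcdefghjk"
SWAPPED_LEGACY = "1Az9mKqW5pHsXyZbcNvRtJ2uEaDfGBghjk"   # same first 4 and last 4 characters
P2SH_SAMPLE = "3AbcDefGhJkMnPqRsTuVwXyZ23456789AB"
TRON_SAMPLE = "TAbcDefGhJkMnPqRsTuVwXyZ23456789AB"

# Constructed clipboard timelines: the first contains a 500 ms swap, the second is ordinary use.
SWAP_TIMELINE: List[Snapshot] = [
    (0, "invoice #42"), (1200, LEGIT_LEGACY), (1700, SWAPPED_LEGACY), (40000, P2SH_SAMPLE),
]
BENIGN_TIMELINE: List[Snapshot] = [
    (0, "meeting notes"), (5000, LEGIT_LEGACY), (50000, TRON_SAMPLE), (51000, TRON_SAMPLE),
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SWAP_TIMELINE):
        print(f"possible clipper swap ({alert['family']}, {alert['delay_ms']} ms): "
              f"{alert['original']} -> {alert['replacement']}")
```

The two-second window is the design choice that matters: a clipper polling at 500 ms rewrites the clipboard almost immediately after the copy, while a user re-copying a second address takes far longer, so timing separates the two cases more reliably than address similarity alone. Tune `prefix_len` and `suffix_len` to how many characters your users actually compare; the defaults assume the common habit of checking only the ends.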
Microsoft’s investigation found that the malware also searches for wallet recovery phrases, private keys, and other cryptocurrency-related credentials. Researchers observed screenshot-capturing functionality that takes multiple screenshots at 10-second intervals, suggesting the operators are interested in gathering additional information from compromised devices. The malware stores much of its functionality in encrypted form and uses obfuscated JavaScript components to make analysis more difficult. Microsoft also noted that some modules contain checks designed to identify security tools or analysis environments, including Task Manager, helping the malware avoid detection.
These capabilities indicate that the campaign is not limited to simple clipboard manipulation. Instead, it appears designed to establish continued access while maximizing opportunities for cryptocurrency theft. The malware also supports remote code execution through “EVAL” commands received from its command-and-control infrastructure.
Perhaps the most significant finding in Microsoft’s report is the campaign’s use of the Tor network. The malware launches a renamed Tor binary called “ugate.exe” and connects to hidden services hosted within Tor. This provides attackers with an additional layer of anonymity and makes infrastructure tracking significantly more difficult. Researchers observed that infected systems could receive commands from operators, download additional payloads, and execute tasks remotely. While Microsoft has not described the malware as a full-featured remote access trojan, the command capabilities suggest operators can expand their activities beyond clipboard hijacking if needed.
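Two of the report's observations translate directly into hunting logic over process-creation telemetry: the USB shortcut that launches a script host while pretending to open a document, and a Tor binary running under the name ugate.exe. The Python below is an added example, not code from Microsoft or the Tor project; it assumes Sysmon Event ID 1 style field names (Image, OriginalFileName, CommandLine, ParentImage) and assumes the Tor build carries version information naming its original file tor.exe. The log records, paths and the E: drive letter are constructed.

```python
import json
import ntpath
import re
from typing import List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
# Tor-specific option names (real torrc/CLI options) used as a fallback signal when version
# information has been stripped; treating their presence as suspicious is an assumed heuristic.
TOR_ARGS = ("SocksPort", "ControlPort", "DataDirectory", "-f torrc")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_renamed_tor(ev: dict) -> Optional[str]:
    """Assumes Tor's PE version resource names the original file tor.exe; running it under another
    name (the report's ugate.exe) leaves OriginalFileName and the on-disk image name disagreeing."""
    image = basename(ev.get("Image", ""))
    if image == "tor.exe":
        return None
    if ev.get("OriginalFileName", "").lower() == "tor.exe":
        return "renamed_tor_binary"
    cmd = ev.get("CommandLine", "").lower()
    if any(arg.lower() in cmd for arg in TOR_ARGS):
        return "tor_arguments_under_other_name"
    return None


def rule_script_from_non_system_drive(ev: dict, system_drive: str = "C:") -> Optional[str]:
    """A shortcut double-clicked in Explorer that starts a script host with the script on another
    drive letter is the shape of the USB shortcut lure. Drive letters alone do not prove the media
    is removable, so correlate with removable-drive events in a real deployment."""
    if basename(ev.get("ParentImage", "")) != "explorer.exe":
        return None
    if basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return None
    drives = re.findall(r"([A-Za-z]:)\\", ev.get("CommandLine", ""))
    if any(d.upper() != system_drive.upper() for d in drives):
        return "script_host_launched_from_non_system_drive"
    return None


def hunt(log_lines: List[str]) -> List[dict]:
    """Run both rules over JSON-lines process-creation records and return the hits in order."""
    hits = []
    for line in log_lines:
        ev = json.loads(line)
        for rule in (rule_script_from_non_system_drive, rule_renamed_tor):
            verdict = rule(ev)
            if verdict:
                hits.append({"rule": verdict, "image": ev.get("Image"), "cmd": ev.get("CommandLine")})
    return hits


# Constructed Sysmon-style (Event ID 1) records; paths, file names and the E: drive are made up.
SAMPLE_LOG_LINES = [json.dumps(e) for e in [
    {"Image": "C:\\Windows\\System32\\wscript.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": "\"C:\\Windows\\System32\\wscript.exe\" //B \"E:\\.cache\\open.js\"",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Users\\alice\\AppData\\Roaming\\svc\\ugate.exe", "OriginalFileName": "tor.exe",
     "CommandLine": "ugate.exe -f torrc", "ParentImage": "C:\\Windows\\System32\\wscript.exe"},
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "OriginalFileName": "WinWord.exe", "CommandLine": "\"WINWORD.EXE\" \"E:\\report.docx\"",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Users\\alice\\Desktop\\Tor Browser\\Browser\\TorBrowser\\Tor\\tor.exe",
     "OriginalFileName": "tor.exe", "CommandLine": "tor.exe -f torrc",
     "ParentImage": "C:\\Users\\alice\\Desktop\\Tor Browser\\Browser\\firefox.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG_LINES):
        print(f"{hit['rule']}: {hit['image']}  [{hit['cmd']}]")
```

The version-information check is the higher-confidence signal, because renaming the file does not change the PE resource; the argument-based fallback exists for builds where that resource has been stripped and will need tuning against legitimate Tor Browser installs, which the sample deliberately includes as a non-hit.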
The use of Tor also complicates defensive efforts. Security teams can often identify and block known command-and-control infrastructure, but hidden services are considerably harder to attribute and disrupt. Security experts note that reducing the impact of threats like CryptoBandits requires more than endpoint protection alone. Strong access controls, device management policies, and operational security practices can help organizations limit the spread of malware and prevent unauthorized access to sensitive systems and cryptocurrency-related assets.
For Microsoft researchers, the campaign highlights an emerging trend in cybercrime. Rather than relying on a single technique, attackers are increasingly combining older propagation methods, credential theft capabilities, persistence mechanisms, and anonymous communications infrastructure into modular operations that can remain active for extended periods.
Microsoft has released detections and mitigation guidance for customers, but the company has not indicated whether the infrastructure behind the campaign has been dismantled. As a result, security researchers continue to treat the operation as an active threat. The discovery serves as a reminder that even as cybercriminals pursue new opportunities in cryptocurrency, they are often willing to revive older attack methods if those techniques still provide a path into targeted systems. In this case, a tactic once associated with USB worms has been adapted for an era increasingly shaped by digital assets.