June 18, 2026 ChainGPT

Microsoft: Clipboard-stealing clipper evolves into Tor backdoor targeting crypto users

Microsoft: clipper malware has evolved into a lightweight backdoor that targets crypto users

Microsoft Threat Intelligence is warning of an active Windows-based crypto clipper campaign, tracked since February 2026, that no longer just swaps wallet addresses — it now behaves more like a persistent backdoor.

What Microsoft found

- Detection: Microsoft Defender flags the malware as Trojan:Win32/CryptoBandits.A.
- Multi-pronged behavior: the campaign combines clipboard theft, wallet-address replacement, worm-like spreading, and Tor-based communications.
- Infection vector: attacks begin with malicious .lnk shortcut files, often delivered via USB storage. When opened, these shortcuts launch a worm component that creates more malicious shortcuts from legitimate files on the device.
- Persistence and stealth: the malware creates scheduled tasks to survive reboots and relies on script-based tools (instead of a large installer), complicating simple file-based detection.
- Anonymous comms: a portable Tor client is deployed and traffic is routed through a local SOCKS5 proxy (localhost:9050) to .onion command-and-control domains, reducing DNS visibility and making blocking harder.

How it targets crypto assets

- Rapid clipboard monitoring: the clipper polls the clipboard about every 500 ms, searching for seed phrases, private keys, and crypto wallet addresses.
- Address replacement and data exfiltration: if a wallet address is found it can be replaced with an attacker-controlled address. If a seed phrase or private key is detected, the malware can send that data out through Tor.
- Beyond clipping: the campaign can upload screenshots, contact hidden command servers, and execute attacker-supplied code via an EVAL command. Those capabilities turn a simple clipper into a lightweight backdoor with remote-control functionality.
Microsoft’s guidance

Microsoft advised defenders to “hunt for correlated behaviors rather than investigate isolated events.” Specific signs to watch for include:

- Script engines launching curl, cmd.exe, PowerShell, or unexpected files
- localhost:9050 traffic (indicating a Tor SOCKS proxy)
- New or unusual scheduled tasks
- Malicious .lnk files or unexplained shortcut creation

Context and trend

This warning builds on other recent crypto-targeting malware activity: Microsoft-linked alerts about StilachiRAT (clipboard monitoring and wallet scanning), reports on SparkCat (image scanning for seed phrases in screenshots), and earlier warnings from Binance about clipper malware replacing copied wallet addresses. Microsoft’s new report highlights that clippers are becoming more layered — they no longer just wait for a copied address, but can propagate, hide traffic through Tor, steal seed data, capture screens, and maintain long-term access.

Practical steps for users and teams

- Be cautious with USB drives and untrusted shortcuts; disable autorun where possible.
- Keep Windows and antivirus definitions up to date; Microsoft Defender detects this threat as Trojan:Win32/CryptoBandits.A.
- Verify addresses manually (or via hardware wallets/QR codes) rather than relying solely on clipboard copy-paste.
- Monitor for localhost:9050 or unexpected Tor activity, unusual scheduled tasks, and script processes spawning network tools.
- Incident responders should correlate these behaviors rather than treating single alerts in isolation.

The takeaway: clipboard-stealing clippers have matured into stealthier, more persistent threats that can do far more than swap addresses. Crypto users and security teams should bolster hygiene and hunt for the combined indicators described above.
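The hunting guidance above asks defenders to correlate several weak signals (script engines spawning shell or network tools, connections to localhost:9050, new scheduled tasks, unexplained .lnk creation) instead of alerting on each one alone. The following Python is an added illustration of that correlation logic, not code from Microsoft or from the report: it classifies Sysmon-style events into the four indicator categories the report names and flags a host only when two or more distinct categories occur within a time window. The event field names (`type`, `parent`, `image`, `dst_ip`, `dst_port`, `target`) and the sample events are constructed assumptions, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process names the guidance treats as suspicious when chained:
# script engines as parents, shell/network tools as children.
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SPAWNED_TOOLS = {"curl.exe", "cmd.exe", "powershell.exe"}
TOR_SOCKS_PORT = 9050  # local Tor SOCKS5 proxy port named in the report


def _basename(path):
    """Last path component, handling both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_event(ev):
    """Map one constructed Sysmon-like event dict to an indicator category,
    or None when it matches none of the report's hunting signals."""
    kind = ev.get("type")
    if kind == "process":
        if _basename(ev["parent"]) in SCRIPT_ENGINES and _basename(ev["image"]) in SPAWNED_TOOLS:
            return "script_spawns_tool"
    elif kind == "network":
        if ev.get("dst_ip") in ("127.0.0.1", "::1") and ev.get("dst_port") == TOR_SOCKS_PORT:
            return "tor_socks"
    elif kind == "task_created":
        return "scheduled_task"
    elif kind == "file_create":
        if ev["target"].lower().endswith(".lnk"):
            return "lnk_created"
    return None


def correlate(events, window_minutes=30, min_categories=2):
    """Return {host: sorted categories} for hosts where at least
    `min_categories` distinct indicator types occur within `window_minutes`
    of each other. A single signal (e.g. one admin scheduled task) never fires."""
    window = timedelta(minutes=window_minutes)
    per_host = defaultdict(list)
    for ev in events:
        cat = classify_event(ev)
        if cat:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cat))

    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        best = set()
        # Slide a window forward from each hit and keep the richest category set.
        for i, (t0, _) in enumerate(hits):
            cats = {c for t, c in hits[i:] if t - t0 <= window}
            if len(cats) > len(best):
                best = cats
        if len(best) >= min_categories:
            flagged[host] = sorted(best)
    return flagged


# Constructed sample telemetry (hypothetical hosts and paths, not real data).
SAMPLE_EVENTS = [
    # WS01: all four behaviours inside a couple of minutes -> should be flagged.
    {"ts": "2026-06-18T09:00:01", "host": "WS01", "type": "file_create",
     "target": "E:\\Documents\\Report.docx.lnk"},
    {"ts": "2026-06-18T09:00:05", "host": "WS01", "type": "process",
     "parent": "C:\\Windows\\System32\\wscript.exe", "image": "C:\\Windows\\System32\\cmd.exe"},
    {"ts": "2026-06-18T09:00:06", "host": "WS01", "type": "task_created", "name": "UpdateCheck"},
    {"ts": "2026-06-18T09:01:10", "host": "WS01", "type": "network",
     "dst_ip": "127.0.0.1", "dst_port": 9050},
    # WS02: one benign-looking scheduled task and a normal process -> not flagged.
    {"ts": "2026-06-18T10:15:00", "host": "WS02", "type": "task_created", "name": "Backup"},
    {"ts": "2026-06-18T10:15:30", "host": "WS02", "type": "process",
     "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe"},
    # WS03: two signals but 2.5 hours apart -> outside the default 30-minute window.
    {"ts": "2026-06-18T11:00:00", "host": "WS03", "type": "network",
     "dst_ip": "127.0.0.1", "dst_port": 9050},
    {"ts": "2026-06-18T13:30:00", "host": "WS03", "type": "file_create",
     "target": "C:\\Users\\alice\\Desktop\\Photo.lnk"},
]


if __name__ == "__main__":
    for host, cats in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: correlated indicators -> {', '.join(cats)}")
```

The window and the two-category threshold are tunable; widening the window (for example to three hours) would also surface WS03, which is the trade-off between catching slow-moving infections and raising noise from hosts that legitimately run Tor or create shortcuts.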