
Microsoft Identifies New Crypto Malware Targeting Wallet Addresses and Private Keys

2026/06/19 19:15
  • Microsoft found crypto clipper malware built on the Windows operating system that steals credentials and cryptocurrency addresses.
  • The malware relies on the Tor network, malicious shortcuts, and USB drives.

In February 2026, Microsoft Threat Intelligence and Microsoft Defender Experts found a crypto clipper campaign built on Windows. The malware targets cryptocurrency holders through clipboard hijacking and searches for sensitive wallet information. Microsoft reported the findings on its blog.

Attackers primarily spread this malware through malicious .lnk shortcut files distributed on USB drives. Once the malicious code is activated, the malware releases two modules. One module spreads the malware across systems, while the other operates as a clipper and information stealer. Microsoft Defender Antivirus identifies the threat as Trojan/CryptoBandits.A.

Unlike most malware operations, this one does not require an installer or any control servers, since it uses Windows Script Host and ActiveX technology to launch a packaged Tor proxy. It then sets up a SOCKS5 proxy on the infected computer and connects to the control servers, which run as Tor hidden services.

Malware Snatches Wallet Information and Swaps Addresses

After infecting a system, the malware continuously monitors clipboard content and looks for recovery phrases, private keys, and wallet addresses. According to Microsoft, the malware specifically targets 12-word and 24-word recovery phrases, Bitcoin private keys, and Ethereum private keys. It swaps copied wallet addresses with ones controlled by the attackers before users finish their transactions.

The malware takes screenshots and sends them over Tor connections, which gives the attackers more information on wallet balances and user activity. Microsoft also stated that the malware is capable of remote code execution, allowing the attackers to send additional instructions, and that it maintains persistence through scheduled tasks and encrypts its malicious components.

Researchers identified several indicators of compromise, including suspicious JavaScript execution, localhost:9050 proxy activity, PowerShell-based screenshot capture, and clipboard monitoring behavior. Microsoft recommended that organizations disable auto-run features, restrict script interpreters and executable shortcuts from USB drives, and monitor for related suspicious activity. This malware campaign underscores the continued growth of cryptocurrency usage among investors and users.
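Any one of these indicators is weak on its own, so a practical check correlates them per host. The following is an added example, not code from Microsoft's report or the original article; the event field names, the sample events, and the `Get-Clipboard` heuristic are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events. Field names are hypothetical, loosely modelled on
# process-creation and network-connection telemetry; they are not from the report.
EVENTS = [
    {"host": "ws01", "image": "wscript.exe",
     "cmdline": r'wscript.exe "E:\docs\report.js"', "dest": ""},
    {"host": "ws01", "image": "wscript.exe", "cmdline": "wscript.exe",
     "dest": "127.0.0.1:9050"},
    {"host": "ws01", "image": "powershell.exe",
     "cmdline": "powershell -w hidden $g.CopyFromScreen(0,0,0,0,$b.Size)", "dest": ""},
    {"host": "ws02", "image": "chrome.exe", "cmdline": "chrome.exe",
     "dest": "203.0.113.10:443"},
    {"host": "ws03", "image": "tor.exe", "cmdline": "tor.exe",
     "dest": "127.0.0.1:9050"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
LOOPBACK_SOCKS = re.compile(r"^(127\.0\.0\.1|localhost|\[::1\]):9050$", re.I)
JS_ARG = re.compile(r"\.jse?\b", re.I)

def match(event):
    """Return the set of article-listed indicators that one event exhibits."""
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    hits = set()
    if image in SCRIPT_HOSTS and JS_ARG.search(cmd):
        hits.add("script_host_js")          # JavaScript run by Windows Script Host
    if LOOPBACK_SOCKS.match(event["dest"]):
        hits.add("tor_socks_local")         # localhost:9050 proxy activity
    if image in POWERSHELL and "copyfromscreen" in cmd:
        hits.add("powershell_screenshot")   # screen capture via .NET Graphics
    if image in POWERSHELL and "get-clipboard" in cmd:
        hits.add("powershell_clipboard")    # assumed form of clipboard polling
    return hits

def triage(events, threshold=2):
    """Group hits per host; report hosts with >= threshold distinct indicators."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= match(ev)
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= threshold}

if __name__ == "__main__":
    for host, indicators in triage(EVENTS).items():
        print(host, indicators)
```

With the default threshold, a host that only runs a local Tor SOCKS listener (ws03 in the sample) is not reported, while a host combining script-host JavaScript, loopback 9050 traffic and PowerShell screen capture is.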
