CryptoBandits malware uses USB shortcuts to steal crypto
Microsoft’s June 17 security report: CryptoBandits, active since February 2026, spreads via malicious .lnk USB shortcuts, steals seed phrases and private keys, swaps copied crypto addresses and exfiltrates data via Tor.
Microsoft’s June 17 security report identifies CryptoBandits as a Windows malware family active since February 2026 that spreads through malicious .lnk shortcut files on removable USB drives. The report details how the shortcut launches a worm component that hides original files on the drive, replaces them with look-alike shortcuts, and drops an obfuscated JavaScript payload under C:\Users\Public\Documents.
The malware uses scheduled tasks for persistence. One scheduled task focuses on spreading to newly inserted USB drives, while another runs the data-stealing and monitoring functions. After installation, the malware continuously polls the Windows clipboard at roughly 500 millisecond intervals and searches for 12- or 24-word BIP39 seed phrases, Bitcoin WIF keys, Ethereum private keys and cryptocurrency addresses.
When a seed phrase or private key is found, the malware can save it locally and send it to a command-and-control server over Tor. When a user copies a recipient address, the malware can replace the value with an attacker-controlled address. Microsoft documents several replacement techniques, including matching the initial characters of Bitcoin, Tron or Monero addresses and changing only the final character of some Bech32 Bitcoin addresses so that they appear similar on cursory inspection.
CryptoBandits also captures screenshots and other wallet context and routes communications through a local Tor proxy. The use of a localhost SOCKS5 proxy makes simple network blocking less effective and can complicate detection based solely on external network connections.
The report lists detection and mitigation steps. Recommended controls include disabling AutoRun and AutoPlay for removable media and blocking execution of .lnk files from USB drives via Group Policy where possible. The report recommends restricting wscript.exe and cscript.exe, applying Attack Surface Reduction rules to surface obfuscated scripts and suspicious child-process activity, and reviewing scheduled task entries for unexpected jobs.
For hunting and triage, the report highlights behavioral indicators such as script engines launching curl, cmd.exe or PowerShell, local SOCKS5 proxy activity on localhost:9050, and PowerShell screen-capture operations on machines used for wallet activity. Microsoft Defender detections include Trojan:Win32/CryptoBandits.A and related JavaScript indicators, with EDR coverage for suspicious JavaScript processes, curl-based exfiltration and Task Scheduler activity.
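The hunting indicators above can be turned into simple triage rules over endpoint telemetry. The following is an added example, not code from Microsoft's report: it runs three rules (script host spawning curl/cmd/PowerShell, script host creating a scheduled task, and a connection to the local SOCKS5 port 9050) over a handful of constructed process and network events whose field names are assumed for this example.

```python
"""Triage constructed endpoint events for the CryptoBandits hunting indicators
named in the report. Event shape and sample data are constructed for this
example; they are not taken from the report or from real telemetry."""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_CHILDREN = {"curl.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
TOR_SOCKS_PORT = 9050  # localhost SOCKS5 port named in the report


def _image_name(path):
    """Lower-cased file name of an image path, e.g. 'C:\\x\\curl.exe' -> 'curl.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of hunting rules a single event matches (empty if none)."""
    hits = []
    if event["type"] == "process":
        parent = _image_name(event["parent_image"])
        child = _image_name(event["image"])
        if parent in SCRIPT_HOSTS and child in SUSPICIOUS_CHILDREN:
            hits.append("script_host_spawns_tool")
        if parent in SCRIPT_HOSTS and child == "schtasks.exe":
            hits.append("script_host_creates_task")
    elif event["type"] == "network":
        if event["dest_ip"] in ("127.0.0.1", "::1") and event["dest_port"] == TOR_SOCKS_PORT:
            hits.append("localhost_socks5_9050")
    return hits


def triage(events):
    """Map each rule name to the indices of the events that matched it."""
    matched = {}
    for idx, ev in enumerate(events):
        for rule in classify(ev):
            matched.setdefault(rule, []).append(idx)
    return matched


# Constructed sample events (assumed field names: type, parent_image, image,
# cmdline, dest_ip, dest_port). Index 1 is a benign control case.
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\curl.exe", "cmdline": "curl.exe --socks5 127.0.0.1:9050 EXAMPLE_URL"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"type": "network", "image": r"C:\Windows\System32\curl.exe",
     "dest_ip": "127.0.0.1", "dest_port": 9050},
    {"type": "process", "parent_image": r"C:\Windows\System32\cscript.exe",
     "image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks /create /tn EXAMPLE_TASK"},
]

if __name__ == "__main__":
    for rule, indices in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{rule}: events {indices}")
```

Real deployments would key the same rules on Sysmon or EDR process-creation and network-connection events and add the PowerShell screen-capture indicator once its command-line shape for the environment is known.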
The company did not disclose victim counts, confirmed theft totals, geographic distribution or an attribution for the actor behind the malware. The report notes that hardware wallets protect signing keys but cannot guarantee the clipboard or on-screen address on a compromised machine is trustworthy. The report advises keeping recovery material off networked machines, using dedicated signing devices with minimal exposure to untrusted shortcuts and scripts, verifying full recipient addresses on a trusted display before confirming a send, rotating wallet secrets if an endpoint is suspected compromised, and isolating any device believed to be infected.