Microsoft Identifies New Crypto Malware Targeting Wallet Addresses and Private Keys

TheNewsCrypto. Published 2026-06-19. Updated 2026-06-19.

Summary

In February 2026, Microsoft identified a new crypto clipper malware, dubbed Trojan/CryptoBandits.A, targeting Windows systems. The malware spreads via malicious shortcut files on USB drives and operates without a traditional installer or control servers by leveraging Windows Script Host and ActiveX to deploy a Tor proxy. Once active, it runs two modules: one for spreading and another for stealing information. The malware continuously monitors the clipboard for 12- or 24-word recovery phrases, Bitcoin and Ethereum private keys, and wallet addresses. When a user copies a wallet address, the malware silently swaps it with one controlled by the attackers to divert funds. It also captures screenshots to gather information on wallet balances and user activity, sending the data over Tor connections. Additional capabilities include remote code execution and persistence via scheduled tasks. Microsoft advises disabling auto-run features, restricting script interpreters and executable shortcuts from USB drives, and monitoring for suspicious activity such as JavaScript execution, localhost:9050 proxy use, PowerShell screenshot capture, and clipboard monitoring.

In February 2026, Microsoft Threat Intelligence and Microsoft Defender Experts found a crypto clipper attack in a campaign targeting Windows systems. The malware exploits cryptocurrency holders through clipboard hijacking and searches for sensitive wallet information. Microsoft reported the findings on its blog.

Attackers primarily spread this malware through malicious .lnk shortcut files distributed on USB drives. Once the shortcut is activated, the malware deploys two modules: one spreads the malware to other systems, while the other operates as a clipper and information stealer. Microsoft Defender Antivirus identifies the threat as Trojan/CryptoBandits.A.

Unlike most malware operations, this one does not require an installer or dedicated control servers: it uses Windows Script Host and ActiveX to launch a bundled Tor proxy, exposes a SOCKS5 proxy on the infected computer, and connects through it to control servers running as Tor hidden services.

Malware Snatches Wallet Information and Swaps Addresses

Once a system is infected, the malware constantly inspects clipboard content, looking for recovery phrases, private keys, and wallet addresses. According to Microsoft, it specifically targets 12-word and 24-word recovery phrases, Bitcoin private keys, and Ethereum private keys. It replaces copied wallet addresses with attacker-controlled ones before users complete their transactions.

The malware also takes screenshots and sends them over Tor connections, giving the attackers additional insight into wallet balances and user activity. Microsoft further stated that the malware supports remote code execution, allowing the attackers to send additional instructions, and maintains persistence through scheduled tasks and encryption of its malicious components.

Researchers identified several indicators of compromise, including suspicious JavaScript execution, localhost:9050 proxy activity, PowerShell-based screenshot capture, and clipboard monitoring behavior. Microsoft recommends that organizations disable auto-run features, restrict script interpreters and executable shortcuts from USB drives, and monitor for the suspicious activity listed above. The campaign is another sign of how widespread cryptocurrency use among investors and users has become.
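The monitoring points Microsoft lists above (script hosts running JavaScript from removable media, connections to localhost:9050, PowerShell screenshot capture, and clipboard access) translate directly into endpoint detection rules. The following is an added example, not code from Microsoft or from the article, that runs those rules over a handful of constructed Sysmon-style events and then correlates the hits per process. The event record layout, field names, and sample command lines are assumptions made for this example; the `CopyFromScreen` .NET method and the `Get-Clipboard` cmdlet are real PowerShell-reachable APIs commonly used for screenshots and clipboard reads.

```python
"""Detection rules for the USB-borne clipper indicators described above.

Runs over constructed Sysmon-style events (event_id 1 = process create,
event_id 3 = network connect). All records below are made up for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int                 # 1 = process create, 3 = network connect
    image: str = ""               # full path of the process image
    command_line: str = ""        # only populated for process-create events
    parent_image: str = ""
    dest_ip: str = ""             # only populated for network events
    dest_port: int = 0


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumption: C: is the fixed system disk, so any other drive letter in a
# script host's command line is treated as removable media.
REMOVABLE_DRIVE = re.compile(r"\b[D-Z]:\\", re.IGNORECASE)
JS_FILE = re.compile(r"\.js\b", re.IGNORECASE)
SCREENSHOT_API = re.compile(r"CopyFromScreen|System\.Drawing\.Bitmap", re.IGNORECASE)
CLIPBOARD_API = re.compile(r"Get-Clipboard|Set-Clipboard|Windows\.Forms\.Clipboard", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        img = basename(ev.image)
        if ev.event_id == 1 and img in SCRIPT_HOSTS:
            if JS_FILE.search(ev.command_line):
                hits.append(("script_host_runs_javascript", ev))
            if REMOVABLE_DRIVE.search(ev.command_line):
                hits.append(("script_launched_from_removable_drive", ev))
        if ev.event_id == 1 and img in POWERSHELL:
            if SCREENSHOT_API.search(ev.command_line):
                hits.append(("powershell_screenshot_capture", ev))
            if CLIPBOARD_API.search(ev.command_line):
                hits.append(("powershell_clipboard_access", ev))
        # Port 9050 is the stock tor daemon's SOCKS port. A legitimate tor
        # service on a workstation also uses it, so this hit needs triage
        # against the process that opened the connection.
        if ev.event_id == 3 and ev.dest_ip in ("127.0.0.1", "::1") and ev.dest_port == 9050:
            hits.append(("localhost_9050_socks_proxy", ev))
    return hits


def triage(hits):
    """Group rule names by process image so correlated indicators stand out."""
    per_image = defaultdict(set)
    for rule, ev in hits:
        per_image[basename(ev.image)].add(rule)
    return dict(per_image)


# Constructed sample telemetry: one suspicious wscript chain, one suspicious
# PowerShell pair, and two benign events that must not fire.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\wscript.exe", r'wscript.exe "E:\readme.js"', r"C:\Windows\explorer.exe"),
    Event(3, r"C:\Windows\System32\wscript.exe", dest_ip="127.0.0.1", dest_port=9050),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell -w hidden -c "[System.Drawing.Graphics]::CopyFromScreen"',
          r"C:\Windows\System32\wscript.exe"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell -c Get-Clipboard", r"C:\Windows\System32\wscript.exe"),
    Event(1, r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\notes.txt", r"C:\Windows\explorer.exe"),
    Event(3, r"C:\Program Files\Tor Browser\Browser\firefox.exe", dest_ip="127.0.0.1", dest_port=9150),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} {basename(ev.image)}")
    print(triage(detect(SAMPLE_EVENTS)))
```

The per-image grouping is what makes the 9050 rule usable: a lone connection to 127.0.0.1:9050 could be a legitimate Tor daemon, but a script host that both ran JavaScript from a removable drive and then opened a SOCKS connection to 9050 matches the campaign's described chain and deserves immediate attention.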


Related questions

Q: What type of cyber attack did Microsoft identify in February 2026, and what does this malware specifically target?

A: Microsoft identified a crypto clipper attack. The malware targets cryptocurrency holders by hijacking their clipboards to steal sensitive wallet information, including recovery phrases, private keys, and wallet addresses.

Q: How does the described malware initially spread to systems, and what is its primary method of operation?

A: The malware initially spreads through malicious .lnk shortcut files distributed on USB drives. Its primary method of operation is clipboard hijacking, where it monitors and swaps copied cryptocurrency wallet addresses with ones controlled by the attackers.

Q: What is unique about the command-and-control (C2) infrastructure of this malware campaign according to the article?

A: Unlike most malware, it does not require an installer or traditional control servers. Instead, it uses Windows Script Host and ActiveX to launch a packaged Tor proxy, establishes a SOCKS5 proxy on the infected computer, and connects to control servers running as Tor hidden services.

Q: Besides clipboard monitoring, what other malicious capabilities does this malware possess?

A: Beyond clipboard monitoring, the malware can take screenshots and send them via Tor connections, execute remote code, and ensure persistence on the infected system through scheduled tasks and encryption of its malicious components.

Q: What specific indicators of compromise (IoCs) and defensive measures does Microsoft recommend in response to this threat?

A: Indicators of compromise include suspicious JavaScript execution, localhost:9050 proxy activity, PowerShell-based screenshot capture, and clipboard monitoring behavior. Microsoft recommends disabling auto-run features, limiting script interpreters and executable shortcuts from USB drives, and monitoring for related suspicious activity.
