Microsoft Identifies New Crypto Malware Targeting Wallet Addresses and Private Keys

TheNewsCrypto | Published 2026-06-19 | Last updated 2026-06-19

Summary

In February 2026, Microsoft identified a new crypto clipper malware, dubbed Trojan/CryptoBandits.A, targeting Windows systems. The malware spreads via malicious shortcut (.lnk) files on USB drives and needs neither a traditional installer nor directly reachable control servers: it uses Windows Script Host and ActiveX to launch a bundled Tor proxy and reaches its command-and-control over a Tor hidden service. Once active, it runs two modules, one for spreading and one for stealing information. The malware continuously monitors the clipboard for 12- or 24-word recovery phrases, Bitcoin and Ethereum private keys, and wallet addresses. When a user copies a wallet address, the malware silently swaps it for an attacker-controlled address to divert funds. It also captures screenshots to learn wallet balances and user activity, sending the data over Tor. Additional capabilities include remote code execution and persistence via scheduled tasks. Microsoft advises disabling auto-run features, restricting script interpreters and executable shortcuts from USB drives, and monitoring for suspicious activity such as JavaScript execution, use of the localhost:9050 proxy, PowerShell screenshot capture, and clipboard monitoring.

In February 2026, Microsoft Threat Intelligence and Microsoft Defender Experts uncovered a crypto clipper campaign targeting Windows systems. The malware preys on cryptocurrency holders through clipboard hijacking and hunts for sensitive wallet information. Microsoft reported the findings on its blog.

Attackers primarily spread the malware through malicious .lnk shortcut files distributed on USB drives. When the shortcut is opened, the malicious code drops two modules: one spreads the malware to further systems, while the other acts as a clipper and information stealer. Microsoft Defender Antivirus detects the threat as Trojan/CryptoBandits.A.

Unlike most malware operations, this one needs neither a conventional installer nor directly reachable control servers. It uses Windows Script Host and ActiveX to launch a bundled Tor proxy, which exposes a SOCKS5 proxy on the infected computer; the malware then connects through that local proxy to command-and-control servers running as Tor hidden services. Because the C2 is only reachable inside Tor, defenders see Tor relay traffic and the local proxy port rather than a C2 IP address or domain, which is why the indicators listed below focus on the localhost proxy.

Malware Snatches Wallet Information and Swaps Addresses

Once a system is infected, the malware continuously watches the clipboard for recovery phrases, private keys, and wallet addresses. According to Microsoft, it specifically targets 12-word and 24-word recovery phrases, Bitcoin private keys, and Ethereum private keys. When a user copies a wallet address, the malware swaps it for an attacker-controlled address before the user completes the transaction, so funds go to the attacker unless the pasted address is checked against the intended one.
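To make the clipboard-hunting logic concrete, the following added example (not code from Microsoft's report or from the malware) classifies clipboard text into the artifact types named above: 12/24-word recovery phrases, Bitcoin WIF private keys, Ethereum private keys, and Bitcoin or Ethereum addresses. It validates Base58Check for Bitcoin material rather than relying on prefixes alone, and shows the swap a clipper performs so that a defender understands why the pasted address can differ from the copied one. The same classifier, run over clipboard telemetry, flags secret material hitting the clipboard. All sample keys and "attacker" addresses are constructed for the example; the recovery-phrase check is a word-shape heuristic (3 to 8 lowercase letters), not a full BIP39 wordlist lookup, which is an assumption noted in the code.

```python
"""Clipboard-content classifier and clipper swap demonstration (added example)."""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of SHA256d(payload), leading 0x00 -> '1'."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def b58check_decode(s: str):
    """Return the payload if s is valid Base58Check, otherwise None."""
    if not s or any(c not in B58 for c in s):
        return None
    n = 0
    for c in s:
        n = n * 58 + B58.index(c)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(s) - len(s.lstrip("1"))) + body
    if len(raw) < 5:
        return None
    payload, check = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != check:
        return None
    return payload


ETH_ADDR = re.compile(r"^0x[0-9a-fA-F]{40}$")
ETH_KEY = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")
# bech32 (bc1...) addresses: charset/length check only, no checksum verification here
BECH32_ADDR = re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{38,87}$")
# Assumption: BIP39 words are 3..8 lowercase letters; the 2048-word list itself is not embedded
PHRASE_WORD = re.compile(r"^[a-z]{3,8}$")


def classify(text: str) -> str:
    """Label clipboard text the way a clipper (or a defensive monitor) would."""
    t = text.strip()
    words = t.split()
    if len(words) in (12, 24) and all(PHRASE_WORD.match(w) for w in words):
        return "recovery-phrase"
    if ETH_KEY.match(t):
        return "eth-private-key"
    if ETH_ADDR.match(t):
        return "eth-address"
    if BECH32_ADDR.match(t.lower()):
        return "btc-address"
    payload = b58check_decode(t)
    if payload:
        if payload[0] == 0x80 and len(payload) in (33, 34):   # WIF: 0x80 || key [|| 0x01]
            return "btc-private-key"
        if payload[0] in (0x00, 0x05) and len(payload) == 21:  # P2PKH (0x00) / P2SH (0x05)
            return "btc-address"
    return "other"


# Constructed "attacker" destinations, one per address type, for the swap demonstration.
ATTACKER = {
    "btc-address": b58check_encode(b"\x00" + bytes([0xAA] * 20)),
    "eth-address": "0x" + "de" * 20,
}


def clipper_swap(text: str):
    """What the clipper does: replace a copied address with one of the same type."""
    kind = classify(text)
    return (ATTACKER[kind], kind) if kind in ATTACKER else (text, kind)


# Constructed, deterministic sample material; not from any real wallet.
SAMPLE_WIF = b58check_encode(b"\x80" + bytes(range(1, 33)))
SAMPLE_BTC_ADDR = b58check_encode(b"\x00" + bytes(range(20)))

if __name__ == "__main__":
    for item in [SAMPLE_WIF, SAMPLE_BTC_ADDR, "0x" + "ab" * 20,
                 "abandon " * 11 + "about", "meeting at 10"]:
        swapped, kind = clipper_swap(item)
        print(f"{kind:17} swapped={swapped != item}")
```

The checksum step matters for a monitor: a one-character typo in a copied address fails Base58Check and is classified as "other", so the heuristic does not fire on near-misses, while a genuine address that was swapped still decodes cleanly, which is exactly why users cannot spot the substitution without comparing the full string.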

The malware also takes screenshots and exfiltrates them over Tor, giving the attackers insight into wallet balances and user activity. Microsoft further stated that the malware supports remote code execution, letting the attackers issue additional instructions, and that it maintains persistence through scheduled tasks while encrypting its malicious components.

Researchers identified several indicators of compromise, including suspicious JavaScript execution, localhost:9050 proxy activity, PowerShell-based screenshot capture, and clipboard-monitoring behavior. Microsoft recommends that organizations disable auto-run features, restrict script interpreters and executable shortcuts from USB drives, and monitor for these behaviors. The campaign underscores that cryptocurrency holders remain an attractive target as adoption among investors and users continues to grow.
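The indicators above translate directly into host-telemetry rules. The following added example (not Microsoft's detection content and not tied to any specific EDR product) runs four such rules over constructed, Sysmon-style events: a script host executing a script or shortcut from a removable drive, a process connecting to the local Tor SOCKS port 127.0.0.1:9050, PowerShell invoking screenshot APIs, and clipboard polling. It then correlates hits per process, since a single process that was both launched from removable media and is talking to the Tor proxy is a far stronger signal than either rule alone. The event schema (`id` 1 = process create, `id` 3 = network connect, with `image`, `cmdline`, `dst`, `dport`), the sample events, and the removable-drive inventory `REMOVABLE_DRIVES` are all assumptions made for the example.

```python
"""Detection sweep over constructed host telemetry (added example)."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
REMOVABLE_DRIVES = {"E:", "F:"}   # assumption: taken from the host's drive inventory
LOOPBACK = {"127.0.0.1", "::1"}
TOR_SOCKS_PORT = 9050             # default Tor SOCKS listener named in the IoCs

# a script or shortcut path on some drive letter, e.g. E:\.sys\update.js
SCRIPT_ON_DRIVE = re.compile(r'\b([A-Za-z]):\\[^"\s]*?\.(?:js|jse|vbs|vbe|wsf|hta|lnk)\b', re.I)
SCREENSHOT_API = re.compile(r"CopyFromScreen|System\.Drawing\.Bitmap|Graphics\]?::FromImage", re.I)
CLIPBOARD_API = re.compile(r"Get-Clipboard|Set-Clipboard|Windows\.Forms\.Clipboard|GetClipboardData", re.I)

EVENTS = [  # constructed sample telemetry, not real logs
    {"id": 1, "pid": 4120, "image": r"C:\Windows\System32\wscript.exe", "parent": "explorer.exe",
     "cmdline": r"wscript.exe //B E:\.sys\update.js"},
    {"id": 3, "pid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "dst": "127.0.0.1", "dport": 9050},
    {"id": 1, "pid": 5200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "wscript.exe",
     "cmdline": r'powershell -w hidden -c "Add-Type -AssemblyName System.Drawing; $b = New-Object Drawing.Bitmap 1920,1080; [Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size)"'},
    {"id": 1, "pid": 5300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "wscript.exe",
     "cmdline": r'powershell -w hidden -c "while ($true) { Get-Clipboard; Start-Sleep 1 }"'},
    {"id": 1, "pid": 6001, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent": "explorer.exe", "cmdline": "firefox.exe"},
    {"id": 3, "pid": 6001, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst": "203.0.113.10", "dport": 443},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return one finding dict per (rule, event) hit."""
    findings = []

    def hit(rule, e, evidence):
        findings.append({"rule": rule, "pid": e["pid"], "image": basename(e["image"]), "evidence": evidence})

    for e in events:
        image = basename(e["image"])
        if e["id"] == 1:
            cmd = e.get("cmdline", "")
            if image in SCRIPT_HOSTS:
                # script interpreter given a script/shortcut that lives on removable media
                for m in SCRIPT_ON_DRIVE.finditer(cmd):
                    if f"{m.group(1).upper()}:" in REMOVABLE_DRIVES:
                        hit("script_from_removable", e, m.group(0))
                        break
            if image in POWERSHELL and SCREENSHOT_API.search(cmd):
                hit("powershell_screenshot", e, SCREENSHOT_API.search(cmd).group(0))
            if CLIPBOARD_API.search(cmd):   # any process: clipboard polling from a script body
                hit("clipboard_access", e, CLIPBOARD_API.search(cmd).group(0))
        elif e["id"] == 3:
            # client side of the bundled Tor proxy: traffic to the loopback SOCKS port
            if e.get("dst") in LOOPBACK and e.get("dport") == TOR_SOCKS_PORT:
                hit("tor_socks_client", e, f'{e["dst"]}:{e["dport"]}')
    return findings


def correlate(findings, min_rules=2):
    """PIDs hit by at least min_rules distinct rules: the strongest triage signal."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f["pid"], set()).add(f["rule"])
    return {pid for pid, rules in by_pid.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = analyze(EVENTS)
    for f in found:
        print(f'{f["rule"]:22} pid={f["pid"]} {f["image"]} <- {f["evidence"]}')
    print("high-confidence pids:", correlate(found))
```

Two caveats when porting this to real telemetry: a bundled Tor can be configured to listen on a port other than 9050, so the port rule should be paired with a rule on the Tor process itself (unexpected binary listening on loopback, outbound connections to many relay ports), and the removable-drive rule depends on an accurate drive-letter inventory, which is why disabling auto-run and blocking script interpreters from USB media, as Microsoft recommends, removes the dependency rather than just detecting it.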


Tags: Blockchain, Crypto, Cryptocurrency, Malware, Microsoft, Wallet

Related questions

Q: What type of cyber attack did Microsoft identify in February 2026, and what does this malware specifically target?

A: Microsoft identified a crypto clipper attack. The malware targets cryptocurrency holders by hijacking their clipboards to steal sensitive wallet information, including recovery phrases, private keys, and wallet addresses.

Q: How does the described malware initially spread to systems, and what is its primary method of operation?

A: The malware initially spreads through malicious .lnk shortcut files distributed on USB drives. Its primary method of operation is clipboard hijacking, where it monitors and swaps copied cryptocurrency wallet addresses with ones controlled by the attackers.

Q: What is unique about the command-and-control (C2) infrastructure of this malware campaign according to the article?

A: Unlike most malware, it does not require an installer or traditional control servers. Instead, it uses Windows Script Host and ActiveX to launch a packaged Tor proxy, establishes a SOCKS5 proxy on the infected computer, and connects to control servers running as Tor Hidden Services.

Q: Besides clipboard monitoring, what other malicious capabilities does this malware possess?

A: Beyond clipboard monitoring, the malware can take screenshots and send them via Tor connections, execute remote code, and ensure persistence on the infected system through scheduled tasks and encryption of its malicious components.

Q: What specific indicators of compromise (IoCs) and defensive measures does Microsoft recommend in response to this threat?

A: Indicators of compromise include suspicious JavaScript execution, localhost:9050 proxy activity, PowerShell-based screenshot capture, and clipboard monitoring behavior. Microsoft recommends disabling auto-run features, limiting script interpreters and executable shortcuts from USB drives, and monitoring for related suspicious activity.
