Why is Microsoft warning about this cryptocurrency malware?

Microsoft warned that the malware can steal cryptocurrency wallet information, including Bitcoin (CRYPTO) and Ethereum (CRYPTO) private keys and recovery phrases. The company said the threat also enables attackers to execute code remotely on infected devices.

What does the CryptoBandits malware target?

CryptoBandits targets cryptocurrency wallet credentials, BIP39 seed phrases, private keys, clipboard contents, and screenshots. Microsoft said it specifically searches for data linked to Bitcoin (CRYPTO), Ethereum (CRYPTO), Tron (CRYPTO), and Monero (CRYPTO).

How does the malware spread through USB drives?

The malware hides legitimate files and replaces them with malicious shortcut files that appear genuine to users. Microsoft said the worm component can then automatically copy itself to connected USB storage devices and spread to additional systems.

What does the malware's use of the Tor network mean?

The malware secretly installs a disguised version of Tor called "ugate.exe" and uses it to communicate with attackers through hidden services. Microsoft said this helps conceal the operators' infrastructure and makes the activity harder to detect.

How can Windows users protect themselves from this malware?

Microsoft recommends disabling autoplay for removable media, blocking shortcut file execution from USB drives, and monitoring systems for unusual proxy activity or script execution. Microsoft Defender Antivirus detects the threat as Trojan/CryptoBandits.A.

Image for illustrative purposes only. Not a real photo.

Microsoft warns of USB-spread crypto malware

Written by Brie CarterPublished Jun 19, 2026, 6:45 AM

Microsoft warned Windows users about a cryptocurrency-focused malware strain that spreads through USB drives and targets wallet credentials.
The malware steals seed phrases, private keys, clipboard data, and screenshots while also enabling remote code execution on infected devices.
Researchers said the threat uses the Tor network to hide communications and can provide attackers with long-term access to compromised systems.

Microsoft warned Windows users about a cryptocurrency clipper malware campaign that spreads through USB drives and is designed to steal wallet credentials, private keys, seed phrases, and other sensitive financial data.

The malware, which Microsoft said has been active since February, disguises malicious files as legitimate shortcuts while automatically spreading to connected USB storage devices.

“This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymised communications and runtime tasking,” said Microsoft Threat Intelligence.

Researchers said the malware captures clipboard contents, replaces copied cryptocurrency wallet addresses with attacker-controlled addresses, takes screenshots every 10 seconds, and targets Bitcoin (CRYPTO:BTC), Ethereum (CRYPTO:ETH), Tron (CRYPTO:TRX), and Monero (CRYPTO:XMR) users.

Microsoft said the malware also functions as a lightweight backdoor by allowing attackers to remotely execute code on infected systems, and following the disclosure no specific financial losses were reported.

The threat installs a disguised version of the Tor browser under the filename "ugate.exe" and uses the Tor network to communicate with operators through hidden services, making detection and tracking more difficult.

Microsoft Defender Antivirus identifies the malware as Trojan:Win32/CryptoBandits.A, and the company recommended disabling USB autoplay, restricting shortcut file execution from removable media, and monitoring systems for unusual proxy activity and script execution.

At the time of reporting, Bitcoin price was $62,747.98.

Microsoft warns of USB-spread crypto malware

Frequently asked questions

Assets related to this article