Overview
- Microsoft tracked the activity from February 2026 and publicly disclosed the campaign on June 17–18, 2026; its detection name for the malware is Trojan:Win32/CryptoBandits.
- Infection starts from malicious .lnk shortcut files on a USB drive. Opening one launches a worm component that hides the victim's original files and folders, replaces them with infected shortcuts, and repeats the process on any other removable media it finds.
- A bundled portable Tor client opens a local SOCKS5 proxy on localhost:9050 (Tor's default SOCKS port) and relays command-and-control traffic to .onion servers, so there is no fixed clearnet C2 address to block and the command traffic is hidden inside Tor; the local proxy port is, however, visible on the host.
- The clipper polls the clipboard roughly every 500 ms, harvests anything that looks like a seed phrase, private key or wallet address, silently swaps a copied wallet address for an attacker-controlled one so the victim's next transaction pays the attacker, and exfiltrates screenshots over Tor.
- Beyond theft, the C2 can answer with an EVAL response whose attacker-supplied code the implant executes at runtime, which makes it a general-purpose backdoor rather than just a clipper. Microsoft's guidance to defenders: rely on behavioral hunting, disable AutoRun, block .lnk execution from removable drives, and alert on script engines launching unexpected child processes and on any process connecting to localhost:9050.
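The USB spread pattern above (originals hidden, infected shortcuts dropped next to them) leaves a layout that is easy to hunt for on a suspect stick: a `.lnk` whose stem names a sibling entry that carries the hidden attribute. The script below is an added example written for this page, not Microsoft's tooling or the malware's code. It assumes the Win32 hidden-attribute bit (0x2) and the `GetLogicalDrives`/`GetDriveTypeW` APIs for enumerating removable drives on Windows, falls back to the dot-file convention elsewhere, and builds a constructed directory tree (not a real sample) for the demonstration, where the originals are treated as hidden because the attribute cannot be set portably:

```python
"""Hunt for the USB-worm layout described above: originals made hidden, a
same-named .lnk dropped beside each. Added example, not Microsoft's tooling;
standard library only."""
import ctypes
import os
import tempfile
from pathlib import Path
from typing import Callable

FILE_ATTRIBUTE_HIDDEN = 0x2   # Win32 file attribute bit
DRIVE_REMOVABLE = 2           # GetDriveTypeW() value for USB sticks


def is_hidden(path: Path) -> bool:
    """Windows hidden attribute; dot-file convention elsewhere so the scan
    still runs on a USB image mounted under Linux."""
    attrs = getattr(path.lstat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")


def removable_drives() -> list[Path]:
    """Removable drive roots on Windows (via GetLogicalDrives/GetDriveTypeW);
    empty list on other platforms."""
    if os.name != "nt":
        return []
    k32 = ctypes.windll.kernel32
    mask = k32.GetLogicalDrives()
    roots = [Path(f"{chr(65 + i)}:\\") for i in range(26) if mask & (1 << i)]
    return [r for r in roots if k32.GetDriveTypeW(str(r)) == DRIVE_REMOVABLE]


def find_lnk_decoys(root: Path,
                    hidden: Callable[[Path], bool] = is_hidden) -> list[dict]:
    """Report every .lnk whose stem names a sibling entry: 'Photos.lnk' next
    to a 'Photos' folder, 'report.docx.lnk' next to 'report.docx'. A hidden
    sibling is the worm's signature (severity high); a visible one may be a
    user's own shortcut (severity low). `hidden` is injectable for testing."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        by_lower = {n.lower(): d / n for n in dirnames + filenames}
        for name in filenames:
            if not name.lower().endswith(".lnk"):
                continue
            sibling = by_lower.get(name[:-4].lower())
            if sibling is None:
                continue
            is_hid = hidden(sibling)
            findings.append({
                "lnk": str(d / name),
                "sibling": str(sibling),
                "sibling_hidden": is_hid,
                "severity": "high" if is_hid else "low",
            })
    return findings


def build_demo_tree(base: Path) -> Path:
    """Constructed layout mimicking an infected stick; not a real sample.
    The 4 bytes are a LNK HeaderSize (0x4C); content is irrelevant here."""
    lnk_stub = b"\x4c\x00\x00\x00"
    (base / "Photos").mkdir()
    (base / "Photos.lnk").write_bytes(lnk_stub)
    (base / "report.docx").write_text("quarterly numbers")
    (base / "report.docx.lnk").write_bytes(lnk_stub)
    (base / "Install.lnk").write_bytes(lnk_stub)   # benign: nothing to impersonate
    return base


def demo() -> list[dict]:
    """Scan the constructed tree, treating the originals as hidden the way the
    worm would have left them (the hidden bit cannot be set portably here)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(Path(tmp))
        worm_hid = {"Photos", "report.docx"}
        return find_lnk_decoys(root, hidden=lambda p: p.name in worm_hid)


if __name__ == "__main__":
    for drive in removable_drives():
        for f in find_lnk_decoys(drive):
            print("LIVE", f)
    for f in demo():
        print("DEMO", f)
```

Run it on a Windows host with the suspect stick inserted and it walks every removable drive; on any platform it also scans the constructed tree, where `Photos.lnk` and `report.docx.lnk` are flagged high and the lone `Install.lnk` is ignored. Low-severity hits (shortcut beside a visible same-named item) are worth a glance but are common on legitimate media.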
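The three hunts Microsoft recommends (script engines spawning unexpected children, localhost:9050 connections, and the worm's shortcut drops on removable media) map directly onto Sysmon process-create, network-connect and file-create events. The code below is an added example written for this page, not Microsoft's detection logic. It assumes Sysmon-style field names (`Image`, `ParentImage`, `DestinationIp`, `DestinationPort`, `TargetFilename`), treats `wscript.exe`, `cscript.exe`, `mshta.exe` and PowerShell as the script engines of interest, assumes `C:` is the system drive, and runs over constructed events (not real telemetry) in which one process, pid 4120, exhibits all three behaviours:

```python
"""Apply the hunts recommended above to constructed Sysmon-style events:
script engines spawning unexpected children, connections to the Tor SOCKS
port on localhost, and .lnk files written to a non-system drive. Added
example; the events are made up, not real telemetry."""
import json
from collections import Counter

# Windows script hosts whose children deserve scrutiny (assumption; extend per fleet).
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
# Children a script engine routinely spawns; anything else is unexpected.
EXPECTED_CHILDREN = {"conhost.exe"}
TOR_SOCKS = ("127.0.0.1", 9050)        # Tor's default SocksPort
ALLOWED_9050_CLIENTS: set = set()      # add a sanctioned Tor client if the fleet runs one
SYSTEM_DRIVE = "C:"                    # assumption; anything else is treated as removable/external


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_script_engine_child(ev: dict):
    """Sysmon EventID 1 (process create) where the parent is a script host."""
    if ev.get("EventID") != 1:
        return None
    parent, child = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    if parent in SCRIPT_ENGINES and child not in EXPECTED_CHILDREN:
        return f"{parent} spawned {child} ({ev.get('Image')})"
    return None


def rule_local_tor_socks(ev: dict):
    """Sysmon EventID 3 (network connect) to 127.0.0.1:9050."""
    if ev.get("EventID") != 3:
        return None
    dest = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
    img = basename(ev.get("Image", ""))
    if dest == TOR_SOCKS and img not in ALLOWED_9050_CLIENTS:
        return f"{img} connected to 127.0.0.1:9050 (local Tor SOCKS proxy)"
    return None


def rule_lnk_written_off_system_drive(ev: dict):
    """Sysmon EventID 11 (file create): a process other than Explorer writing
    a shortcut onto a drive other than the system drive, the worm's spread step."""
    if ev.get("EventID") != 11:
        return None
    target = ev.get("TargetFilename", "")
    img = basename(ev.get("Image", ""))
    if (target.lower().endswith(".lnk")
            and not target.upper().startswith(SYSTEM_DRIVE)
            and img != "explorer.exe"):
        return f"{img} wrote {target}"
    return None


RULES = (rule_script_engine_child, rule_local_tor_socks, rule_lnk_written_off_system_drive)


def detect(jsonl: str) -> list[dict]:
    """Run every rule over newline-delimited JSON events; one alert per hit."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append({"rule": rule.__name__, "pid": ev.get("ProcessId"), "detail": detail})
    return alerts


def hits_per_pid(alerts: list[dict]) -> Counter:
    """Several rules firing on one pid is a stronger signal than any single hit."""
    return Counter(a["pid"] for a in alerts)


# Constructed events: one infected process (pid 4120) plus benign noise.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 1, "ProcessId": 4130, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": "9050"},
    {"EventID": 3, "ProcessId": 2200, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    {"EventID": 11, "ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetFilename": r"E:\Photos.lnk"},
    {"EventID": 11, "ProcessId": 1500, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\Notes.lnk"},
])

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
    print(hits_per_pid(detect(SAMPLE_EVENTS)))
```

On the sample, the three rules fire once each and all on pid 4120, while Explorer launching `wscript.exe`, PowerShell spawning `conhost.exe`, Chrome's HTTPS connection and Explorer writing a desktop shortcut produce nothing. The per-pid tally is the useful output: any one of these rules can fire on benign activity, but one process that spawns from a script host, opens the Tor SOCKS port and drops shortcuts on another drive is exactly the chain described above.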