Microsoft Threat Intelligence has identified a new cryptocurrency-stealing malware affecting Windows users, named Win32/CryptoBandits.A, which has been active since February 2026. The malware targets cryptocurrency holders: it spreads through malicious shortcut files on infected USB drives and steals financial assets once it runs. It monitors the clipboard and swaps copied wallet addresses, and it captures sensitive data such as 12- or 24-word recovery seed phrases.
Infection begins when a user opens the malicious shortcut, after which the malware spreads further via USB drives. It also runs a Tor client to conceal its network activity and exfiltrates stolen data without relying on external command-and-control servers. Organizations are advised to strengthen their defences, including disabling AutoRun and monitoring for suspicious script activity.
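The clipboard-swapping behaviour described above leaves a characteristic trace: a wallet address on the clipboard is replaced, within a fraction of a second, by a different address of the same format. The following added example (written for this summary, not code from Microsoft or from the malware) shows a detection heuristic over a stream of clipboard events. The `ClipboardEvent` records, the address patterns and the `writer` field (the process that set the clipboard, which a real monitor would have to resolve through the clipboard owner window) are all constructed assumptions for the example; the sample events are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Loose address-format patterns used only to classify clipboard contents.
# Constructed for this example; they are not a validity check.
ADDRESS_PATTERNS = {
    "btc_base58": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str) -> Optional[str]:
    """Return which wallet-address format the text looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class ClipboardEvent:
    ts: float      # seconds since monitor start (constructed field)
    content: str   # clipboard text after the change
    writer: str    # process that set the clipboard (assumed resolved by the monitor)


@dataclass
class ClipperAlert:
    ts: float
    kind: str
    original: str
    replacement: str
    writer: str


def detect_clipper(events: List[ClipboardEvent], window_s: float = 2.0) -> List[ClipperAlert]:
    """Flag a wallet address replaced by a different address of the same
    format within window_s seconds. A user re-copying a second address
    minutes later is not flagged; a near-instant swap is the clipper signature."""
    alerts: List[ClipperAlert] = []
    prev: Optional[ClipboardEvent] = None
    for ev in events:
        kind = address_kind(ev.content)
        if prev is not None and kind is not None:
            same_kind = address_kind(prev.content) == kind
            changed = prev.content.strip() != ev.content.strip()
            if same_kind and changed and (ev.ts - prev.ts) <= window_s:
                alerts.append(ClipperAlert(ev.ts, kind, prev.content, ev.content, ev.writer))
        prev = ev
    return alerts


# Constructed sample addresses (not real wallets) and a made-up event stream.
VICTIM_BTC = "1AVictimAddressForDemo123456789abcd"
ATTACKER_BTC = "1AttackerAddressForDemo123456789abc"
VICTIM_ETH = "0x" + "a1" * 20
OTHER_ETH = "0x" + "c3" * 20
ATTACKER_ETH = "0x" + "b2" * 20

SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "quarterly report draft", "explorer.exe"),
    ClipboardEvent(10.0, VICTIM_BTC, "chrome.exe"),    # user copies own address
    ClipboardEvent(10.4, ATTACKER_BTC, "wscript.exe"),  # swapped 0.4 s later by a script host
    ClipboardEvent(60.0, VICTIM_ETH, "chrome.exe"),
    ClipboardEvent(95.0, OTHER_ETH, "chrome.exe"),      # different address, 35 s later: benign
    ClipboardEvent(120.0, VICTIM_ETH, "chrome.exe"),
    ClipboardEvent(120.2, ATTACKER_ETH, "wscript.exe"),  # swapped again
]

if __name__ == "__main__":
    for a in detect_clipper(SAMPLE_EVENTS):
        print(f"[{a.ts:7.1f}s] {a.kind}: {a.original} -> {a.replacement} (writer: {a.writer})")
```

The two-second window is a tuning knob: a smaller window reduces false positives from a user who deliberately copies two addresses in succession, while the `writer` value gives the analyst a process to pivot on (a script host rewriting the clipboard is far more suspicious than a browser).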