MICROSOFT has issued a warning about a new malware family called CryptoBandits, which targets Windows systems to steal cryptocurrency. The malware operates as a lightweight backdoor that enables remote code execution and data exfiltration. It has been active since February 2026, propagating via malicious shortcut files (.lnk) and deploying a Tor client for anonymous command-and-control communication.
Once installed, it steals clipboard data, takes screenshots, and replaces cryptocurrency wallet addresses in the clipboard so that funds are redirected to attacker-controlled wallets. The malware uses scheduled tasks for persistence and extensive obfuscation to evade detection. Microsoft recommends that organizations strengthen their defenses against such script-based threats.
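The wallet-address swapping described above is the "clipper" behaviour that gives this kind of malware its payoff, and it leaves a characteristic trace: a wallet address sits in the clipboard for a moment and is then overwritten by a different address of the same coin family by a process other than the one the user copied from. The script below is an added example, not code from Microsoft's advisory or from the malware, showing how a host-side monitor could flag that pattern. It runs over a constructed list of clipboard events; the `owner` field is an assumption standing in for whatever a real monitor records as the process that set the clipboard (on Windows that would typically come from a clipboard format listener combined with a clipboard-owner lookup), and the addresses are synthetic strings that only match the regexes, not real wallets.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Dict

# Address patterns for a few common coin families (constructed set; extend as needed).
# These only check shape, not checksums: good enough to spot a same-family swap.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),   # base58, no 0 O I l
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),         # bech32 charset
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_family(text: str) -> Optional[str]:
    """Return the coin family ('btc', 'eth') if text looks like a wallet address."""
    s = text.strip()
    for name, pat in ADDRESS_PATTERNS.items():
        if pat.match(s):
            return "btc" if name.startswith("btc") else name
    return None


@dataclass
class ClipboardEvent:
    ts: float    # seconds since monitor start
    owner: str   # process that set the clipboard (hypothetical field from the monitor)
    text: str    # clipboard text content


def detect_clipper(events: List[ClipboardEvent], window_s: float = 5.0) -> List[Dict]:
    """Flag a wallet address that is replaced, within window_s seconds, by a
    different address of the same family written by a different process.
    A user copying two addresses from the same app in a row is not flagged."""
    alerts = []
    prev: Optional[ClipboardEvent] = None
    for ev in events:
        fam = address_family(ev.text)
        if fam is not None and prev is not None:
            if (address_family(prev.text) == fam
                    and prev.text.strip() != ev.text.strip()
                    and ev.ts - prev.ts <= window_s
                    and ev.owner != prev.owner):
                alerts.append({
                    "ts": ev.ts,
                    "family": fam,
                    "copied_by": prev.owner,
                    "writer": ev.owner,
                    "original": prev.text.strip(),
                    "replacement": ev.text.strip(),
                })
        prev = ev
    return alerts


# Constructed sample: one genuine swap by an unknown process, plus benign activity.
ETH_A = "0x" + "1234567890abcdef" * 2 + "12345678"
ETH_B = "0x" + "fedcba0987654321" * 2 + "87654321"
SAMPLE_EVENTS = [
    ClipboardEvent(0.0,   "chrome.exe",  "1Constructed1Addr1ForTheExampLe"),
    ClipboardEvent(0.4,   "updater.exe", "1AttackerSwappedThisAddrXYZ12345"),  # swap
    ClipboardEvent(60.0,  "chrome.exe",  "some meeting notes"),
    ClipboardEvent(61.0,  "chrome.exe",  ETH_A),
    ClipboardEvent(62.0,  "chrome.exe",  ETH_B),   # same owner: user re-copy, no alert
    ClipboardEvent(200.0, "notepad.exe", ETH_A),   # outside window, no alert
]


def run_sample() -> List[Dict]:
    """Run the detector over the constructed events; returns one alert."""
    return detect_clipper(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['ts']:.1f}s] {a['family']} address copied by {a['copied_by']} "
              f"was replaced by {a['writer']}: {a['original']} -> {a['replacement']}")
```

The window and owner comparison are the two knobs that matter in practice: a short window keeps false positives from legitimate re-copies low, and the owner check is what separates a clipper from a user pasting a second address. In a real deployment the alert would also want the writer's image path and command line, since clippers frequently run from user-writable directories under innocuous names.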