Microsoft warns new clipboard trojan has backdoor capabilities
Cryptonews
06-18 19:20
Microsoft says a new crypto clipboard trojan has backdoor capabilities: it can replace wallet addresses and steal mnemonic phrases.

Microsoft's threat intelligence team stated that a crypto clipboard trojan ("clipper") campaign targeting Windows users has been active since February 2026. Unlike common clipper malware that only replaces transfer addresses, this wave of attacks also steals sensitive information such as mnemonic phrases and private keys, and attempts to persist on victim devices for an extended period.

Spread through shortcut files

Microsoft states that these attacks typically begin with malicious .lnk shortcut files. The files arrive on the system via USB storage devices and, when opened, launch a worm component on the Windows device. Once running, the component uses legitimate files already on the device to generate further malicious shortcuts, extending its reach.

Researchers say the malware also creates scheduled tasks so that it keeps running after the device restarts, which lets attackers monitor compromised devices for longer. Because it relies on scripting tools rather than a large installer package, traditional file-based detection is less effective at catching it promptly.

Hidden communication using Tor

Microsoft stated that the trojan deploys a portable Tor client and routes its traffic through a local SOCKS5 proxy: it connects to localhost:9050 and reaches its control domain as a .onion address, so the control domain is never resolved through regular DNS, leaving fewer traces and making interception harder.
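One place a defender can look for the pattern described above is the host's socket table: a process listening on loopback port 9050 and other processes holding established connections to it. The following added example (not part of the Microsoft report or its tooling) parses text in the layout of Windows `netstat -ano` output, using a constructed sample, and reports the listener PID(s) and the PIDs whose traffic is being forwarded through that local proxy. The port number comes from the report; everything else (sample rows, PIDs, helper names) is an assumption for the example.

```python
"""Triage helper: find a local SOCKS proxy listener and the processes using it.

Added example, not from the Microsoft report. Parses `netstat -ano`-style
lines (constructed sample below) and returns the listener PID(s) on the
given loopback port plus the PIDs of other processes with established
connections to that listener.
"""
import re

SOCKS_PORT = 9050  # loopback port named in the report

# Columns: Proto, Local Address, Foreign Address, State (absent for UDP), PID
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)

LOOPBACK = {"127.0.0.1", "[::1]", "0.0.0.0", "[::]"}


def parse_netstat(text):
    """Turn netstat -ano text into a list of dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state, pid = m.groups()
        rows.append({
            "proto": proto, "laddr": laddr, "lport": lport,
            "raddr": raddr, "rport": rport, "state": state, "pid": int(pid),
        })
    return rows


def find_local_proxy(rows, port=SOCKS_PORT):
    """Return listener PIDs on the loopback port and client PIDs connected to it."""
    port = str(port)
    listeners = sorted({
        r["pid"] for r in rows
        if r["proto"] == "TCP" and r["state"] == "LISTENING"
        and r["laddr"] in LOOPBACK and r["lport"] == port
    })
    clients = sorted({
        r["pid"] for r in rows
        if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
        and r["raddr"] in LOOPBACK and r["rport"] == port
        and r["pid"] not in listeners
    })
    return {"listeners": listeners, "clients": clients}


# Constructed sample in the layout of `netstat -ano`; PIDs and addresses are made up.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    127.0.0.1:9050         0.0.0.0:0              LISTENING       4321
  TCP    127.0.0.1:9050         127.0.0.1:51022        ESTABLISHED     4321
  TCP    127.0.0.1:51022        127.0.0.1:9050         ESTABLISHED     5678
  TCP    192.168.1.20:51100     203.0.113.5:443        ESTABLISHED     4321
  UDP    0.0.0.0:5353           *:*                                    1200
"""


def triage_sample():
    """Run the check over the constructed sample."""
    return find_local_proxy(parse_netstat(SAMPLE_NETSTAT))


if __name__ == "__main__":
    print(triage_sample())  # {'listeners': [4321], 'clients': [5678]}
```

In the sample, PID 4321 is the loopback listener (a Tor client would also hold the outbound 443 connection seen on the same PID), and PID 5678 is the process proxying through it; on a live host those PIDs are what you would map back to image paths and scheduled tasks.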

During operation, the malware checks the clipboard approximately every 500 milliseconds, focusing on wallet addresses, mnemonic phrases, and private keys. Once a wallet address is identified, the program can replace it with an address controlled by the attacker; if a mnemonic phrase or private key is found, it may be sent back directly via the Tor channel.
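The behaviour described above leaves a distinctive trace: a wallet address on the clipboard is overwritten by a different address of the same format within well under a second, with no user action in between. The following added example (not code from Microsoft or from the malware) replays a constructed sequence of clipboard snapshots and flags that swap pattern, and separately notes when a mnemonic-like phrase was on the clipboard. The address and mnemonic patterns, the 1-second window and all sample values are assumptions for the example; a real monitor would feed snapshots from a clipboard API instead of the embedded list.

```python
"""Heuristic detector for clipboard-hijacking ("clipper") behaviour.

Added example, not from the Microsoft report. Replays constructed
clipboard snapshots and flags an address being silently replaced by
another address of the same format within a short window.
"""
import re
from dataclasses import dataclass

# Loose address shapes; assumptions for the example, not the malware's own patterns.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# 12 to 24 lowercase words looks like a BIP-39 mnemonic (no wordlist check here).
MNEMONIC_RE = re.compile(r"^(?:[a-z]+ ){11,23}[a-z]+$")


@dataclass(frozen=True)
class Snapshot:
    t_ms: int   # time of the clipboard read, in milliseconds
    text: str   # clipboard contents at that moment


def classify(text):
    """Return the address format name, 'mnemonic', or None."""
    s = text.strip()
    for name, pat in ADDRESS_PATTERNS.items():
        if pat.match(s):
            return name
    if MNEMONIC_RE.match(s):
        return "mnemonic"
    return None


def detect_swaps(snapshots, max_gap_ms=1000):
    """Flag consecutive snapshots where one address is replaced by a different
    address of the same format within max_gap_ms. A user changing addresses by
    hand normally takes seconds, not a sub-second overwrite."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        a, b = classify(prev.text), classify(cur.text)
        if a is None or a == "mnemonic" or a != b:
            continue
        if prev.text.strip() != cur.text.strip() and cur.t_ms - prev.t_ms <= max_gap_ms:
            alerts.append({
                "at_ms": cur.t_ms, "format": a,
                "original": prev.text.strip(), "replacement": cur.text.strip(),
            })
    return alerts


def find_sensitive(snapshots):
    """Timestamps at which a mnemonic-like phrase sat on the clipboard."""
    return [s.t_ms for s in snapshots if classify(s.text) == "mnemonic"]


# Constructed sample: an ETH address is copied and overwritten 500 ms later;
# a BTC-shaped address copied much later is left alone; finally a 12-word phrase.
SAMPLE = [
    Snapshot(0, "meeting notes"),
    Snapshot(500, "0x" + "a" * 40),
    Snapshot(1000, "0x" + "b" * 40),     # silently swapped
    Snapshot(1500, "0x" + "b" * 40),
    Snapshot(9000, "1" + "A" * 30),      # constructed, not a real address
    Snapshot(30000, "abandon " * 11 + "about"),
]


if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE):
        print("clipper swap:", alert)
    print("mnemonic on clipboard at:", find_sensitive(SAMPLE))
```

The heuristic deliberately ignores changes between different formats and identical re-reads, so the only alert on the sample is the ETH overwrite at 1000 ms; the mnemonic sighting is reported separately because the report says such phrases are exfiltrated rather than swapped.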

No longer just address replacement

Microsoft stated that the risk of this campaign lies in functionality that goes beyond traditional clipboard hijacking. In addition to replacing addresses, the malware can upload screenshots, connect to hidden command-and-control servers, and execute code sent by the attacker via a command called EVAL.

This means it is no longer a single-purpose data-theft tool but something closer to a lightweight backdoor. Once a device is infected, the attacker's privileges and dwell time on the device can grow, and the victim faces more than the risk of a single tampered transaction.

Additional information: Microsoft has labeled this threat Trojan:Win32/CryptoBandits.A. The report also mentions that similar malware has appeared before, monitoring browser wallets and scanning screenshots for mnemonic phrases, indicating that attacks targeting crypto users are continuously escalating.
