Microsoft security researchers say a crypto-theft campaign called "CryptoBandits" is spreading. Unlike common clipboard trojans, this program uses Windows' built-in scripting tools to hide its behavior, and it targets cryptocurrency wallet addresses and mnemonic (seed) phrases.
Spread via USB devices
The malware typically enters a victim's computer via a USB device. Once inside, it searches for common document files such as .doc, .pdf, and .xlsx, hides the originals, and generates a malicious shortcut file with the same name for each.
A user who double-clicks one of these shortcuts as usual actually launches the malware. This makes the infection more covert and less likely to arouse the user's suspicion.
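The decoy pattern just described (a document given the Hidden attribute, with a visible shortcut of the same name beside it) is something an administrator can sweep a removable drive for. The following Python is an added example, not code from Microsoft or the article: it works on a directory listing of (name, hidden) pairs so it can run on a recorded listing or a live drive, and the extension list, the sample listing and the handling of both "report.lnk" and "report.pdf.lnk" shortcut naming are assumptions.

```python
"""Flag documents hidden and shadowed by a same-named shortcut file.

Added example (not code from Microsoft or the article). It looks for the
decoy pattern the article describes: a document carries the Hidden attribute
and a visible .lnk with the same name sits beside it. The extension list and
the sample listing below are assumptions / constructed data.
"""
import os
import stat
from typing import Dict, Iterable, List, Tuple

# Document types named in the article plus their common siblings (assumption).
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}


def find_lnk_decoys(entries: Iterable[Tuple[str, bool]]) -> List[Dict[str, str]]:
    """Return one finding per hidden document that has a same-named .lnk sibling.

    `entries` is an iterable of (file name, is_hidden) pairs for one directory.
    A shortcut may be named "report.lnk" or "report.pdf.lnk"; Explorer hides
    the .lnk extension, so either displays like the original document.
    """
    shortcuts: Dict[str, str] = {}
    hidden_docs: List[str] = []
    for name, is_hidden in entries:
        stem, ext = os.path.splitext(name)
        if ext.lower() == ".lnk":
            shortcuts[stem.lower()] = name          # "report.pdf.lnk" -> "report.pdf"
        elif ext.lower() in DOCUMENT_EXTENSIONS and is_hidden:
            hidden_docs.append(name)

    findings: List[Dict[str, str]] = []
    for doc in hidden_docs:
        stem = os.path.splitext(doc)[0].lower()
        match = shortcuts.get(doc.lower()) or shortcuts.get(stem)
        if match:
            findings.append({"document": doc, "shortcut": match})
    return findings


def directory_entries(path: str) -> List[Tuple[str, bool]]:
    """Build (name, is_hidden) pairs for a real directory.

    The Hidden attribute is only reported on Windows (st_file_attributes);
    on other platforms every file is treated as visible.
    """
    out: List[Tuple[str, bool]] = []
    with os.scandir(path) as it:
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue
            attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
            out.append((entry.name, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return out


# Constructed listing of a removable drive, not a real capture.
SAMPLE_LISTING = [
    ("Q3 report.pdf", True),        # original, hidden by the malware
    ("Q3 report.pdf.lnk", False),   # decoy, displayed as "Q3 report.pdf"
    ("budget.xlsx", True),
    ("budget.lnk", False),          # decoy, displayed as "budget"
    ("notes.docx", False),          # untouched document
    ("readme.txt", True),           # hidden, but not a document type we track
    ("tool.lnk", False),            # shortcut without a hidden twin
]

if __name__ == "__main__":
    for f in find_lnk_decoys(SAMPLE_LISTING):
        print(f"decoy: {f['shortcut']!r} shadows hidden {f['document']!r}")
```

On a Windows host, `find_lnk_decoys(directory_entries(r"E:\"))` runs the same check against a mounted drive; a hit is a reason to inspect the shortcut's target before anything on the drive is opened.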
Clipboard checked every half second
Microsoft states that the trojan installs a portable Tor client in the background and redirects its network traffic through a hidden proxy. It then checks the clipboard approximately every half second.
Once the program detects that a user has copied a cryptocurrency wallet address or mnemonic phrase, it replaces the content with an address controlled by the attacker, so that transferred funds flow to the wrong recipient.
- The monitored objects include wallet addresses and mnemonic phrases.
- Clipboard checks approximately once every half second.
- Network traffic is forwarded through a hidden proxy.
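Clipboard swapping of the kind described above leaves a characteristic trace: one wallet address is replaced by a different address of the same type within well under a second, with no new copy action by the user. This added Python example, not Microsoft's or the article's code, runs that check over a constructed clipboard history of the sort an endpoint agent might record, and separately flags a seed phrase sitting on the clipboard; the address patterns, the 2-second window and the word-count mnemonic heuristic are assumptions.

```python
"""Detect clipboard swaps and seed phrases in a clipboard history.

Added example, not code from Microsoft or the article. A clipboard-swapping
trojan replaces a copied wallet address with the attacker's address of the
same type almost immediately, so two different addresses of one type seen
within a short interval (2 s here, an assumption) are flagged. Mnemonic
detection is a word-count heuristic, not a BIP39 wordlist check. The history
format and all sample data are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),  # Base58 P2PKH/P2SH
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),       # Bech32, lowercase
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),                        # 20-byte hex address
}
# Word counts a BIP39 seed phrase can have.
MNEMONIC_WORD_COUNTS = {12, 15, 18, 21, 24}


def classify(text: str) -> Optional[str]:
    """Return the address kind, "mnemonic", or None for uninteresting text."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    words = s.split(" ")
    if len(words) in MNEMONIC_WORD_COUNTS and all(w.isalpha() and w.islower() for w in words):
        return "mnemonic"
    return None


def find_swaps(history: List[Tuple[float, str]], max_gap: float = 2.0) -> List[Dict[str, object]]:
    """Flag consecutive snapshots where one address became a different address of the same kind.

    `history` is a list of (seconds, clipboard text) snapshots in time order.
    """
    alerts: List[Dict[str, object]] = []
    for (t0, before), (t1, after) in zip(history, history[1:]):
        kind = classify(before)
        if kind is None or kind == "mnemonic":
            continue
        if classify(after) == kind and before.strip() != after.strip() and (t1 - t0) <= max_gap:
            alerts.append({"time": t1, "kind": kind,
                           "original": before.strip(), "replacement": after.strip()})
    return alerts


def find_mnemonics(history: List[Tuple[float, str]]) -> List[float]:
    """Return the times at which something shaped like a seed phrase was on the clipboard."""
    return [t for t, text in history if classify(text) == "mnemonic"]


# Constructed clipboard history; the addresses are made-up strings of valid shape.
SAMPLE_HISTORY = [
    (0.0, "invoice 4471"),
    (5.0, "1AbCdEfGhJkLmNpQrStUvWxYz23456789A"),            # user copies a payee address
    (5.4, "1ZyXwVuTsRqPnMkJhGfEdCbA98765432B"),             # 0.4 s later: a different address, same type
    (20.0, "0x1111222233334444555566667777888899990000"),
    (40.0, "0xaaaabbbbccccddddeeeeffff0000111122223333"),   # 20 s later: an ordinary second copy
    (60.0, "alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima"),
]

if __name__ == "__main__":
    for a in find_swaps(SAMPLE_HISTORY):
        print(f"[{a['time']:.1f}s] {a['kind']} swap: {a['original']} -> {a['replacement']}")
    for t in find_mnemonics(SAMPLE_HISTORY):
        print(f"[{t:.1f}s] seed phrase present on clipboard")
```

The swap check is deliberately narrow: two different addresses of the same type 20 seconds apart is what a user doing two transfers looks like, so only the sub-window replacement is raised. The mnemonic check is independent of timing because a seed phrase has no business on the clipboard at all.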
Microsoft provides protection recommendations
Microsoft warns users to be cautious about connecting USB drives from unknown sources and not to rely solely on copy-and-paste when making transfers. When transferring crypto assets, users should double-check the receiving address.
Security tools should also be kept up to date; Microsoft specifically notes that Microsoft Defender should be current to improve its ability to detect such attacks.