Microsoft discloses new crypto-stealing malware: spreads via USB shortcuts, talks to its C2 over Tor and hijacks wallet addresses

2026-06-19 11:48

Odaily reports that the Microsoft Threat Intelligence team has disclosed a Windows cryptocurrency-stealing malware campaign that has been active since February 2026. The malware combines worm-like propagation over removable media, clipboard hijacking and Tor-based command-and-control to target digital asset users.

According to Microsoft's analysis, the malware spreads through disguised shortcut (.lnk) files placed on removable storage devices. It runs its script logic through WScript and ActiveX objects, drops and starts a local Tor client, and reaches its .onion hidden-service C2 servers through the local SOCKS proxy at 127.0.0.1:9050, which gives the operators anonymous control and an exfiltration channel. The attack chain includes several capabilities: continuous clipboard monitoring, theft of seed phrases and private keys, screenshot uploads, and "address replacement": when the user copies a cryptocurrency address, the clipboard content is swapped for an attacker-controlled address, so a transaction sent to the pasted address goes to the attacker instead of the intended recipient.
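The address-replacement behaviour above has a simple observable signature: the clipboard goes from one valid wallet address to a different valid address of the same coin family within milliseconds of the copy, without the user doing anything. The following detector is an added illustration (not code from Microsoft's report) that runs that check over a sequence of clipboard snapshots; the snapshots, the address regexes and the 2-second window are assumptions constructed for the example, and the addresses are well-known documentation examples, not attacker infrastructure.

```python
"""Clipboard address-swap check for the "address replacement" behaviour.

Added example, not part of the original report. Input is a list of
(timestamp_seconds, clipboard_text) snapshots such as a clipboard poller
would produce. A transition from one valid address to a different valid
address of the same family inside `window_s` seconds is flagged, because a
human rarely copies two distinct wallet addresses that quickly.
"""
import re
from typing import Dict, List, Optional, Tuple

# Loose format checks only (no checksum validation); tune per asset.
# Assumed patterns: BTC legacy base58 (1.../3...) or bech32 (bc1...), ETH hex.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the coin family of `text` if it looks like a wallet address."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


def detect_swaps(snapshots: List[Tuple[float, str]], window_s: float = 2.0) -> List[Dict]:
    """Flag address-to-address rewrites that happen faster than `window_s`."""
    alerts = []
    prev_t = prev_text = prev_family = None
    for t, raw in snapshots:
        text = raw.strip()
        if text == prev_text:
            continue  # poller re-read the same content; keep the first-seen time
        family = classify_address(text)
        if (family is not None and family == prev_family
                and prev_t is not None and t - prev_t <= window_s):
            alerts.append({
                "family": family,
                "copied": prev_text,
                "replaced_with": text,
                "delay_s": round(t - prev_t, 3),
            })
        prev_t, prev_text, prev_family = t, text, family
    return alerts


# Constructed snapshot sequence for the example (not captured from a real host).
SAMPLE_SNAPSHOTS = [
    (0.00, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),          # user copies a BTC address
    (0.25, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),          # poller sees unchanged content
    (0.30, "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"),          # clipper rewrites it 300 ms later
    (9.00, "meeting notes for tomorrow"),                   # ordinary text, ignored
    (12.0, "0x742d35Cc6634C0532925a3b844Bc454e4438f44e"),  # user copies an ETH address
    (30.0, "0x0000000000000000000000000000000000000001"),  # second ETH address 18 s later: user action
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"[{alert['family']}] clipboard rewritten after {alert['delay_s']}s: "
              f"{alert['copied']} -> {alert['replaced_with']}")
```

A real deployment would feed this from a clipboard poller (on Windows, for example, `Get-Clipboard` in a loop or the Win32 clipboard APIs) and, more usefully, re-read the clipboard immediately before a wallet application sends a transaction and refuse to proceed if the address no longer matches what the user copied. The window is a heuristic: lengthen it and a fast-clicking user produces false positives, shorten it and a clipper that delays its rewrite slips through.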

The trojan also propagates like a worm: it copies itself onto removable drives such as USB sticks and registers scheduled tasks so that it survives reboots. It carries basic anti-analysis checks as well, such as detecting a running Task Manager to hinder inspection.

On the detection side, Microsoft classifies the malware under the Trojan:Win32/CryptoBandits family and blocks it on behavioral indicators such as anomalous WScript invocations, proxy traffic to localhost:9050, and PowerShell-driven screen capture. Security researchers recommend tightening control over script execution (which scripts WScript and CScript may run, and from where) and monitoring for unexpected traffic to local proxy ports.
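The three behavioral indicators Microsoft names, plus the scheduled-task persistence described above, map directly onto process-creation and network-connection telemetry. The script below is an added example (not Microsoft's detection logic) that encodes them as rules over Sysmon-style events. The event records are constructed for the example; the field names follow Sysmon's schema (EventID 1 for process creation, EventID 3 for network connections) and the path and port choices are assumptions to be tuned for a given environment.

```python
"""Behavioral rules for CryptoBandits-style tradecraft over Sysmon-style events.

Added example, not code from the report. Each rule inspects one event and
returns a description string when it fires, or None. `detect()` runs all
rules over an event stream and returns the hits in order.
"""
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TOR_SOCKS_PORTS = {9050, 9150}  # 9050: default tor daemon; 9150: Tor Browser bundle
# Script on a non-system drive (removable media) or in a user-writable location.
SUSPICIOUS_SCRIPT_PATH = re.compile(
    r'(?:[D-Z]:\\|\\AppData\\|\\Temp\\|\\Users\\Public\\)[^"\s]*\.(?:vbs|vbe|js|jse|wsf)\b',
    re.IGNORECASE,
)
SCREENSHOT_MARKERS = ("system.drawing", "copyfromscreen")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host_from_removable_or_user_path(ev: Dict) -> Optional[str]:
    """WScript/CScript executing a script from a removable drive or user-writable path."""
    if ev.get("EventID") != 1 or basename(ev["Image"]) not in SCRIPT_HOSTS:
        return None
    m = SUSPICIOUS_SCRIPT_PATH.search(ev.get("CommandLine", ""))
    return f"script host ran script from non-system path: {m.group(0)}" if m else None


def rule_localhost_tor_socks(ev: Dict) -> Optional[str]:
    """Any process other than a Tor client itself talking to a local Tor SOCKS port."""
    if ev.get("EventID") != 3:
        return None
    if ev.get("DestinationIp") not in ("127.0.0.1", "::1") or ev.get("DestinationPort") not in TOR_SOCKS_PORTS:
        return None
    image = ev["Image"].lower()
    if "tor browser" in image or basename(ev["Image"]) == "tor.exe":
        return None  # expected consumer of a Tor SOCKS port
    return f"{basename(ev['Image'])} connected to local Tor SOCKS port {ev['DestinationPort']}"


def rule_powershell_screenshot(ev: Dict) -> Optional[str]:
    """PowerShell capturing the screen through System.Drawing / CopyFromScreen."""
    if ev.get("EventID") != 1 or basename(ev["Image"]) != "powershell.exe":
        return None
    cmd = ev.get("CommandLine", "").lower()
    return "PowerShell screen capture via System.Drawing/CopyFromScreen" if all(m in cmd for m in SCREENSHOT_MARKERS) else None


def rule_scheduled_task_script_host(ev: Dict) -> Optional[str]:
    """schtasks creating a task whose action is a script host (persistence)."""
    if ev.get("EventID") != 1 or basename(ev["Image"]) != "schtasks.exe":
        return None
    cmd = ev.get("CommandLine", "").lower()
    return "scheduled task created to run a script host" if "/create" in cmd and any(h in cmd for h in SCRIPT_HOSTS) else None


RULES: List[Callable[[Dict], Optional[str]]] = [
    rule_script_host_from_removable_or_user_path,
    rule_localhost_tor_socks,
    rule_powershell_screenshot,
    rule_scheduled_task_script_host,
]


def detect(events: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Return (rule_name, description) for every rule that fires on every event."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, msg))
    return hits


# Constructed telemetry for the example; not captured from a real infection.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "E:\Photos\update.vbs"'},
    {"EventID": 3, "Image": r"C:\Windows\System32\wscript.exe", "DestinationIp": "127.0.0.1", "DestinationPort": 9050},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell -w hidden -c Add-Type -AssemblyName System.Drawing; "
                    "$b=New-Object Drawing.Bitmap 1920,1080; "
                    "[Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size); $b.Save('C:\\Users\\Public\\s.png')"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn Updater /tr "wscript.exe //B C:\Users\u\AppData\Roaming\x.vbs"'},
    # Benign noise that the rules should not flag: a domain logon script, and Tor Browser using its own SOCKS port.
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\gpscript.exe",
     "CommandLine": r'wscript.exe "\\corp.example\netlogon\map_drives.vbs"'},
    {"EventID": 3, "Image": r"C:\Users\u\Desktop\Tor Browser\Browser\firefox.exe", "DestinationIp": "127.0.0.1", "DestinationPort": 9150},
]

if __name__ == "__main__":
    for name, msg in detect(SAMPLE_EVENTS):
        print(f"{name}: {msg}")
```

Each rule on its own is noisy in some environments (logon scripts, legitimate Tor users, admin screenshot tooling), so the useful signal is correlation: the same script-host process that ran a script from a removable drive also opening 127.0.0.1:9050, or spawning the PowerShell capture and the schtasks persistence. The user-writable path list and the port set are the knobs to tune; Microsoft's own detection covers these behaviors in the product, and this script only shows how the indicators translate into telemetry queries.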