Microsoft unveils new crypto trojan threat: Can spread via Tor and hijack wallet addresses

2026-06-19 11:48

Odaily reports that the Microsoft Threat Intelligence team has officially disclosed a Windows crypto trojan threat active since February 2026. The malware combines worm-like propagation, clipboard hijacking, and anonymous communication over Tor to target digital asset users.

Microsoft's analysis indicates that the malicious program spreads between removable storage devices via disguised shortcut (.lnk) files, using WScript and ActiveX to execute its script logic. It automatically deploys a local Tor client and reaches an .onion hidden-service C2 server through the local SOCKS proxy at 127.0.0.1:9050 for anonymous control and data exfiltration. The attack chain includes several malicious capabilities: continuous clipboard monitoring, theft of seed phrases and private keys, screenshot exfiltration, and "address replacement", in which a cryptocurrency address copied by the user is silently swapped for a wallet address controlled by the attacker so that funds are diverted.

Furthermore, the trojan has worm-like propagation capabilities, automatically copying itself to devices such as USB drives and creating scheduled tasks for persistence. It also has basic anti-analysis capabilities (detecting Task Manager to evade inspection).

On the detection front, Microsoft has classified it under the Trojan:Win32/CryptoBandits family and blocks it based on behavioral indicators such as abnormal WScript calls, proxy traffic to localhost:9050, and PowerShell screenshot behavior. Security researchers recommend focusing on protecting script execution paths and monitoring for anomalous local proxy traffic.
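The three behavioral indicators named above translate naturally into triage rules over endpoint telemetry. The following is an added example written for this page, not Microsoft's detection logic or anything from the Odaily report: it runs three simple rules over a handful of constructed, Sysmon-like event records and flags WScript launched from removable media or a .lnk lure, non-Tor processes connecting to 127.0.0.1:9050, and PowerShell command lines touching screen-capture APIs. The event field names, the sample events, the Tor process allowlist and the screen-capture keyword markers (`System.Drawing`, `CopyFromScreen`) are all assumptions a defender would tune to their own environment.

```python
"""Behavioral triage of constructed Windows process/network events.

Added example, not Microsoft's detection logic or the article's content.
Each rule encodes one indicator named in the report (abnormal WScript calls,
localhost:9050 proxy traffic, PowerShell screenshot activity). Field names
and sample events are assumptions; real telemetry (e.g. Sysmon event IDs 1
and 3) has a different shape and would need a small adapter.
"""

TOR_SOCKS_PORT = 9050
# Assumption: processes legitimately expected to use the Tor SOCKS port.
TOR_ALLOWLIST = {"tor.exe", "firefox.exe"}
# Assumption: substrings that indicate screen capture from PowerShell.
SCREENSHOT_MARKERS = ("copyfromscreen", "system.drawing")

# Constructed sample telemetry: one dict per event, Sysmon-like but simplified.
SAMPLE_EVENTS = [
    # Benign: Tor Browser's own tor.exe process.
    {"type": "process", "image": r"C:\Tor Browser\Browser\TorBrowser\Tor\tor.exe",
     "cmdline": "tor.exe -f torrc", "parent": r"C:\Tor Browser\Browser\firefox.exe"},
    # Suspicious: WScript started from a removable drive via a .lnk lure.
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "E:\Photos.lnk"',
     "parent": r"C:\Windows\explorer.exe", "drive_type": "removable"},
    # Suspicious: a non-Tor process talking to the local SOCKS port.
    {"type": "network", "image": r"C:\Windows\System32\wscript.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9050},
    # Benign: localhost traffic to an unrelated port.
    {"type": "network", "image": r"C:\Program Files\App\app.exe",
     "dst_ip": "127.0.0.1", "dst_port": 8080},
    # Suspicious: PowerShell referencing screen-capture APIs (assumed indicator).
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c <...> System.Drawing <...> CopyFromScreen <...>",
     "parent": r"C:\Windows\System32\wscript.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_wscript(ev):
    """Abnormal WScript call: launched from removable media or via a .lnk file."""
    if ev["type"] != "process" or basename(ev["image"]) != "wscript.exe":
        return None
    cmd = ev.get("cmdline", "").lower()
    if ev.get("drive_type") == "removable" or ".lnk" in cmd:
        return "wscript launched from removable media / .lnk lure"
    return None


def check_local_proxy(ev):
    """Localhost:9050 traffic from a process that is not a known Tor component."""
    if ev["type"] != "network":
        return None
    if (ev.get("dst_ip") == "127.0.0.1" and ev.get("dst_port") == TOR_SOCKS_PORT
            and basename(ev["image"]) not in TOR_ALLOWLIST):
        return "non-Tor process connecting to localhost:9050"
    return None


def check_powershell_screenshot(ev):
    """PowerShell command line that references screen-capture APIs."""
    if ev["type"] != "process" or basename(ev["image"]) != "powershell.exe":
        return None
    cmd = ev.get("cmdline", "").lower()
    if any(marker in cmd for marker in SCREENSHOT_MARKERS):
        finding = "PowerShell screen-capture API usage"
        # A script host as parent strengthens the finding (matches the reported chain).
        if basename(ev.get("parent", "")) == "wscript.exe":
            finding += " (spawned by wscript.exe)"
        return finding
    return None


RULES = (check_wscript, check_local_proxy, check_powershell_screenshot)


def triage(events):
    """Return (event_index, finding) pairs for every rule that matches an event."""
    findings = []
    for index, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((index, hit))
    return findings


if __name__ == "__main__":
    for index, finding in triage(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

On the constructed sample the benign tor.exe and the unrelated localhost connection produce no findings, while the WScript launch, the WScript-originated connection to port 9050 and the PowerShell screen-capture command each produce one. In a real deployment the allowlist for port 9050 is the part most worth getting right: Tor Browser installs legitimately use that port, so the rule keys on which process opens the connection rather than on the port alone.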