Microsoft discloses new crypto Trojan threat: can spread via Tor and hijack wallet addresses

2026-06-19 11:48

Microsoft's threat intelligence team officially disclosed a Windows crypto Trojan threat active since February 2026. This malware combines "worm-like propagation + clipboard hijacking + Tor anonymous communication" to target digital asset users.

Microsoft's analysis indicates that the malicious program spreads through disguised shortcut (.lnk) files on removable storage devices and uses WScript and ActiveX to execute its script logic. It automatically deploys a local Tor client and connects to an .onion hidden-service C2 server through the 127.0.0.1:9050 proxy, giving the operators anonymous control and a channel for data exfiltration. The attack chain includes several malicious capabilities: continuously monitoring clipboard contents, stealing seed phrases and private keys, uploading screenshots, and performing "address replacement" when users copy cryptocurrency addresses, swapping the intended destination address for one controlled by the attacker so that funds are diverted.

Additionally, the Trojan has worm-like propagation capabilities, automatically copying itself onto devices such as USB drives, and creates scheduled tasks to persist across reboots. It also has basic anti-analysis capabilities (it checks for Task Manager to evade inspection and debugging).

On the detection front, Microsoft classifies it as part of the Trojan:Win32/CryptoBandits family and blocks it based on behavioral characteristics (such as abnormal WScript invocations, proxy traffic to localhost:9050, and PowerShell screenshot behavior). Security researchers recommend focusing on hardening script execution paths and monitoring for abnormal local proxy traffic.
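To make those behavioral indicators concrete, the following is an added example (not code from Microsoft or from this article) of a small Python triage script that applies the checks named above to host telemetry: a script host launched with a path on a non-system drive, any process connecting to the local Tor SOCKS port 127.0.0.1:9050, PowerShell invoked with screenshot-related .NET markers, and a scheduled task created by a script host. The event schema, the "drive letters other than C: are removable" heuristic, the rule names and the sample events are all assumptions constructed for illustration, not a real EDR format or real logs.

```python
"""Heuristic triage for the CryptoBandits-style behaviors described in Microsoft's
write-up. Constructed sample telemetry and a simplified, assumed event schema:
process events carry image/parent/cmdline; network events carry image/dst."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TOR_SOCKS_PORTS = {"9050"}            # default Tor SOCKS port cited in the write-up
LOCAL_HOSTS = {"127.0.0.1", "localhost"}
SCREENSHOT_MARKERS = ("copyfromscreen", "system.drawing")  # .NET screen-capture markers
# Assumption: any drive letter other than C: is treated as removable/non-system.
NONSYSTEM_DRIVE = re.compile(r"(?<![A-Za-z])[D-Zd-z]:\\")

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe //B "E:\System Volume Information\update.vbs"'},
    {"kind": "network", "image": r"C:\Users\alice\AppData\Roaming\svc\tor.exe",
     "dst": "203.0.113.10:9001"},
    {"kind": "network", "image": r"C:\Windows\System32\wscript.exe",
     "dst": "127.0.0.1:9050"},
    {"kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": 'powershell.exe -w hidden -c "Add-Type -AssemblyName System.Drawing; ...CopyFromScreen..."'},
    {"kind": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": 'schtasks.exe /create /sc minute /mo 5 /tn "Updater" /tr "wscript.exe E:\\update.vbs"'},
    # Benign noise: a logon script on the system drive, and Tor Browser's own port.
    {"kind": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"wscript.exe C:\ProgramData\Logon\map_drives.vbs"},
    {"kind": "network", "image": r"C:\Program Files\Tor Browser\Browser\firefox.exe",
     "dst": "127.0.0.1:9150"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_host_from_nonsystem_drive(ev: dict) -> bool:
    """WScript/CScript given a script path on a non-system (likely removable) drive."""
    return (ev["kind"] == "process"
            and basename(ev["image"]) in SCRIPT_HOSTS
            and NONSYSTEM_DRIVE.search(ev["cmdline"]) is not None)


def rule_local_tor_socks_proxy(ev: dict) -> bool:
    """Any process talking to the local Tor SOCKS port (127.0.0.1:9050)."""
    if ev["kind"] != "network":
        return False
    host, _, port = ev["dst"].rpartition(":")
    return host in LOCAL_HOSTS and port in TOR_SOCKS_PORTS


def rule_powershell_screenshot(ev: dict) -> bool:
    """PowerShell command line carrying screen-capture markers."""
    return (ev["kind"] == "process"
            and basename(ev["image"]) == "powershell.exe"
            and any(m in ev["cmdline"].lower() for m in SCREENSHOT_MARKERS))


def rule_schtasks_from_script_host(ev: dict) -> bool:
    """Scheduled-task creation whose parent is a script host (persistence)."""
    return (ev["kind"] == "process"
            and basename(ev["image"]) == "schtasks.exe"
            and "/create" in ev["cmdline"].lower()
            and basename(ev["parent"]) in SCRIPT_HOSTS)


RULES = {
    "script_host_from_nonsystem_drive": rule_script_host_from_nonsystem_drive,
    "local_tor_socks_proxy": rule_local_tor_socks_proxy,
    "powershell_screenshot": rule_powershell_screenshot,
    "schtasks_from_script_host": rule_schtasks_from_script_host,
}


def triage(events: list) -> list:
    """Return (event_index, rule_name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


def verdict(events: list) -> str:
    """Escalate when two or more distinct behaviors co-occur on one host;
    a single hit alone is too noisy (legitimate logon scripts, Tor users)."""
    fired = {name for _, name in triage(events)}
    if len(fired) >= 2:
        return "escalate"
    return "monitor" if fired else "clean"


if __name__ == "__main__":
    for idx, name in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
    print("verdict:", verdict(SAMPLE_EVENTS))
```

Each rule on its own is a weak signal (administrators run logon scripts with WScript, and Tor users legitimately connect to a local SOCKS proxy), which is why `verdict` only escalates when several of the behaviors Microsoft lists co-occur on the same host; a real deployment would scope the correlation to a time window and exclude known-good script paths.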