Microsoft Warns of CryptoBandits Clipper Malware That Swaps Wallet Addresses via USB

Microsoft's Threat Intelligence team has flagged a new Windows malware campaign it tracks as Trojan:Win32/CryptoBandits.A. The clipper-type malware monitors the clipboard for copied cryptocurrency wallet addresses and silently replaces them with addresses controlled by the attacker — a classic but effective way to redirect funds. It can also spread through removable drives, hiding real documents behind malicious shortcut files.

How CryptoBandits steals funds

The malware sits in the background waiting for a clipboard event. When a user copies what looks like a wallet address, CryptoBandits swaps it for the attacker's address before the user can paste. The swap happens so fast most people won't notice unless they double-check the full string. Microsoft's report also says the malware can search for sensitive crypto material, including private keys and seed phrases stored on the machine.

To make takedowns harder, the campaign routes command-and-control traffic through Tor. That means the attackers can keep updating the malware's behavior without exposing their infrastructure as easily.

Which systems are at risk

Only Windows machines are affected. The report explicitly says macOS and Linux are not in scope for this particular strain. The USB-based infection vector is notable: CryptoBandits hides real document files and replaces them with shortcut files that execute code when opened. Plugging an infected drive into a Windows PC could trigger the malware without the user running any obvious executable.

Microsoft's safety checklist

The company put out a short set of recommendations. Always check the full wallet address before hitting send — don't rely on just the first and last few characters. Use a hardware wallet for cold storage. Avoid plugging in unknown USB drives. And keep Windows security tools up to date, since Microsoft Defender can catch the threat when signatures are current.
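As an added illustration, not code from Microsoft's report, the following Python sketch shows the clipper pattern described above as a detection heuristic, plus the full-address check from the checklist. The clipboard samples, the addresses and the user-copy flag are constructed assumptions standing in for a real clipboard poller and input hook.

```python
import re
from dataclasses import dataclass

# Loose shape checks for common address formats (constructed for this example, not exhaustive).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return 'btc', 'eth' or None depending on whether text looks like a wallet address."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None

@dataclass
class Sample:
    ts_ms: int         # time the clipboard was polled
    content: str       # clipboard text at that moment
    user_copied: bool  # a user copy keystroke was seen since the last poll (assumed input hook)

def detect_swaps(samples, window_ms=500):
    """Flag a wallet address replaced by another of the same kind, soon after, with no user copy."""
    alerts = []
    for prev, cur in zip(samples, samples[1:]):
        if cur.content == prev.content or cur.user_copied:
            continue
        kind = address_kind(prev.content)
        if kind and kind == address_kind(cur.content) and cur.ts_ms - prev.ts_ms <= window_ms:
            alerts.append((cur.ts_ms, prev.content.strip(), cur.content.strip()))
    return alerts

def ends_match(a, b, n=4):
    """The weak check Microsoft warns against: only the first and last n characters agree."""
    return a[:n] == b[:n] and a[-n:] == b[-n:]

def verify_full_address(expected, pasted):
    """The recommended check: the entire string must match before sending."""
    return expected.strip() == pasted.strip()

# Constructed scenario: the user copies their own address; 120 ms later the clipboard holds an
# attacker address that shares the same leading and trailing characters (both values made up).
USER_ADDRESS = "0x" + "a1" * 20
ATTACKER_ADDRESS = "0xa1" + "b2" * 17 + "a1a1"
SAMPLES = [
    Sample(1000, USER_ADDRESS, True),       # legitimate copy by the user
    Sample(1120, ATTACKER_ADDRESS, False),  # silent swap: no copy keystroke, same address kind
    Sample(5000, "grocery list", True),     # ordinary copy later, not an address
]
```

Running `detect_swaps(SAMPLES)` yields one alert for the 1120 ms sample, while `ends_match` on the two addresses returns True and `verify_full_address` returns False, which is exactly why checking only the ends is not enough.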

The timing is a reminder that even as crypto adoption grows, basic clipboard-based theft hasn't gone away. Anyone handling transactions on a Windows machine should treat copied addresses as untrusted until verified.