
A new wave of malware is targeting cryptocurrency users, and Microsoft says the threat is growing. The malware, known as a Crypto Clipper, has been active since February and is spreading through infected USB drives.
Unlike many traditional crypto stealers, this malware does more than steal information. It can also function as a backdoor, giving attackers long-term access to compromised computers. That means hackers can execute additional code whenever they choose, opening the door to ransomware attacks and other threats.
Microsoft Threat Intelligence says the malware steals clipboard data, captures screenshots, and replaces cryptocurrency wallet addresses with attacker-controlled alternatives. Victims may never realize their funds are being redirected until it is too late.
Crypto Clipper Uses Tor to Hide Its Tracks
The Crypto Clipper relies on several stealth techniques to avoid detection. It hides legitimate files and replaces them with lookalike shortcuts. When users click those shortcuts, the malware silently executes and spreads to other USB storage devices.

The malware also installs an obfuscated copy of the Tor network software. Disguised as a harmless file named “ugate.exe,” it communicates with attackers through hidden onion services. This allows cybercriminals to conceal their infrastructure and make tracking difficult.
Microsoft researchers noted that the malware does not require a traditional installer or exposed IP addresses. Instead, it uses lightweight scripts and anonymized communications to remain hidden while carrying out attacks.
Crypto Clipper Targets Private Keys and Seed Phrases
The primary goal of the Crypto Clipper is financial theft. It searches the clipboard contents for valuable crypto-related information, including Bitcoin and Ethereum private keys and BIP39 seed phrases.
The malware can also replace copied wallet addresses across Bitcoin, Tron, and Monero transactions. To gather additional intelligence, it captures screenshots every ten seconds.
Microsoft Defender Antivirus detects the threat as Trojan:Win32/CryptoBandits.A. Users are urged to disable autoplay on removable media, block .lnk file execution from USB devices, and monitor systems for unusual proxy activity. The warning comes as 2026 continues to see a sharp rise in Windows-based crypto-stealing malware.
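Alongside the mitigations Microsoft lists, a defender can scan a removable drive for the lure described earlier in the article: a .lnk placed beside a same-named file or folder that has been hidden. The script below is an added example, not Microsoft's code and not the malware's; the sample file names are constructed, and the hidden-attribute check only has full effect on Windows.

```python
"""Scan a removable-drive root for the USB lure: a .lnk beside a same-named
entry that has been hidden. Added defensive example; constructed sample data."""
import os
import stat
import tempfile
from pathlib import Path

HIDDEN_BIT = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)  # Windows hidden attribute

def is_hidden(path: Path) -> bool:
    """Windows hidden attribute, with a dot-prefix fallback on other platforms."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & HIDDEN_BIT) or path.name.startswith(".")

def find_shortcut_lures(root: Path) -> list[dict]:
    """One finding per .lnk whose stem names a sibling entry. A shortcut
    shadowing a hidden sibling matches the clipper's swap and is rated high."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        folder = Path(folder)
        siblings = {p.name: p for p in folder.iterdir()}
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            shadowed = siblings.get(name[:-4])  # strip ".lnk" to get the lure name
            if shadowed is None:
                continue
            findings.append({
                "shortcut": str(folder / name),
                "shadowed": str(shadowed),
                "severity": "high" if is_hidden(shadowed) else "medium",
            })
    return findings

def build_demo_tree(root: Path) -> None:
    """Constructed sample: two lures plus one innocent file."""
    (root / "Photos").mkdir()  # the real folder; the malware would hide it
    (root / "Photos.lnk").write_bytes(b"L\x00\x00\x00")  # lookalike shortcut
    (root / "report.docx").write_bytes(b"demo")
    (root / "report.docx.lnk").write_bytes(b"L\x00\x00\x00")
    (root / "notes.txt").write_bytes(b"harmless")  # no shortcut beside it

def demo_findings() -> list[dict]:
    """Run the scan over the constructed sample in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(Path(tmp))
        return find_shortcut_lures(Path(tmp))

if __name__ == "__main__": print(*demo_findings(), sep="\n")
```

On a real drive, point find_shortcut_lures at the volume root and treat any "high" finding as a signal to isolate the device before opening anything on it.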