The campaign uses malicious .lnk shortcut files, often spread on USB drives, to start its infection chain. Once a shortcut is opened, the malware creates further infected shortcuts from legitimate files already on the machine, so it replicates across the host on its own. For persistence it registers scheduled tasks that relaunch it after a reboot, and it relies on the system's built-in script hosts rather than dropping a conventional installer binary, which leaves fewer of the artefacts that installer-focused detection looks for.
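The persistence described above lives in the Windows task store, where every scheduled task is an XML file under C:\Windows\System32\Tasks. The following hunting script is an added example, not code from the campaign or from the article: it parses task XML, pulls out the Exec actions, and flags the script-host launchers (wscript, cscript, powershell, mshta and similar) that script-based persistence relies on. The two task documents in the block are constructed samples; the heuristics (script hosts, script extensions, hidden-window flags, user-writable paths) are the author's choices, not anything the article specifies.

```python
"""Hunt scheduled tasks that launch a script host.

Added example (not the campaign's or the article's code). Windows stores each
scheduled task as an XML file under C:\\Windows\\System32\\Tasks; this pulls
the <Exec> actions out of such XML and flags script-based launchers.
"""
import sys
import re
import xml.etree.ElementTree as ET
from pathlib import Path, PureWindowsPath

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Interpreters that run a script rather than a compiled installer (heuristic list).
SCRIPT_HOSTS = {"wscript", "cscript", "powershell", "pwsh", "mshta", "cmd", "regsvr32", "rundll32"}
# Script or shortcut files handed to the host as an argument.
SCRIPT_ARG = re.compile(r"\.(vbs|vbe|js|jse|wsf|ps1|hta|bat|cmd|lnk)\b", re.IGNORECASE)
# Flags that hide the window or obfuscate the command line.
STEALTH_FLAG = re.compile(r"(?i)(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s|//b\b)")
# Directories a standard user can write to; installers rarely live here.
USER_WRITABLE = re.compile(r"(?i)\\(AppData|Temp|ProgramData|Public|Downloads)\\")

# Constructed sample: a logon task running a JScript file from the user's profile.
MALICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\wscript.exe</Command>
      <Arguments>//B //Nologo "C:\\Users\\alice\\AppData\\Roaming\\Sync\\update.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: an ordinary vendor updater installed under Program Files.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Program Files\\Example Corp\\Updater\\updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


def exec_actions(task_xml):
    """Yield (command, arguments) for every <Exec> action in a task document."""
    root = ET.fromstring(task_xml)
    for node in root.iter(TASK_NS + "Exec"):
        cmd = (node.findtext(TASK_NS + "Command") or "").strip()
        args = (node.findtext(TASK_NS + "Arguments") or "").strip()
        yield cmd, args


def host_name(command):
    """'C:\\Windows\\System32\\wscript.exe' -> 'wscript' (works on any OS)."""
    name = PureWindowsPath(command.strip('"')).name.lower()
    return name[:-4] if name.endswith(".exe") else name


def suspicious_actions(task_xml):
    """Return [(command, arguments, [reasons])] for actions worth a closer look."""
    findings = []
    for cmd, args in exec_actions(task_xml):
        reasons = []
        host = host_name(cmd)
        if host in SCRIPT_HOSTS:
            reasons.append(f"script host {host}")
        if SCRIPT_ARG.search(args):
            reasons.append("script or shortcut passed as argument")
        if STEALTH_FLAG.search(args):
            reasons.append("hidden-window or encoded-command flag")
        if USER_WRITABLE.search(cmd + " " + args):
            reasons.append("payload in user-writable directory")
        if reasons:
            findings.append((cmd, args, reasons))
    return findings


def scan_task_directory(tasks_dir):
    """Walk a real task store (files are UTF-16 XML; run as Administrator)."""
    for path in Path(tasks_dir).rglob("*"):
        if not path.is_file():
            continue
        try:
            for cmd, args, reasons in suspicious_actions(path.read_bytes()):
                print(f"{path}: {cmd} {args}  [{'; '.join(reasons)}]")
        except ET.ParseError:
            continue


if __name__ == "__main__":
    if len(sys.argv) > 1:
        scan_task_directory(sys.argv[1])
    else:
        for label, doc in (("malicious", MALICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
            print(label, suspicious_actions(doc))
```

Run it with no arguments to see the two constructed samples classified, or pass the path of a task store to scan a live system. The signals are deliberately coarse: a legitimate task can run PowerShell with a hidden window, so treat a hit as a lead to triage, and weigh a script host launched from AppData or Temp far more heavily than one launched from Program Files.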
The malware polls the clipboard every 500 milliseconds for sensitive data: private keys, seed phrases and cryptocurrency wallet addresses. When it recognises a wallet address it silently replaces the clipboard contents with an attacker-controlled address, so a victim who pastes into a transfer form sends funds to the attacker. Exfiltration and command-and-control traffic go through a bundled portable Tor client reached via a local SOCKS5 proxy; because the hostnames are resolved inside the Tor circuit rather than by the host's resolver, the activity does not appear in standard DNS monitoring.
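The clipper behaviour above has two halves that a defender can model directly: recognising wallet material in clipboard text, and spotting the tell-tale swap of one address for another of the same kind within the malware's polling window. The block below is an added example, not code from the campaign or the article. The address regexes cover the formats a clipper typically targets (Bitcoin legacy and bech32, Ethereum, Monero, Tron) plus the shape of WIF and raw hex private keys and a word-count heuristic for seed phrases; the two-second swap window, the sample addresses and the snapshot sequence are all constructed for illustration and the addresses are not real wallets.

```python
"""Recognise wallet material in clipboard text and detect a clipper's swap.

Added example (not the campaign's or the article's code). `classify` labels
a clipboard string; `detect_swaps` replays timestamped snapshots and alerts
when an address is replaced by a different address of the same kind within
the clipper's polling window. All sample addresses are constructed.
"""
import re
import time

ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),   # base58, no 0/O/I/l
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),       # lowercase bech32
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "xmr": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
    "trx": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}
ADDRESS_KINDS = set(ADDRESS_PATTERNS)
WIF_KEY = re.compile(r"^[5KL][1-9A-HJ-NP-Za-km-z]{50,51}$")   # Bitcoin WIF private key
HEX_KEY = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")               # raw 256-bit key
SEED_WORD_COUNTS = {12, 15, 18, 21, 24}                        # BIP-39 phrase lengths


def classify(text):
    """Return the kind of wallet material in `text`, or None."""
    s = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return kind
    if WIF_KEY.match(s):
        return "wif_private_key"
    if HEX_KEY.match(s):
        # Any 256-bit hex value (a SHA-256 digest, say) matches too: a candidate only.
        return "hex_key_candidate"
    words = s.lower().split()
    if len(words) in SEED_WORD_COUNTS and all(w.isalpha() and 3 <= len(w) <= 8 for w in words):
        # BIP-39 words are 3-8 lowercase letters; a full check would consult the wordlist.
        return "seed_phrase_candidate"
    return None


def detect_swaps(snapshots, window_ms=2000):
    """snapshots: [(t_ms, text)] in time order. Return a list of alert dicts.

    An alert fires when two successive snapshots hold different addresses of the
    same kind within `window_ms`. A user overwriting their own address that fast
    is rare; a clipper polling every 500 ms does exactly this.
    """
    alerts = []
    for (t0, a), (t1, b) in zip(snapshots, snapshots[1:]):
        kind_a, kind_b = classify(a), classify(b)
        if (kind_a in ADDRESS_KINDS and kind_a == kind_b
                and a.strip() != b.strip() and t1 - t0 <= window_ms):
            alerts.append({"t_ms": t1, "kind": kind_a,
                           "original": a.strip(), "replacement": b.strip()})
    return alerts


def monitor(read_clipboard, poll_ms=250, window_ms=2000):
    """Poll `read_clipboard()` (e.g. pyperclip.paste) and print swaps as they happen."""
    history = []
    while True:
        history.append((int(time.time() * 1000), read_clipboard()))
        history = history[-2:]
        for alert in detect_swaps(history, window_ms):
            print("possible clipper:", alert)
        time.sleep(poll_ms / 1000)


# Constructed addresses: regex-shaped only, not checksummed, not real wallets.
USER_BTC = "1Nv7Tq3xPbYg8KwZmD2cR5eFhJ4sUaE9Lk"
ATTACKER_BTC = "1Kx4rMa7bN2Qz9fTyWpG3hV6sDcE8gJuRq"
USER_ETH = "0x" + "ab" * 20
OTHER_ETH = "0x" + "cd" * 20

# Constructed snapshot sequence (milliseconds, clipboard text).
SAMPLE_SNAPSHOTS = [
    (0, "meeting notes"),
    (500, USER_BTC),        # user copies their own address
    (1000, ATTACKER_BTC),   # 500 ms later it has been swapped
    (1500, ATTACKER_BTC),
    (30000, USER_ETH),
    (90000, OTHER_ETH),     # a minute apart: the user copied a second address
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(alert)
```

On the constructed sequence only the Bitcoin pair fires; the two Ethereum addresses a minute apart do not. To watch a live host, call `monitor` with a clipboard reader such as `pyperclip.paste`. The regexes establish shape only: adding a Base58Check or EIP-55 checksum test cuts false positives on random-looking strings, and a seed-phrase hit should be confirmed against the BIP-39 wordlist before anyone acts on it.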
