CryptoBandits: Tor-Routed Crypto Clipper with USB Worm Propagation
Microsoft Defender researchers documented the CryptoBandits campaign in June 2026: a Windows-targeting cryptocurrency-theft operation, active since at least February 2026, that combines worm-like propagation through USB removable media with a clipboard hijacker capable of silently redirecting transactions across six cryptocurrency address formats: Bitcoin legacy, P2SH, Taproot, Bech32, Tron, and Monero. The threat carries no geographic or sector filter and spreads opportunistically to any Windows host where an infected USB device is inserted, placing every organization whose employees use removable storage at risk. Two design choices make this campaign distinctive: a bundled, renamed Tor client that provides fully autonomous .onion C2 routing without relying on victim-installed Tor software, and a multi-layered obfuscation stack of PyArmor-protected Python scripts packaged via PyInstaller that significantly raises the bar for static analysis.
Initial access is physical: the worm scans USB storage for document files (.doc, .xlsx, .pdf), hides the originals by setting the system and hidden attributes, and replaces them with double-extension LNK shortcuts masquerading as the same documents. When the victim opens what appears to be a legitimate file, WScript or CScript executes the embedded JavaScript payload, which decrypts and drops a second-stage component into a staging subdirectory under the shared public documents folder, using five-character names for both the folder and the script file. Persistence is established via two indefinite scheduled tasks: one drives continued USB propagation to any newly mounted removable media, and the other ensures the clipboard-stealing component re-executes on each trigger interval, surviving reboots and manual process kills. An anti-analysis guard queries running processes and exits immediately if Task Manager is detected.
The core financial impact is delivered through two theft mechanisms operating in parallel. The clipboard hijacker polls at roughly 500-millisecond intervals, detects cryptocurrency address formats by pattern matching, and silently substitutes the copied address with an attacker-controlled equivalent while preserving the visual format so the victim sees nothing unusual during the transaction. When a mnemonic seed phrase is detected in the clipboard, the malware saves a local backup copy and exfiltrates it to the C2 domain immediately. Corroborating context is captured via a PowerShell screen-capture routine that takes five screenshots at 10-second intervals, supporting manual validation of any stolen credentials. All exfiltration travels via curl through a local SOCKS5 proxy to .onion C2 domains, with the bundled Tor binary (renamed ugate.exe) handling onion routing entirely independently of external Tor infrastructure, which makes the C2 channel resistant to both DNS-based and IP-reputation blocking.
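As an added defender-side illustration (not code from the Microsoft report and not the malware's own logic), the following Python models the clipboard-swap behaviour described above as detection logic: it classifies clipboard text against the six address formats the report names, flags a same-format address that is replaced by a different one inside the clipper's polling window, and flags a seed-phrase-shaped string appearing on the clipboard. The format rules, the 2-second window, and the sample clipboard snapshots are assumptions constructed here.

```python
import re

# Shape rules (prefix, alphabet, length) for the six formats the report names.
# These are constructed heuristics: they recognise the shape of an address, they do
# not validate its checksum.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
BECH32 = r"[02-9ac-hj-np-z]"
ADDRESS_PATTERNS = {
    "btc_legacy":  re.compile(r"^1" + BASE58 + r"{25,34}$"),
    "btc_p2sh":    re.compile(r"^3" + BASE58 + r"{25,34}$"),
    "btc_bech32":  re.compile(r"^bc1q" + BECH32 + r"{38,58}$"),
    "btc_taproot": re.compile(r"^bc1p" + BECH32 + r"{58}$"),
    "tron":        re.compile(r"^T" + BASE58 + r"{33}$"),
    "monero":      re.compile(r"^[48]" + BASE58 + r"{94,105}$"),
}
# 12 to 24 lowercase words of 3-8 letters: the shape of a BIP39 mnemonic (no wordlist check).
SEED_WORDS = re.compile(r"^(?:[a-z]{3,8} ){11,23}[a-z]{3,8}$")

def classify(text):
    """Return the address format name, 'seed_phrase', or None for other clipboard text."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    if SEED_WORDS.match(text):
        return "seed_phrase"
    return None

def detect_swaps(snapshots, window_ms=2000):
    """snapshots: list of (time_ms, clipboard_text) in time order.
    Flags (a) an address replaced by a different address of the same format within
    window_ms, which is how a 500 ms clipper swap looks to an observer, and
    (b) any seed phrase on the clipboard. Returns (time_ms, alert, format) tuples."""
    alerts = []
    prev_t, prev_text, prev_kind = None, None, None
    for t, text in snapshots:
        kind = classify(text)
        if kind == "seed_phrase":
            alerts.append((t, "seed_phrase_on_clipboard", None))
        elif kind and kind == prev_kind and text != prev_text and t - prev_t <= window_ms:
            alerts.append((t, "address_swap", kind))
        prev_t, prev_text, prev_kind = t, text, kind
    return alerts

# Constructed clipboard history: the user copies a legacy BTC address, and 500 ms later a
# different legacy address sits in its place; later a 12-word phrase is copied.
SAMPLE = [
    (0, "meeting notes for friday"),
    (1000, "1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab"),
    (1500, "1ZyXwVuTsRqPnMkJhGfEdCbA98765432zy"),
    (9000, "apple river stone cloud maple tiger ocean candle forest silver window garden"),
]
```

Running `detect_swaps(SAMPLE)` yields one `address_swap` alert for the legacy-format replacement at 1500 ms and one `seed_phrase_on_clipboard` alert at 9000 ms.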
IOCs (26): 10 .onion domains and 16 SHA256 file hashes
Detections
- Scheduled Task Created for JavaScript Payload via XML in Public Documents
- Tor Client Activity
- Suspicious Double-Extension LNK File Written
- CryptoBandits C2 Endpoint URL Pattern in curl Command Line
- Clipboard BIP39 Seed Phrase or Private Key Read by Non-Wallet Process
- Document Files on Removable Media Hidden via System or Hidden Attribute by Non-Installer Process
- Renamed Tor Binary Making Outbound Connections to Tor Directory Authority Nodes