Severity: critical | July 1, 2026

CryptoBandits: Tor-Routed Crypto Clipper with USB Worm Propagation


Microsoft Defender researchers documented the CryptoBandits campaign in June 2026: a Windows-targeting cryptocurrency theft operation, active since at least February 2026, that combines worm-like propagation through USB removable media with a clipboard hijacker capable of silently redirecting transactions across six cryptocurrency address formats (Bitcoin legacy, P2SH, Taproot, Bech32, Tron, and Monero). The threat applies no geographic or sector filter and spreads opportunistically to any Windows host into which an infected USB device is inserted, so any organization whose employees use removable storage is exposed. Two design choices make the campaign distinctive: a bundled, renamed Tor client that provides fully autonomous .onion C2 routing without relying on victim-installed Tor software, and a multi-layered obfuscation stack of PyArmor-protected Python scripts packaged with PyInstaller that significantly raises the bar for static analysis.

Initial access is physical. The worm scans USB storage for document files (.doc, .xlsx, .pdf), hides the originals by setting the system and hidden file attributes, and replaces them with double-extension LNK shortcuts masquerading as the same documents. When the victim opens what appears to be a legitimate file, WScript or CScript executes the embedded JavaScript payload, which decrypts and drops a second-stage component into a staging subdirectory under the shared Public Documents folder, using five-character names for both the folder and the script file. Persistence is established through two scheduled tasks with no end date: one drives continued USB propagation to any newly mounted removable media, and the other re-executes the clipboard-stealing component on each trigger interval, so it survives reboots and manual process kills. An anti-analysis guard enumerates running processes and exits immediately if Task Manager is found.

The core financial impact comes from two theft mechanisms running in parallel. The clipboard hijacker polls at roughly 500-millisecond intervals, detects cryptocurrency addresses by pattern matching on the six formats, and silently replaces the copied address with an attacker-controlled address of the same format, so the pasted value still looks right to the victim at transaction time. Because the substitute preserves the original's prefix and length, shape alone is no signal; only a full comparison of the pasted address against the intended one catches the swap. When a mnemonic seed phrase is detected in the clipboard, the malware saves a local backup copy and immediately exfiltrates it to the C2. Corroborating context comes from a PowerShell screen-capture routine that takes five screenshots at 10-second intervals, supporting manual validation of stolen credentials. All exfiltration travels via curl through a local SOCKS5 proxy to .onion C2 domains, with the bundled Tor binary (renamed ugate.exe) handling onion routing entirely independently of external Tor infrastructure, which makes the C2 channel resistant to both DNS-based and IP-reputation blocking.
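As an added example (not code from the Defender report or from the malware), the following Python classifies a copied token into the same six address formats the clipper pattern-matches and turns that around into a paste-integrity check: a pasted address that differs from the intended one while sharing its format is exactly the clipper's footprint. The regexes, the seed-phrase heuristic and the synthesised sample addresses are this example's own assumptions; the patterns check prefix, alphabet and length only, not checksums.

```python
"""Address-format classifier and paste-integrity check for the six formats
CryptoBandits hijacks. Added example for this brief, not code from the
report or the malware. Patterns check prefix, alphabet and length only
(no checksum), so a match means "shaped like", not "valid". The sample
addresses are synthesised below and are not real wallets."""
import random
import re

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"                # Base58 alphabet (no 0, O, I, l)
BECH32 = r"[qpzry9x8gf2tvdw0s3jn54khce6mua7l]"  # bech32 / bech32m alphabet

ADDRESS_PATTERNS = {
    "btc_legacy":  re.compile(rf"^1{BASE58}{{25,34}}$"),                      # P2PKH
    "btc_p2sh":    re.compile(rf"^3{BASE58}{{25,34}}$"),
    "btc_bech32":  re.compile(rf"^bc1q(?:{BECH32}{{38}}|{BECH32}{{58}})$"),   # P2WPKH / P2WSH
    "btc_taproot": re.compile(rf"^bc1p{BECH32}{{58}}$"),                      # P2TR (bech32m)
    "tron":        re.compile(rf"^T{BASE58}{{33}}$"),
    "monero":      re.compile(rf"^(?:[48]{BASE58}{{94}}|4{BASE58}{{105}})$"),  # std / sub / integrated
}


def classify_address(text: str):
    """Return the format name for a single copied token, or None."""
    token = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(token):
            return name
    return None


def looks_like_seed_phrase(text: str) -> bool:
    """Heuristic BIP39 check: 12/15/18/21/24 lowercase words of 3-8 letters.
    A production detector would also verify each word against the 2048-word
    list; that list is omitted here to keep the example short."""
    words = text.split()
    return len(words) in {12, 15, 18, 21, 24} and all(
        w.isalpha() and w.islower() and 3 <= len(w) <= 8 for w in words)


def check_paste(intended: str, clipboard: str) -> str:
    """Compare the address the user meant to send to with the clipboard
    contents at paste time. A different address of the *same* format is the
    clipper's signature: the swap preserves shape, so only a full string
    comparison catches it."""
    a, b = intended.strip(), clipboard.strip()
    if a == b:
        return "ok"
    fmt_a, fmt_b = classify_address(a), classify_address(b)
    if fmt_a is not None and fmt_a == fmt_b:
        return "substituted_same_format"
    return "mismatch"


# --- constructed samples (deterministic, NOT real addresses) -----------------
B58_CHARS = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARS = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def synth_address(prefix: str, alphabet: str, length: int, seed: int) -> str:
    """Prefix plus a seeded pseudo-random body of the right alphabet/length."""
    rng = random.Random(seed)
    return prefix + "".join(rng.choice(alphabet) for _ in range(length - len(prefix)))


SAMPLES = {
    "btc_legacy":  synth_address("1", B58_CHARS, 34, 1),
    "btc_p2sh":    synth_address("3", B58_CHARS, 34, 2),
    "btc_bech32":  synth_address("bc1q", BECH32_CHARS, 42, 3),
    "btc_taproot": synth_address("bc1p", BECH32_CHARS, 62, 4),
    "tron":        synth_address("T", B58_CHARS, 34, 5),
    "monero":      synth_address("4", B58_CHARS, 95, 6),
}

if __name__ == "__main__":
    for fmt, addr in SAMPLES.items():
        print(f"{fmt:12} {classify_address(addr) == fmt}  {addr}")
    swapped = synth_address("1", B58_CHARS, 34, 99)
    print(check_paste(SAMPLES["btc_legacy"], swapped))  # substituted_same_format
```

The same classifier is what a clipboard-monitoring detection (such as the seed-phrase rule listed below) would run on each clipboard read; on the wallet side, `check_paste` is the control that the format-preserving swap is designed to evade only if the comparison is skipped.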

Domain (10)
cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion
gfoqsewps57xcyxoedle2gd53o6jne6y5nq5eh25muksqwzutzq7b3ad.onion
he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion
lyhizqy2js2eh6ufngkbzntouiikdek5zsdj3qwa22b4z6knpqorgiad.onion
j3bv7g27oramhbxxuv6gl3dcyfmf44qnvju3offdyrap7hurfprq74qd.onion
shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion
7goms4byw26kkbaanz5a5u5234gusot7rp5imzc3ozh66wwcvmcudjid.onion
facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion
wt26llpl5k6gok3vnaxmucwgzv2wk3l7nuibbh25clghrtus3p5ctsid.onion
ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion
SHA256 file hash (16)

Detections (8)

  • Scheduled Task Created for JavaScript Payload via XML in Public Documents
  • Tor Client Activity
  • Suspicious Double-Extension LNK File Written
  • CryptoBandits C2 Endpoint URL Pattern in curl Command Line
  • Clipboard BIP39 Seed Phrase or Private Key Read by Non-Wallet Process
  • Document Files on Removable Media Hidden via System or Hidden Attribute by Non-Installer Process
  • Renamed Tor Binary Making Outbound Connections to Tor Directory Authority Nodes
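As an added example that is not the platform's own detection logic, the following Python runs rules corresponding to five of the detections above over constructed Sysmon-style events: a double-extension LNK write, a script host launched from Public Documents, curl sent through a local SOCKS5 proxy to a .onion host, a scheduled task imported from XML in Public Documents, and a process whose PE original file name is tor.exe but whose on-disk name is not. Field names follow Sysmon; the rule logic, the five-character staging folder name and every sample event are assumptions of this example, and the .onion set is the domain list from this brief.

```python
"""Toy rule engine mirroring the CryptoBandits detections listed above.
Added example, not the platform's own logic. Events are dicts shaped like
Sysmon process-create (Image, CommandLine, OriginalFileName) and file-create
(TargetFilename) records. ONION_IOCS is the domain list from this brief;
every sample event below is constructed."""
import re
from pathlib import PureWindowsPath

ONION_IOCS = {
    "cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion",
    "gfoqsewps57xcyxoedle2gd53o6jne6y5nq5eh25muksqwzutzq7b3ad.onion",
    "he5vnov645txpcv57el2theky2elesn24ebvgwfoewlpftksxp4fnxad.onion",
    "lyhizqy2js2eh6ufngkbzntouiikdek5zsdj3qwa22b4z6knpqorgiad.onion",
    "j3bv7g27oramhbxxuv6gl3dcyfmf44qnvju3offdyrap7hurfprq74qd.onion",
    "shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion",
    "7goms4byw26kkbaanz5a5u5234gusot7rp5imzc3ozh66wwcvmcudjid.onion",
    "facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion",
    "wt26llpl5k6gok3vnaxmucwgzv2wk3l7nuibbh25clghrtus3p5ctsid.onion",
    "ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion",
}

DOC_LNK = re.compile(r"\.(?:doc|xlsx|pdf)\.lnk$", re.I)         # e.g. report.pdf.lnk
PUBLIC_DOCS = re.compile(r"\\users\\public\\documents\\", re.I)
ONION_HOST = re.compile(r"\b([a-z2-7]{16,56}\.onion)\b", re.I)
# curl pointed at a SOCKS5 proxy on the local host (the bundled Tor client)
LOCAL_SOCKS5 = re.compile(
    r"(?:--socks5(?:-hostname)?\s+|(?:-x|--proxy)\s+socks5h?://)(?:127\.0\.0\.1|localhost)", re.I)

def _image(ev):
    return PureWindowsPath(ev.get("Image", "")).name.lower()

def rule_double_ext_lnk_written(ev):
    return (ev.get("EventType") == "FileCreate"
            and bool(DOC_LNK.search(ev.get("TargetFilename", ""))))

def rule_script_host_from_public_docs(ev):
    return (ev.get("EventType") == "ProcessCreate"
            and _image(ev) in {"wscript.exe", "cscript.exe"}
            and bool(PUBLIC_DOCS.search(ev.get("CommandLine", ""))))

def rule_curl_onion_via_local_socks5(ev):
    cl = ev.get("CommandLine", "")
    return (ev.get("EventType") == "ProcessCreate" and _image(ev) == "curl.exe"
            and bool(ONION_HOST.search(cl)) and bool(LOCAL_SOCKS5.search(cl)))

def rule_schtasks_xml_in_public_docs(ev):
    cl = ev.get("CommandLine", "").lower()
    return (ev.get("EventType") == "ProcessCreate" and _image(ev) == "schtasks.exe"
            and "/create" in cl and "/xml" in cl and bool(PUBLIC_DOCS.search(cl)))

def rule_renamed_tor_binary(ev):
    # PE version info still says tor.exe after the file is renamed (ugate.exe)
    return (ev.get("EventType") == "ProcessCreate"
            and ev.get("OriginalFileName", "").lower() == "tor.exe"
            and _image(ev) != "tor.exe")

RULES = {
    "double_ext_lnk_written": rule_double_ext_lnk_written,
    "script_host_from_public_docs": rule_script_host_from_public_docs,
    "curl_onion_via_local_socks5": rule_curl_onion_via_local_socks5,
    "schtasks_xml_in_public_docs": rule_schtasks_xml_in_public_docs,
    "renamed_tor_binary": rule_renamed_tor_binary,
}

def evaluate(ev):
    """Names of every rule the event trips, in RULES order."""
    return [name for name, rule in RULES.items() if rule(ev)]

def onion_ioc_hits(ev):
    """Known-bad .onion hosts referenced on the command line."""
    hosts = {h.lower() for h in ONION_HOST.findall(ev.get("CommandLine", ""))}
    return sorted(hosts & ONION_IOCS)

SAMPLE_EVENTS = [  # constructed; 'kzqtw' stands in for the five-character staging name
    {"EventType": "FileCreate", "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"E:\Q3 Budget.xlsx.lnk"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\Public\Documents\kzqtw\kzqtw.js"'},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe --socks5-hostname 127.0.0.1:9050 "
                    "http://cgky6bn6ux5wvlybtmm3z255igt52ljml2ngnc5qp3cnw5jlglamisad.onion/"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn kzqtw /xml "C:\Users\Public\Documents\kzqtw\kzqtw.xml"'},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\Public\Documents\kzqtw\ugate.exe",
     "OriginalFileName": "tor.exe", "CommandLine": "ugate.exe"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe https://example.com/"},  # benign control
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, evaluate(ev), onion_ioc_hits(ev))
```

The renamed-Tor rule keys on Sysmon's OriginalFileName field rather than on the name ugate.exe, so it survives the operator picking a different filename in the next build; the curl rule requires both a .onion host and a SOCKS5 proxy on localhost, which keeps ordinary curl use and Tor Browser traffic out of the hit list.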