Microsoft disclosed on June 17, 2026 a campaign active since February. The twist: an EVAL command turns the financial stealer into a remote access platform. The family, detected as Trojan:Win32/CryptoBandits.A, combines physical USB propagation, Tor anonymization, and remote execution capabilities in a script-based payload with no traditional installer.
- Campaign tracked from February 2026, disclosed by Microsoft Defender Experts in June
- Worm-like propagation via LNK files on USB: hides DOC/XLSX/PDF documents and replaces them with infected shortcuts
- Portable Tor client renamed "ugate.exe" with SOCKS5 proxy on localhost:9050 (127.0.0.1)
- EVAL command from C2 executes arbitrary JScript at runtime, turning the stealer into a lightweight backdoor
- Crypto address replacement with type-specific logic for six different blockchains
Physical Infection: From USB to System
The initial access vector is malicious shortcut (.LNK) files on removable USB devices. Once the payload executes, the malware scans the drive for DOC, XLSX, and PDF documents, hides the original files, and creates new shortcuts with identical names pointing to the worm component.
Two components coexist: the worm for propagation and the clipper/stealer for crypto theft. Both install as scheduled tasks with indefinite triggers. Microsoft documents two distinct tasks: one for spreading to new USB devices, the other for data theft activity. Execution is script-based, with no traditional installer.
Local Tor: C2 Traffic That Evades DNS Monitoring
The malware extracts and executes a binary renamed "ugate.exe" in a hidden window. It waits approximately 60 seconds for the onion network bootstrap, then registers the victim with the command server through a hidden service. Traffic routes via a SOCKS5 proxy on localhost:9050 (127.0.0.1).
"deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor" — Microsoft Defender Security Research Team, via The Hacker News
The source does not specify whether localhost:9050 traffic is detectable by endpoint monitoring tools. C2 domain resolution occurs internally within the Tor client, reducing visibility on traditional network resolvers.
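The correlation the advisory later calls "behavioral hunting" (script activity matched against network and process signals), written out as an added example that is not Microsoft's code or hunting query: a process named ugate.exe starts, then a Windows script host (wscript.exe or cscript.exe, the JScript interpreters) connects to 127.0.0.1:9050 on the same host within a window. The telemetry records and their field names are constructed for this example; the roughly 60-second gap mirrors the bootstrap wait described above.

```python
"""Correlate endpoint signals described in the write-up: a renamed Tor client
(ugate.exe) starting, then a Windows script host connecting to the local SOCKS5
proxy on 127.0.0.1:9050. Added example, not Microsoft's hunting logic; event
records are constructed and their field names are this example's own."""
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows JScript interpreters
TOR_IMAGE = "ugate.exe"                          # renamed portable Tor client
SOCKS_ENDPOINT = ("127.0.0.1", 9050)             # local SOCKS5 proxy from the article

# Constructed telemetry: (time_s, host, event_type, details).
SAMPLE_EVENTS = [
    (0.0, "WS-17", "process_start",
     {"image": "ugate.exe", "pid": 4120, "parent": "wscript.exe"}),
    (61.5, "WS-17", "network_connect",   # ~60 s later, after the Tor bootstrap wait
     {"image": "wscript.exe", "pid": 3988, "dst_ip": "127.0.0.1", "dst_port": 9050}),
    (5.0, "WS-22", "network_connect",    # browser using a local proxy: not a script host
     {"image": "firefox.exe", "pid": 2211, "dst_ip": "127.0.0.1", "dst_port": 9050}),
    (12.0, "WS-22", "process_start",     # script host with no Tor client and no 9050 use
     {"image": "wscript.exe", "pid": 900, "parent": "explorer.exe"}),
]


def correlate(events, window_s=300.0):
    """Return one alert per script-host connection to 127.0.0.1:9050 that follows
    a ugate.exe start on the same host within window_s seconds."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_host[ev[1]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        tor_starts = [t for t, _, kind, d in evs
                      if kind == "process_start" and d["image"].lower() == TOR_IMAGE]
        for t, _, kind, d in evs:
            if kind != "network_connect" or d["image"].lower() not in SCRIPT_HOSTS:
                continue
            if (d["dst_ip"], d["dst_port"]) != SOCKS_ENDPOINT:
                continue
            # Keep only Tor starts that precede this connection within the window.
            preceding = [ts for ts in tor_starts if 0 <= t - ts <= window_s]
            if preceding:
                alerts.append({"host": host, "script_pid": d["pid"],
                               "tor_started_at": preceding[0], "connect_at": t})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```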
Crypto Theft as a Targeted Operation
The stealer component implements clipboard polling at approximately 500-millisecond intervals. Targets: 12- or 24-word BIP39 seed phrases, Ethereum private keys, Bitcoin keys in WIF format.
Wallet address replacement follows type-specific partial matching rules:
- BTC legacy (starts with "1", 32-36 chars): preserves first 2 characters
- BTC P2SH (starts with "3"): preserves first 2 characters
- BTC Taproot ("bc1p"): replaces last character
- BTC Bech32 ("bc1q"): replaces last character
- Tron (34 chars, starts with "T"): keeps first 2 characters
- Monero ("4" or "8", 95 chars): fixed predefined address
The module exfiltrates 5 screenshots captured at 10-second intervals through the same Tor tunnel.
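The six matching rules above, turned into a defender-side check as an added example that is not Microsoft's code: it classifies clipboard contents by the stated prefix and length rules (the lengths for P2SH, bc1q and bc1p addresses are not given in the article and are assumed from the standard encodings; the check is format-only, with no checksum validation), and flags two consecutive polls that hold different addresses of the same class, listing the positions that changed so the gap between a glance at the prefix and a full character-by-character comparison is visible. The clipboard samples are constructed.

```python
"""Flag a clipper-style wallet address swap in a clipboard poll history.
Added example, not Microsoft's code: addresses are classified with the
prefix/length rules the article lists (format only, no checksum check); two
consecutive polls holding different addresses of the same class are reported.
Lengths for P2SH, bc1q and bc1p are not in the article and are assumed."""
import re

B58 = "[1-9A-HJ-NP-Za-km-z]"                  # Base58 alphabet (no 0, O, I, l)
BECH = "[qpzry9x8gf2tvdw0s3jn54khce6mua7l]"   # bech32/bech32m alphabet
ADDRESS_CLASSES = (
    ("BTC legacy", re.compile(rf"^1{B58}{{31,35}}$")),      # starts with 1, 32-36 chars
    ("BTC P2SH", re.compile(rf"^3{B58}{{25,34}}$")),        # starts with 3 (length assumed)
    ("BTC Taproot", re.compile(rf"^bc1p{BECH}{{58}}$")),    # bc1p (length assumed)
    ("BTC Bech32", re.compile(rf"^bc1q{BECH}{{38,58}}$")),  # bc1q (length assumed)
    ("Tron", re.compile(rf"^T{B58}{{33}}$")),               # starts with T, 34 chars
    ("Monero", re.compile(rf"^[48]{B58}{{94}}$")),          # starts with 4 or 8, 95 chars
)

# Constructed clipboard samples (time_s, text); the swapped address keeps the first two chars.
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (3.2, "1B7yQm8KpLwX9nR2sT5uVzGcMrQhB9Nk6e"),   # user copies a payee address
    (3.7, "1BvKmZ3Lq9R7pY2nW8sT4uHxJdFgCcA5Ed"),   # replaced ~500 ms later, "1B" preserved
    (20.0, "TQ8mN3rVbX5yK2pLwZ7sH9uGcJdFaEk4Rt"),  # later, unrelated copy
    (45.0, "TJ5vQ2xW8pK4mL9nR7sY3aBcDeFgHjKmNp"),  # another copy 25 s on: not flagged
]


def classify(text):
    """Return the address class name, or None if the text is not a wallet address."""
    for name, pattern in ADDRESS_CLASSES:
        if pattern.fullmatch(text.strip()):
            return name
    return None


def find_substitutions(snapshots, window_s=1.0):
    """Report same-class address changes between consecutive polls within window_s."""
    alerts = []
    for (t0, s0), (t1, s1) in zip(snapshots, snapshots[1:]):
        kind = classify(s0)
        if kind is None or classify(s1) != kind or s0 == s1 or t1 - t0 > window_s:
            continue
        # Positions that differ; with a shared leading pair, a glance at the start misses them.
        changed = [i for i, (a, b) in enumerate(zip(s0, s1)) if a != b]
        changed += list(range(min(len(s0), len(s1)), max(len(s0), len(s1))))
        alerts.append({"kind": kind, "from": s0, "to": s1, "at": t1,
                       "prefix_preserved": s0[:2] == s1[:2], "changed_positions": changed})
    return alerts
```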
From Clipper to Backdoor: The EVAL Command
The checkC2Command function with the EVAL method executes any JScript payload dropped into the 'cfile' at runtime. This mechanism, documented by Microsoft, transforms a stealer with a circumscribed scope into a generic remote access platform.
"This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking," writes Microsoft Threat Intelligence in the official blog. The source does not specify whether dynamic tasking has been observed in the wild or only demonstrated technically.
EDITORIAL ANALYSIS — What This Campaign Signals About the Threat Model
The following section is editorial analysis. Inferences are marked as such.
If confirmed in the field, the EVAL mechanism suggests a modular design: the same base payload can mutate function without redistribution. The combination of USB worm and remote tasking could indicate, per DeafNews analysis, an operator who prioritizes operational flexibility over single-function specialization.
Microsoft's recommendation for "behavioral hunting" — correlating script activity with network, clipboard, and process signals — assumes integrated endpoint-network visibility that many organizations lack. The operational cost of this correlation is not quantified in the source. For defenders with fragmented tooling, localhost:9050 traffic represents a structural detection gap, not merely a technical one.
Physical USB propagation, in an era of cloud-first policies, might seem anachronistic. Its persistence suggests offline vectors retain effectiveness in environments where network controls are mature but endpoint controls remain porous.
What Changes
For organizations managing cryptographic assets, the campaign documents three notable elements:
- Controls on removable USB devices remain relevant even in modern infrastructure
- Monitoring localhost traffic and internal SOCKS proxies is a necessary complement to external DNS filtering
- Visual verification of wallet addresses — character-by-character comparison — is the only defense against the documented partial replacement
Microsoft has not disclosed the victim count, the amount of funds diverted, or the geographic origin of the operator. The initial distribution mechanism for infected USB devices is not detailed in the source.
Sources and Limitations
This article is based exclusively on the Microsoft Security Blog advisory and its citations reported by editorial outlets; no independent primary sources are available. The Hacker News, IBTimes, and TheWinCentral reproduced or paraphrased the Microsoft content without adding original detections. Technical data comes from the June 17, 2026 advisory.
Information not verifiable from the source: exact victim count, economic impact of diverted funds, threat actor attribution, presence of a threat actor group name, previous campaigns by the same operator.
Information has been verified against cited sources and is current as of publication.
Sources
- https://thehackernews.com/2026/06/microsoft-details-windows-clipper.html
- https://www.microsoft.com/en-us/security/blog/2026/06/17/crypto-clipper-uses-tor-worm-like-propagation-for-persistence-control/
- https://thewincentral.com/microsoft-crypto-clipper-malware-tor-worm-backdoor/
- https://x.com/MsftSecIntel/status/2067386600670089699
- https://www.ibtimes.sg/microsoft-uncovers-cryptobandits-malware-using-tor-backdoor-steal-cryptocurrency-wallets-windows-88174