Microsoft Threat Intelligence reports the emergence of a Windows cryptocurrency-theft Trojan, designated Trojan:Win32/CryptoBandits, which has been active since February 2026. The malware targets digital asset holders by combining worm-like propagation with Tor-based anonymization. The initial access vector is a disguised shortcut (.lnk) file on removable storage; opening it launches WScript, which uses ActiveX objects to execute the malicious scripts. Once deployed, the Trojan installs a local Tor client and routes its command-and-control traffic to an onion hidden service through the client's SOCKS proxy at 127.0.0.1:9050, so neither the C2 endpoint nor the traffic to it is directly visible on the wire.
Once running, the malware continuously monitors the clipboard for copied cryptocurrency wallet addresses. When it detects one, it silently replaces the address with an attacker-controlled destination, so a victim who pastes the address into a transaction sends the funds to the attacker.
In parallel, it exfiltrates sensitive data including mnemonic seed phrases, private keys, and screenshots of the system. To maintain persistence and evade detection, the Trojan copies itself to attached USB drives, creates scheduled tasks, and includes anti-analysis features. Microsoft identified the threat through behavioural indicators such as abnormal WScript invocations and process traffic to the local proxy at 127.0.0.1:9050. Recommended mitigations are to restrict where script hosts such as WScript may run from (and what they may execute), and to monitor for processes that connect to local proxy ports such as 127.0.0.1:9050 when no sanctioned Tor client is expected on the host.
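The behavioural indicators above translate directly into detection rules. The script below is an added example, not Microsoft's detection logic and not code from the report: it runs over constructed, Sysmon-style process-creation (event ID 1) and network-connection (event ID 3) records with simplified field names and flags the three stages the article describes, a script host launched with a file on a removable drive, a process that is not allow-listed connecting to 127.0.0.1:9050, and a scheduled task created by a script host. The allow-list, the assumption that C: is the only fixed drive, and the sample events are all assumptions made for the example and should be tuned to the environment.

```python
import re
from dataclasses import dataclass

# Assumptions for this example (tune to the environment):
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}        # script hosts named in the article
TOR_SOCKS = ("127.0.0.1", 9050)                      # local proxy endpoint named in the article
SOCKS_ALLOWLIST: set[str] = set()                    # processes permitted to use the port; none here
REMOVABLE = re.compile(r"^[D-Z]:\\", re.IGNORECASE)  # assumes C: is the only fixed drive


@dataclass
class Event:
    """Simplified Sysmon-style record (constructed for this example)."""
    event_id: int                # 1 = process creation, 3 = network connection
    image: str                   # full path of the process
    parent_image: str = ""
    command_line: str = ""
    dest_ip: str = ""
    dest_port: int = 0


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def argv(command_line: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def detect(events: list[Event]) -> list[tuple[str, str]]:
    """Return (rule, process) pairs for events matching the described behaviours."""
    alerts = []
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        if e.event_id == 1 and img in SCRIPT_HOSTS:
            # Script host handed a file on a removable drive: the USB / .lnk stage.
            if any(REMOVABLE.match(a) for a in argv(e.command_line)[1:]):
                alerts.append(("script_host_from_removable_media", img))
        elif e.event_id == 1 and img == "schtasks.exe" and parent in SCRIPT_HOSTS:
            # Persistence: a script host creating a scheduled task.
            if "/create" in e.command_line.lower():
                alerts.append(("scheduled_task_from_script_host", img))
        elif e.event_id == 3 and (e.dest_ip, e.dest_port) == TOR_SOCKS:
            # Anything reaching the local Tor SOCKS port that is not allow-listed.
            if img not in SOCKS_ALLOWLIST:
                alerts.append(("local_tor_socks_client", img))
    return alerts


# Constructed sample telemetry, not real events from any incident.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
          r'wscript.exe //B "E:\Photos\open.vbs"'),                     # script from USB drive
    Event(1, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
          r'wscript.exe "C:\Scripts\logon.vbs"'),                       # benign local script
    Event(3, r"C:\Users\alice\AppData\Roaming\svc\updater.exe",
          dest_ip="127.0.0.1", dest_port=9050),                         # unknown SOCKS client
    Event(3, r"C:\Program Files\Mozilla Firefox\firefox.exe",
          dest_ip="203.0.113.10", dest_port=443),                       # ordinary web traffic
    Event(1, r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\wscript.exe",
          r'schtasks /create /sc minute /mo 5 /tn Updater '
          r'/tr "C:\Users\alice\AppData\Roaming\svc\updater.exe"'),     # persistence
]


if __name__ == "__main__":
    for rule, proc in detect(SAMPLE_EVENTS):
        print(f"{rule}: {proc}")
```

On a real host the same three checks map onto Sysmon's Image, ParentImage, CommandLine, DestinationIp and DestinationPort fields; the removable-drive test should be replaced by a lookup of the volume type rather than a drive-letter guess, and the allow-list populated with whatever Tor client the organisation actually sanctions, if any.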