
Microsoft Defender Experts, along with Microsoft Threat Intelligence, have uncovered a Windows-based crypto clipper that has been active since February 2026.
According to the findings, the malware spreads through malicious .lnk shortcut files and USB drives. Once executed, it deploys a Tor-based proxy using Windows Script Host and ActiveX, then establishes connections with hidden command-and-control servers.
From there, it carries out multiple malicious actions, including stealing clipboard data, extracting cryptocurrency seed phrases and private keys, capturing screenshots, and replacing wallet addresses.
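The wallet-address replacement described above is the defining behaviour of a crypto clipper: the user copies their own address, and by the time they paste, the clipboard holds an attacker-controlled address of the same format. The script below is an added example written for this page, not code from Microsoft's write-up, showing how that swap can be detected from a defender's side. It assumes a monitoring agent that records two kinds of events, the user's own copy actions and periodic polls of the clipboard contents; the address-format patterns and all sample addresses are constructed for illustration (the Bitcoin samples are the published bech32 test vectors, the Ethereum ones are dummy hex strings).

```python
"""
Added example (not part of the Microsoft write-up): a minimal clipper-swap
detector. It replays a constructed sequence of clipboard events and flags any
poll where the clipboard holds a different wallet address of the same family
as the one the user last copied, which is the behavioural signature of a clipper.
"""
import re

# Rough format patterns for common address families (hypothetical: these
# classify shape only and perform no checksum validation).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}$"),
    "eth":        re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str):
    """Return the address family `text` resembles, or None if it is not address-shaped."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def find_swaps(events):
    """
    `events` is a list of (t_seconds, kind, clipboard_text) tuples where kind is
    "copy" (the monitoring agent saw the user place this text on the clipboard)
    or "poll" (the agent read the clipboard without any user action).
    An alert is raised when a poll shows an address-shaped value that differs
    from the address the user last copied: something other than the user rewrote it.
    """
    alerts = []
    seen = set()          # suppress repeat alerts while the same swap persists
    last_copied = None
    for t, kind, content in events:
        if kind == "copy":
            last_copied = content
            continue
        if last_copied is None:
            continue
        fam_copied = classify(last_copied)
        fam_now = classify(content)
        if fam_copied and fam_now and content != last_copied:
            key = (last_copied, content)
            if key not in seen:
                seen.add(key)
                alerts.append({
                    "t": t,
                    "family": fam_now,
                    "copied": last_copied,
                    "clipboard": content,
                })
    return alerts


# Constructed sample timeline: two user copies of wallet addresses, each
# silently overwritten by a different address of the same family.
SAMPLE_EVENTS = [
    (0.0, "copy", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    (0.5, "poll", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    (1.0, "poll", "bc1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3qccfmv3"),
    (1.5, "poll", "bc1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3qccfmv3"),
    (5.0, "copy", "meeting notes for tuesday"),
    (5.5, "poll", "meeting notes for tuesday"),
    (9.0, "copy", "0x1234567890abcdef1234567890abcdef12345678"),
    (9.5, "poll", "0x1234567890abcdef1234567890abcdef12345678"),
    (10.0, "poll", "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"),
]


if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(f"[t={alert['t']:.1f}s] {alert['family']} address swapped: "
              f"copied {alert['copied']} but clipboard now holds {alert['clipboard']}")
```

Running the block over the constructed timeline reports two swaps (one bech32, one Ethereum) and stays silent for the plain-text copy and for polls that match what the user copied. In a real deployment the "copy" events would come from a keystroke or clipboard-sequence hook and the polls from a scheduled read, and the same comparison can be applied at paste time to warn the user before a transaction is sent.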
Microsoft Defender Antivirus currently detects the threat as Trojan:Win32/CryptoBandits.A.
Source: Microsoft