Microsoft Uncovers Trojan:Win32/CryptoBandits Worm Draining Crypto Wallets via USB
Microsoft engineers identified a Trojan:Win32/CryptoBandits “crypto clipper” worm that has infected Windows PCs via USB drives since February, replacing crypto wallet addresses to divert funds. The company advises disabling AutoRun, blocking .lnk execution on USB drives, and restricting script hosts to prevent further theft.
1. Malware Discovery and Labeling
Microsoft engineers have identified a Trojan:Win32/CryptoBandits worm, dubbed a “crypto clipper,” that hijacks cryptocurrency operations on Windows PCs by intercepting wallet transactions.
2. Infection and Theft Mechanism
The malware spreads via infected USB drives and exploits .lnk file execution to auto-launch payloads, replacing legitimate wallet addresses with attacker-controlled ones to divert user funds.
3. Security Recommendations
Microsoft recommends disabling AutoRun, blocking .lnk execution on USB drives, restricting script hosts, and using published indicators of compromise to detect and remove infections.
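The three hardening recommendations can be checked on a host with a read-only audit. The PowerShell below is an added example, not Microsoft's guidance or code from the article. The registry values and the Defender ASR rule ID are standard Windows settings chosen here as assumptions about how each recommendation is implemented, and the ASR rule covers untrusted executables run from USB rather than .lnk files specifically.

```powershell
# Read-only audit of the three mitigations named above (added example).
# Registry paths and the ASR rule ID are standard Windows settings, not values from the article.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$results = @()

# 1. AutoRun: NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type
$autorun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
$results += [pscustomobject]@{
    Control = 'AutoRun disabled (all drive types)'
    Value   = $autorun
    Pass    = ($autorun -eq 0xFF)
}

# 2. Script hosts: Enabled = 0 stops wscript.exe / cscript.exe from running scripts
$wsh = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
$results += [pscustomobject]@{
    Control = 'Windows Script Host disabled'
    Value   = $wsh
    Pass    = ("$wsh" -eq '0')   # value may be stored as REG_DWORD or REG_SZ
}

# 3. USB execution: Defender ASR rule "Block untrusted and unsigned processes that run from USB".
#    Assumption: used here as the nearest built-in control for payloads started from a removable drive.
$usbRule = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
$action  = $null
try {
    $mp      = Get-MpPreference -ErrorAction Stop
    $ids     = @($mp.AttackSurfaceReductionRules_Ids)
    $actions = @($mp.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $usbRule) { $action = $actions[$i] }
    }
} catch {
    Write-Warning "Defender cmdlets unavailable: $($_.Exception.Message)"
}
$results += [pscustomobject]@{
    Control = 'ASR: block untrusted processes from USB'
    Value   = $action
    Pass    = ($action -eq 1)   # 1 = Block; 2 (Audit) only logs
}

$results | Format-Table -AutoSize
```

A row with an empty Value means the setting is not configured on that host, which the audit reports as a failure.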
4. Market Reaction
Following the disclosure, Microsoft shares have declined 20% over the past 12 months as investors weigh increased cybersecurity risks and potential costs of breach mitigation.




