ctipilot.ch

CryptoBandits — USB-LNK worm + Tor hidden-service C2 driving a clipboard hijacker

campaign · campaign:cryptobandits-usb-lnk-tor-clipper

Coverage timeline: 1 (first 2026-06-19 → last 2026-06-19)
Briefs: 1 (1 distinct)
Sources cited: 2 (2 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 5 (see Related entities below)

Story timeline

  1. 2026-06-19 · CTI Daily Brief — 2026-06-19
     active_threats · Microsoft TI; removable-media worm, Tor-fronted C2, EVAL RCE

Where this entity is cited

  • active_threats (1)

Source distribution

  • microsoft.com: 1 (50%)
  • thehackernews.com: 1 (50%)

Related entities

Items in briefs about CryptoBandits — USB-LNK worm + Tor hidden-service C2 driving a clipboard hijacker (1)

Microsoft details a USB-LNK worm with Tor hidden-service C2 driving a cryptocurrency clipboard hijacker

From CTI Daily Brief — 2026-06-19 · published 2026-06-19

Microsoft Threat Intelligence documented a multi-component campaign (detected as Trojan:Win32/CryptoBandits.A/B and Trojan:JS/CryptoBandits.A/B), active since at least February 2026, that pairs a removable-media worm with a Tor-fronted clipboard hijacker (Microsoft Security, 2026-06-17; The Hacker News, 2026-06-18). The worm scans attached USB drives for .doc/.xlsx/.pdf files, marks the originals hidden, and replaces them with same-named .lnk shortcuts that launch the payload when the user opens them: the classic air-gap-crossing removable-media vector. Once resident, it establishes scheduled-task persistence, launches a renamed portable Tor client that opens a SOCKS5 proxy on localhost:9050, and beacons to .onion hidden services over three HTTP endpoints (/route.php beacon, /recvf.php upload, /stub.php payload). The clipboard component polls for cryptocurrency addresses (Bitcoin, Ethereum, Tron, Monero) and silently swaps them, and the C2 supports an EVAL remote-code-execution command.

Why it matters to us: the crypto-theft payload is secondary to the propagation model. USB-LNK worms have historically reached isolated and air-gapped administrative environments that are still common in Swiss public-sector data-transfer workflows, and Tor-fronted C2 defeats domain/IP egress blocking.

Detection: WScript/CScript spawning curl.exe/cmd.exe/powershell.exe; outbound SOCKS5 to localhost:9050; scheduled-task creation referencing obfuscated script payloads.

Hardening: enforce NoAutorun/NoDriveTypeAutorun, block LNK execution from removable media via ASR, restrict wscript.exe/cscript.exe to signed scripts, and block Tor egress.
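The three detection points listed above, turned into triage logic over constructed endpoint telemetry. This is an added example, not code from the brief or from Microsoft's report; the event field names, the sample events and the "long base64-style token in the task action" obfuscation heuristic are assumptions to be tuned to your own telemetry.

```python
"""Flag CryptoBandits-style behaviour in constructed process/network events:
script-host children, loopback SOCKS5 on 9050, obfuscated scheduled tasks."""
import re
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SPAWNED_TOOLS = {"curl.exe", "cmd.exe", "powershell.exe"}
TOR_SOCKS_PORT = 9050
# Assumed obfuscation indicator: a long base64-alphabet run in the task action.
OBFUSCATED_TOKEN = re.compile(r"[A-Za-z0-9+/=]{32,}")

def rule_script_host_spawn(ev: Dict) -> bool:
    """WScript/CScript launching curl, cmd or powershell."""
    return (ev["kind"] == "process"
            and ev.get("parent", "").lower() in SCRIPT_HOSTS
            and ev["image"].lower() in SPAWNED_TOOLS)

def rule_local_socks_proxy(ev: Dict) -> bool:
    """Any process connecting to a SOCKS5 port on loopback (renamed Tor client)."""
    return (ev["kind"] == "network"
            and ev["dst"] in ("127.0.0.1", "::1", "localhost")
            and ev["dport"] == TOR_SOCKS_PORT)

def rule_obfuscated_schtask(ev: Dict) -> bool:
    """schtasks /create whose /tr action runs a script host on an obfuscated script."""
    if ev["kind"] != "process" or ev["image"].lower() != "schtasks.exe":
        return False
    cmd = ev["cmdline"]
    action = re.search(r'/tr\s+"?([^"]+)"?', cmd, re.IGNORECASE)
    if "/create" not in cmd.lower() or not action:
        return False
    act = action.group(1).lower()
    return any(h in act for h in SCRIPT_HOSTS) and bool(OBFUSCATED_TOKEN.search(act))

RULES = [("script_host_spawn", rule_script_host_spawn),
         ("local_socks_9050", rule_local_socks_proxy),
         ("obfuscated_schtask", rule_obfuscated_schtask)]

def triage(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (event id, rule name) for every event that trips a rule."""
    return [(ev["id"], name) for ev in events for name, rule in RULES if rule(ev)]

# Constructed sample telemetry: e1, e3 and e5 should fire, the rest are benign.
SAMPLE_EVENTS = [
    {"id": "e1", "kind": "process", "parent": "wscript.exe", "image": "powershell.exe", "cmdline": "powershell.exe -w hidden"},
    {"id": "e2", "kind": "process", "parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe"},
    {"id": "e3", "kind": "network", "image": "updchk.exe", "dst": "127.0.0.1", "dport": 9050},
    {"id": "e4", "kind": "network", "image": "chrome.exe", "dst": "203.0.113.10", "dport": 443},
    {"id": "e5", "kind": "process", "parent": "cmd.exe", "image": "schtasks.exe", "cmdline": r'schtasks /create /tn Updater /tr "wscript.exe C:\Users\u\AppData\Roaming\aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgYmFzZTY0IHRva2Vu.js" /sc minute /mo 5'},
    {"id": "e6", "kind": "process", "parent": "cmd.exe", "image": "schtasks.exe", "cmdline": r'schtasks /create /tn Backup /tr "C:\Program Files\Vendor\backup.exe" /sc daily'},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```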