Microsoft has revealed details of the ‘CryptoBandits’ campaign, a Windows-based cryptocurrency clipper active since February 2026. This malware uses a self-spreading USB LNK worm to infect systems and leverages the Tor anonymity network for command-and-control communications. The clipper intercepts clipboard data to replace cryptocurrency wallet addresses, aiming to redirect transactions to attacker-controlled wallets.