Svmuu News: Microsoft's threat intelligence team has officially disclosed a Windows encryption Trojan that has been active since February 2026. The malware combines worm-like propagation, clipboard hijacking, and Tor-based anonymous communication to target users of digital assets.

Microsoft's analysis indicates that the malware spreads between removable storage devices via disguised shortcut (.lnk) files. It uses WScript and ActiveX to execute its script logic, automatically deploys a local Tor client, and connects through a proxy at 127.0.0.1:9050 to an onion hidden-service C2 server, giving the operator anonymous control and data transmission.

The attack chain includes several malicious capabilities: continuously monitoring clipboard content, stealing mnemonic phrases and private keys, taking and uploading screenshots, and performing "address replacement" when the user copies a cryptocurrency address, swapping the copied address for a wallet address controlled by the attacker so that funds are diverted. The Trojan also has worm-like propagation capabilities, automatically replicating itself onto devices such as USB drives and creating scheduled tasks to ensure persistent operation, and it has basic anti-analysis features (such as monitoring Task Manager to evade debugging).

For detection, Microsoft classifies it as part of the Trojan:Win32/CryptoBandits family and blocks it based on behavioral signatures (such as abnormal WScript calls, localhost:9050 proxy traffic, and PowerShell screenshot activity). Security researchers recommend prioritizing protection of script execution paths and monitoring for abnormal local proxy traffic.