CryptoBandits malware combines data theft and remote code execution capabilities by deploying a portable Tor client on infected Windows systems. It routes traffic through a local SOCKS5 proxy to hide its C&C server location. The malware steals cryptocurrency wallet seed phrases and private keys, replaces clipboard wallet addresses with attacker-controlled ones, and exfiltrates screenshots. It propagates by scanning connected USB devices and creating malicious shortcuts, avoiding detection by excluding some payloads from Defender scans. Persistence is maintained via scheduled tasks, and the malware uses obfuscated scripts and runtime decryption. It polls its hidden-service C&C every 500 milliseconds for instructions, leveraging Windows Script Host and ActiveX for execution.

The malware enables attackers to steal sensitive cryptocurrency wallet information, including seed phrases and private keys, potentially leading to theft of cryptocurrency assets. It also allows remote code execution on infected systems, increasing the risk of further compromise. The use of Tor and local SOCKS5 proxy obfuscates attacker infrastructure, complicating detection and response. Propagation via USB devices increases the risk of spreading within organizations. The malware’s anti-analysis and obfuscation techniques hinder detection by security tools.

No official patch or remediation is indicated in the available data. Organizations should focus on hardening script execution environments, monitoring for unusual local SOCKS5 proxy usage, and employing behavioral detection methods that correlate script activity with network, clipboard, and process anomalies. Disabling or restricting Windows Script Host and ActiveX where possible can reduce risk. Monitoring USB device usage and scanning for malicious shortcut files can help prevent propagation. Since this is not a cloud service, remediation depends on endpoint security measures and user awareness.