
CryptoBandits Malware Doubles as a Backdoor, Abuses Tor

Source: securityweek.com | Date: 2026-06-19 | Category: malicious AI use | Severity: Medium

What Happened

CryptoBandits uses a local SOCKS5 proxy for traffic routing, blending data theft with remote code execution.

Why It Matters

According to Microsoft and SecurityWeek, CryptoBandits is a Windows-based cryptocurrency clipper that also functions as a backdoor, spreading via malicious USB shortcuts, using a bundled Tor client and local SOCKS5 proxy for command-and-control, and enabling clipboard hijacking, data exfiltration, and remote code execution.[1][2][3][5] The campaign has been active since early 2026 and targets seed phrases, private keys, and wallet addresses, allowing attackers to both steal crypto assets and maintain persistent remote access to infected systems.[1][2][3] From a CyberSE.AI perspective, while this malware is not AI-specific, it highlights the need to treat local Tor/SOCKS5 use, script-based loaders, and USB propagation as high-risk infrastructure that could equally be used to target or stage attacks against AI agents and data pipelines. Organizations should incorporate such TTPs into Continuous AI Red Teaming to test whether their AI-connected systems can be compromised or abused when endpoints are controlled by malware with backdoor and exfiltration capabilities.

Tags: Healthcare, Fintech, SaaS, SMB, AI startups

CyberSE Analysis

This signal maps to malicious AI use. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://www.securityweek.com/cryptobandits-malware-doubles-as-a-backdoor-abuses-tor/
