Security researchers have detailed CryptoBandits, a malware family that combines credential and data theft with a persistent backdoor capability — routing all command-and-control traffic through a local SOCKS5 proxy tied to the Tor network to evade detection and obscure attacker infrastructure.
Dual-Purpose Malware Architecture
What distinguishes CryptoBandits from conventional infostealers is its dual-function design. Most infostealer malware operates in a single pass: it executes on the victim machine, harvests credentials, cookies, and sensitive files, exfiltrates them to attacker-controlled infrastructure, and then exits. CryptoBandits takes a different approach — maintaining persistent access to the victim system through an embedded backdoor component that continues operating after the initial data theft phase completes.
This dual architecture means an organization that detects and removes a "credential-stealing" infection may have failed to identify or eradicate the backdoor component, leaving the attacker with continued remote access even after the apparent remediation.
SOCKS5 Proxy and Tor Abuse
CryptoBandits' most distinctive technical feature is its use of a local SOCKS5 proxy for all outbound communications. The malware establishes a SOCKS5 listener on the infected host, then tunnels both its infostealer exfiltration traffic and its backdoor command-and-control communications through this proxy, which in turn routes traffic over the Tor anonymization network.
This design provides several operational security advantages for the attackers:
Infrastructure anonymization: Because all traffic exits through Tor, the actual command-and-control server IP addresses are never exposed. Defenders analyzing network traffic from an infected host see only connections to Tor relay nodes — legitimate-looking encrypted traffic to well-known Tor infrastructure — rather than connections to attacker-controlled servers.
Evading IP-based blocklists: Security tools that block known malicious IP ranges or domains cannot block CryptoBandits C2 traffic because there are no fixed attacker IPs to block.
Resilient infrastructure: Tor-based C2 is highly resilient. There are no attacker-registered domains to take down, no hosting providers to serve abuse notices to, and the layered encryption of the Tor network prevents intermediate nodes from identifying traffic content.
Bypassing network monitoring: Network security tools that inspect outbound connections for known-bad destinations will see only encrypted connections to Tor guard nodes, which may be whitelisted or treated as expected traffic in environments where Tor use is not explicitly blocked.
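The handshake that the malware's local proxy speaks is plain RFC 1928 SOCKS5, so a defender looking at loopback traffic (or at a suspicious 127.0.0.1 listener) can recognise it and read the requested destination out of the CONNECT request. The following is an added example written for this article, not code from the original report or from the malware: a minimal SOCKS5 greeting check and request parser, plus a classifier that walks the client-to-proxy payloads of one loopback stream and flags a `.onion` destination. The sample stream and the `exampleplaceholder.onion` name are constructed placeholders.

```python
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_NAMES = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}


def is_socks5_greeting(data: bytes) -> bool:
    """RFC 1928 client greeting: VER(0x05) NMETHODS METHODS[NMETHODS]."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return False
    nmethods = data[1]
    return nmethods >= 1 and len(data) == 2 + nmethods


def parse_socks5_request(data: bytes):
    """RFC 1928 request: VER CMD RSV(0x00) ATYP DST.ADDR DST.PORT.

    Returns (command name, destination host, port) or None if the bytes
    are not a well-formed SOCKS5 request.
    """
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == 1:        # IPv4 address: 4 bytes
        if len(data) != 10:
            return None
        host, off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 3:      # domain name: 1-byte length followed by the name
        n = data[4]
        if len(data) != 5 + n + 2:
            return None
        host, off = data[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == 4:      # IPv6 address: 16 bytes
        if len(data) != 22:
            return None
        host, off = ipaddress.IPv6Address(data[4:20]).compressed, 20
    else:
        return None
    (port,) = struct.unpack("!H", data[off:off + 2])
    return CMD_NAMES.get(cmd, f"CMD_{cmd}"), host, port


def classify_loopback_stream(client_payloads):
    """Walk client->proxy payloads of one loopback TCP stream and list what they reveal."""
    findings = []
    if not client_payloads or not is_socks5_greeting(client_payloads[0]):
        return findings            # not SOCKS5 at all; nothing to say
    findings.append("socks5_handshake")
    for payload in client_payloads[1:]:
        req = parse_socks5_request(payload)
        if req is None:
            continue
        cmd, host, port = req
        findings.append(f"{cmd} {host}:{port}")
        if host.lower().endswith(".onion"):
            # A hidden-service name: the C2 endpoint never leaves the Tor network,
            # which is exactly why IP/domain blocklists see nothing.
            findings.append("onion_destination")
    return findings


# Constructed sample stream (not captured from the malware): a greeting offering
# "no authentication", then a CONNECT to a placeholder hidden-service name on 443.
SAMPLE_HOST = b"exampleplaceholder.onion"
SAMPLE_STREAM = [
    b"\x05\x01\x00",
    b"\x05\x01\x00\x03" + bytes([len(SAMPLE_HOST)]) + SAMPLE_HOST + struct.pack("!H", 443),
]

if __name__ == "__main__":
    for finding in classify_loopback_stream(SAMPLE_STREAM):
        print(finding)
```

The classifier only needs the first few bytes of each direction, so the same functions work over a packet capture of the loopback interface or over a socket you connect to a suspect listener yourself: a reply of `05 00` to the greeting confirms the listener is a SOCKS5 proxy regardless of which port it chose.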
Capabilities
Beyond the SOCKS5/Tor tunneling infrastructure, CryptoBandits' core capabilities include:
Credential harvesting: The infostealer component targets saved credentials from major web browsers (Chrome, Firefox, Edge), email clients, FTP clients, and credential stores. Browser-saved passwords, cookies (including session tokens), and autofill data are primary targets.
Cryptocurrency wallet theft: The "Crypto" in CryptoBandits is not incidental — the malware specifically targets cryptocurrency wallet files, seed phrases stored in browser extensions, and application data for software wallets. Hardware wallet seed phrase storage locations are also enumerated.
Remote code execution: The backdoor component accepts commands from the attacker's C2 infrastructure via the Tor tunnel, enabling arbitrary command execution, file upload and download, screenshot capture, and process management on the victim host.
Persistence mechanisms: CryptoBandits establishes persistence through multiple redundant mechanisms to survive reboots and partial cleanup attempts.
Detection Challenges
The combination of Tor-based C2 and a dual infostealer/backdoor architecture creates significant detection challenges:
Network-level detection is limited: Standard network monitoring that looks for connections to malicious IP addresses or domains will not detect CryptoBandits C2 traffic. Detection requires either blocking Tor entirely (disruptive in some environments) or using behavioral network analysis.
The infostealer component may be detected; the backdoor may not: Security tools trained on infostealer behavioral patterns may identify and quarantine the credential theft component while leaving the backdoor active. Organizations should treat any CryptoBandits detection as a full incident requiring complete system reimaging rather than signature-based remediation.
SOCKS5 proxy creates internal network visibility gaps: If the local SOCKS5 proxy is accessible to other processes on the infected host, other malware or attacker tools dropped subsequently may also route through it, further obscuring their traffic.
Indicators and Response
Organizations that suspect CryptoBandits infection should look for:
- Unexpected Tor processes or tor.exe/tor binaries running on endpoints
- Local SOCKS5 proxy listeners on non-standard ports (the typical Tor SOCKS5 port is 9050, but malware often uses others)
- Network connections to known Tor relay IP ranges (published by the Tor Project)
- Unusual browser credential access patterns — bulk reads from credential stores outside of browser processes
- Cryptocurrency wallet file access or exfiltration attempts
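The first three indicators above can be checked together from a socket table and a process list, and correlating them matters because the proxy process will not necessarily be called `tor.exe`. The following is an added triage example written for this article, not tooling from the original report: it parses `netstat -ano` style TCP lines, flags Tor-named processes, loopback listeners outside a small allowlist, and established connections into relay ranges, then marks any PID that both owns a loopback listener and talks to a relay range as a probable SOCKS-over-Tor proxy. The netstat output, process table and allowlists are constructed, and the relay ranges are TEST-NET documentation prefixes standing in for the Tor Project's published relay list.

```python
import ipaddress
import re

# Constructed sample data (not from the article): netstat -ano style output and a PID->name map.
SAMPLE_NETSTAT = """\
  TCP    127.0.0.1:9150         0.0.0.0:0              LISTENING       4412
  TCP    127.0.0.1:41337        0.0.0.0:0              LISTENING       4412
  TCP    127.0.0.1:135          0.0.0.0:0              LISTENING       912
  TCP    10.0.0.5:51234         203.0.113.17:9001      ESTABLISHED     4412
  TCP    10.0.0.5:51240         198.51.100.8:443       ESTABLISHED     2200
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
"""
SAMPLE_PROCESSES = {4412: "updsvc.exe", 912: "svchost.exe", 2200: "chrome.exe", 4: "System"}

# Placeholder for the Tor Project's relay list (constructed; TEST-NET prefix, never real hosts).
TOR_RELAY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Ports a local Tor SOCKS listener normally uses; anything else on loopback is "non-standard".
KNOWN_TOR_SOCKS_PORTS = {9050, 9150}
# Constructed allowlist of loopback ports that are expected on this host.
BENIGN_LOOPBACK_PORTS = {135}

LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per TCP row; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        laddr, lport, raddr, rport, state, pid = m.groups()
        rows.append({"laddr": laddr, "lport": int(lport), "raddr": raddr,
                     "rport": int(rport), "state": state, "pid": int(pid)})
    return rows


def in_relay_ranges(ip_text):
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in TOR_RELAY_RANGES)


def triage(netstat_text, processes):
    """Return (kind, pid, detail) findings for the indicators discussed in the article."""
    findings = []
    for pid, name in processes.items():
        if re.fullmatch(r"tor(\.exe)?", name, re.IGNORECASE):
            findings.append(("tor_process", pid, name))

    listeners, relay_conns = {}, {}
    for r in parse_netstat(netstat_text):
        if (r["state"] == "LISTENING" and r["laddr"] == "127.0.0.1"
                and r["lport"] not in BENIGN_LOOPBACK_PORTS):
            kind = ("standard_tor_socks_port" if r["lport"] in KNOWN_TOR_SOCKS_PORTS
                    else "nonstandard_loopback_listener")
            findings.append((kind, r["pid"], r["lport"]))
            listeners.setdefault(r["pid"], []).append(r["lport"])
        elif r["state"] == "ESTABLISHED" and in_relay_ranges(r["raddr"]):
            findings.append(("tor_relay_connection", r["pid"], f"{r['raddr']}:{r['rport']}"))
            relay_conns.setdefault(r["pid"], []).append(r["raddr"])

    # The strongest signal: one process serves a loopback listener AND talks to relay space.
    for pid in listeners.keys() & relay_conns.keys():
        findings.append(("probable_socks_over_tor_proxy", pid, processes.get(pid, "?")))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in triage(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"{kind:32} pid={pid:<6} {detail}")
```

In the constructed sample the proxy process is named `updsvc.exe`, so the name check alone finds nothing; it is the combination of a loopback listener and an outbound connection into relay address space from the same PID that surfaces it. Swap the placeholder ranges for the relay list the Tor Project publishes and feed it real `netstat -ano` (or `ss -tanp`) output to use it on an endpoint.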
Incident response note: Because CryptoBandits combines data exfiltration with persistent backdoor access, a confirmed infection should be treated as requiring full credential rotation for any account that was logged in or whose credentials were stored on the infected system — not just endpoint remediation.
Broader Context
CryptoBandits joins a growing category of "combo" malware that blends infostealer and backdoor functionality to maximize attacker return from each successful infection. This trend reflects the maturation of cybercriminal malware development — where maintaining long-term access to a compromised host has become as valuable as the initial data theft, particularly for environments with access to cryptocurrency assets or enterprise credentials.
The use of Tor for C2 is not new, but its combination with a local SOCKS5 proxy architecture represents a refinement in operational security that makes CryptoBandits harder to detect and respond to than malware using conventional C2 infrastructure.
Source: SecurityWeek