Kaspersky Flagged Cursor IDE as ClipBanker Trojan on Windows

Kaspersky just flagged and removed Cursor IDE from my Windows machine as PDM:Trojan-Banker.Win32.ClipBanker.gen (High severity), which caught me off guard.

From what I’m seeing in the logs:
• Multiple detections linked to Cursor.exe and related processes
• Processes were terminated and files were deleted or quarantined
• Detection shows “Exactly”, so it does not look like a weak or generic hit

What makes this worrying:
• Cursor is widely used, so this is not some random unknown tool
• ClipBanker usually relates to clipboard hijacking, especially for crypto addresses
• It was not a single alert; it kept triggering across different processes

I’m not jumping to conclusions yet, but trying to understand what’s going on.

Has anyone else experienced this with Cursor IDE recently?
Could this be a false positive related to how Cursor handles clipboard or extensions?
Any official clarification from Cursor or Kaspersky?

For now, I’ve isolated the machine and I’m digging deeper, but it’s worth double-checking if you’re using Cursor.

Would appreciate any insights from the community.

Cursor Trojan.csv (6.4 KB)

Hey, this is a known issue. Kaspersky sometimes flags Cursor as a trojan. This is a false positive.

Cursor uses built-in API connections, runs terminal commands, uses extensions, MCP servers, and other processes that antivirus behavior analysis can treat as suspicious. A PDM (Proactive Defense Module) detection is heuristic, not a signature-based detection of a specific piece of malware.

For now, the workaround is to add Cursor to Kaspersky exclusions. I also recommend sending a false positive report directly to Kaspersky so they can update their databases.

Here are previous threads about the same situation:

Let me know if you still have questions.