Wormable XMRig Campaign Exploits BYOVD And Time-Based Logic Bomb To Target Systems

Cybersecurity researchers have identified a sophisticated cryptojacking campaign leveraging pirated software bundles to deploy a customized XMRig miner on compromised systems. The campaign uses multi-stage infection techniques designed to maximize cryptocurrency mining hashrate while destabilizing target machines. According to Trellix researcher Aswath A, the malware also exhibits worm-like behavior, spreading across external storage devices and enabling lateral movement even in air-gapped environments.

The attack primarily relies on social engineering, presenting pirated office suites and other software as free downloads to lure users into executing malicious binaries. These binaries function as central controllers for the infection, performing installation, monitoring, payload management, and cleanup operations. A modular design allows the malware to separate its mining operations from monitoring components and manage privileges and persistence efficiently. Different command-line arguments enable mode switching, including environment validation, payload deployment, miner restart, and a self-destruct sequence triggered by the argument “barusu.” A built-in logic bomb checks local system time against a set timestamp of December 23, 2025, controlling whether the malware installs and launches or initiates decommissioning, suggesting planned campaign lifecycle management.

The malware installs multiple components on infected machines, including legitimate Windows Telemetry executables used for DLL sideloading and a vulnerable driver, WinRing0x64.sys, as part of a bring-your-own-vulnerable-driver (BYOVD) exploit. The CVE-2020-14979 vulnerability in the driver allows privilege escalation, enabling the malware to control CPU configuration and boost RandomX mining performance by 15 to 50 percent. Trellix noted that the campaign’s propagation capabilities distinguish it from standard trojans, with removable media used for lateral movement. Mining activity was observed intermittently in November 2025 and intensified on December 8, demonstrating the campaign’s resilience and operational efficiency.
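As an added example (not code from Trellix's report or this article), the following Python triage routine applies two indicators named above, a load of the vulnerable WinRing0x64.sys driver and a process launched with the “barusu” self-destruct argument, to constructed Sysmon-style events; the event field names, file paths and severity scheme are assumptions.

```python
import ntpath
import shlex
from typing import Dict, List, Optional

# Indicators taken from the article: the vulnerable WinRing0x64.sys driver
# (CVE-2020-14979) and the "barusu" self-destruct argument.
BYOVD_DRIVER = "winring0x64.sys"
SELF_DESTRUCT_ARG = "barusu"
# Directories a normally installed driver should not be loading from (assumed list).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")

# Constructed Sysmon-style events (not real telemetry): ID 6 = driver load, ID 1 = process create.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "6", "ImageLoaded": r"C:\Users\Public\Libraries\WinRing0x64.sys"},
    {"id": "6", "ImageLoaded": r"C:\Program Files\HWMonitorTool\WinRing0x64.sys"},
    {"id": "1", "CommandLine": r"C:\ProgramData\svc\updater.exe barusu"},
    {"id": "1", "CommandLine": r"C:\Windows\System32\notepad.exe C:\notes.txt"},
]

def classify_driver_load(image_loaded: str) -> Optional[str]:
    """Severity for a driver-load path, or None if the driver is not WinRing0."""
    if ntpath.basename(image_loaded).lower() != BYOVD_DRIVER:
        return None
    # WinRing0 also ships with legitimate hardware-monitoring tools, so the file
    # name alone is only a lead; loading from a user-writable path raises suspicion.
    if any(seg in image_loaded.lower() for seg in USER_WRITABLE):
        return "high"
    return "medium"

def classify_process(command_line: str) -> Optional[str]:
    """Severity for a process command line, or None if no indicator matches."""
    try:
        argv = shlex.split(command_line, posix=False)  # keep Windows backslashes intact
    except ValueError:
        argv = command_line.split()
    if any(arg.strip('"').lower() == SELF_DESTRUCT_ARG for arg in argv[1:]):
        return "high"
    return None

def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per event that matches an indicator, in event order."""
    findings: List[Dict[str, object]] = []
    for index, event in enumerate(events):
        severity, rule = None, ""
        if event.get("id") == "6":
            severity, rule = classify_driver_load(event.get("ImageLoaded", "")), "byovd-winring0"
        elif event.get("id") == "1":
            severity, rule = classify_process(event.get("CommandLine", "")), "selfdestruct-arg"
        if severity:
            findings.append({"event": index, "rule": rule, "severity": severity})
    return findings
```

Treat a medium finding as a lead to confirm against the host's installed hardware-monitoring software before escalating.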

Parallel investigations have highlighted the growing use of AI-assisted tools in cybercrime. Darktrace reported evidence of a malware artifact likely generated using a large language model to exploit the React2Shell vulnerability (CVE-2025-55182) and deploy XMRig miners via Python scripts. While financial gains from mining were limited, this incident illustrates how AI lowers barriers for threat actors. Additionally, WhoisXML API researchers tracked the ILOVEPOOP toolkit being used to scan for systems still vulnerable to React2Shell, particularly targeting government, defense, finance, and industrial networks. Analysts suggest a division of labor between expert developers and operators running mass campaigns, a pattern reminiscent of state-sponsored operations, highlighting operational gaps and increasing risks to enterprise systems.

This campaign underscores the evolving sophistication of cryptojacking threats, where malware combines social engineering, legitimate software masquerading, kernel-level exploits, wormable propagation, and AI-assisted development. Security teams are advised to prioritize monitoring for anomalous mining activity, enforce patch management on vulnerable drivers, and maintain rigorous endpoint protection strategies to mitigate similar attacks in both enterprise and industrial environments.
