Wormable XMRig Campaign Leverages BYOVD Exploit and Time Based Logic Bomb

Cybersecurity analysts have uncovered a sophisticated cryptojacking campaign that distributes a customized XMRig miner through pirated software bundles. The operation combines social engineering, privilege escalation, worm-like propagation, and a time-triggered logic bomb to maximize cryptocurrency mining performance on compromised systems.

According to a technical assessment published by Trellix, the malware uses a multi-stage architecture designed to extract the maximum mining hashrate from each host, often at the cost of system stability.

Caption – Overall file inventory

Pirated Software as the Initial Infection Vector

The campaign begins with fake advertisements offering free premium software, typically bundled installers for office productivity tools. Unsuspecting users download these trojanized installers and, by running them, unknowingly start the infection chain.

The malicious binary functions as the operational core of the attack. It acts simultaneously as:

  • Installer
  • Watchdog
  • Payload manager
  • Cleanup controller

Its modular structure separates monitoring components from mining, privilege escalation, and persistence modules. Command line arguments determine its operational mode, allowing it to switch behavior dynamically during different infection phases.

Command Line Driven Mode Switching

The dropper selects its behavior from the command-line arguments it is launched with:

  • No parameters: used during early installation for environment validation and system migration.
  • 002 Re:0: deploys the payloads, launches the miner, and enters a monitoring loop.
  • 016: restarts the miner if it has been terminated.
  • barusu: activates a self-destruct routine that removes the malware components and cleans up traces.

Time Based Logic Bomb Mechanism

A notable feature is an embedded logic bomb. On each run the malware compares the system clock against a hard-coded deadline of December 23, 2025.

If the date is before the deadline, the malware installs its persistence mechanisms and activates the miner.

If the date is after the deadline, it relaunches itself with the barusu parameter, triggering the controlled removal process described above.

Researchers believe the fixed deadline may indicate expiration of rented command and control infrastructure, anticipated cryptocurrency market shifts, or transition planning toward a new malware version.

Caption – A “Circular Watchdog” topology to ensure persistence

BYOVD Exploit and Privilege Escalation

During standard execution, the binary drops several components to disk, including a legitimate Windows telemetry service executable. That executable is abused for DLL sideloading: when it starts, it loads the malicious miner DLL placed beside it instead of the library it expects.

To obtain kernel-level access, the campaign employs a Bring Your Own Vulnerable Driver (BYOVD) technique. It loads WinRing0x64.sys, a legitimate but vulnerable driver affected by CVE-2020-14979 (CVSS 7.8), which lets user-mode code read and write arbitrary model-specific registers (MSRs).

That MSR access is what XMRig's RandomX tuning needs to adjust CPU settings from user space; according to the report, it raises RandomX mining performance by 15 to 50 percent. The optimization significantly improves mining throughput, which is also why the miner tends to degrade the stability of the host.
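The two behaviours above, the argument-driven mode switching and the load of WinRing0x64.sys, are both visible in ordinary endpoint telemetry. The following hunting script is an added example and is not part of the Trellix report or the malware itself. It runs over a handful of constructed records shaped like Sysmon process-creation (Event ID 1) and driver-load (Event ID 6) events; the file paths in the sample are invented, and the "normal" driver directory used to grade a driver load as suspicious is an assumption, not something the report states.

```python
"""Hunt for the dropper's command-line modes and the WinRing0x64.sys BYOVD load.

Added example (not from the Trellix report). Sample events are constructed;
field names mimic Sysmon Event ID 1 (process create) and Event ID 6 (driver load).
"""
from dataclasses import dataclass

# Command-line tokens the dropper uses to select its mode, per the report.
MODE_TOKENS = {
    "002 Re:0": "deploy payloads, launch miner, monitor",
    "016": "restart miner",
    "barusu": "self-destruct and clean up",
}

VULNERABLE_DRIVER = "winring0x64.sys"            # CVE-2020-14979
# Assumption: where a packaged driver would normally live. Anything else is odd.
DRIVER_DIR = r"c:\windows\system32\drivers"


@dataclass
class Event:
    kind: str               # "process_create" or "driver_load"
    image: str              # Image (EID 1) or ImageLoaded (EID 6)
    command_line: str = ""  # CommandLine (EID 1 only)
    parent_image: str = ""  # ParentImage (EID 1 only)


def argument_string(command_line: str) -> str:
    """Return everything after the executable in a Windows command line.

    Handles both '"C:\\path with spaces\\x.exe" args' and 'C:\\x.exe args'.
    """
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def dropper_mode(command_line: str):
    """Map a command line to a dropper mode, or None if the arguments do not
    match exactly. Exact matching avoids flagging e.g. 'cmd /c dir 016'."""
    return MODE_TOKENS.get(argument_string(command_line))


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, artefact, detail) tuples for every suspicious event."""
    findings = []
    for ev in events:
        if ev.kind == "process_create":
            mode = dropper_mode(ev.command_line)
            if mode:
                findings.append(("dropper-mode", basename(ev.image), mode))
        elif ev.kind == "driver_load" and basename(ev.image) == VULNERABLE_DRIVER:
            where = "outside-driver-dir" if not ev.image.lower().startswith(DRIVER_DIR) else "driver-dir"
            findings.append(("byovd-driver", basename(ev.image), where))
    return findings


def sample_events():
    """Constructed telemetry: paths and file names are invented for illustration."""
    return [
        Event("process_create", r"C:\Users\bob\Downloads\OfficeSuite_Setup.exe",
              r'"C:\Users\bob\Downloads\OfficeSuite_Setup.exe"', r"C:\Windows\explorer.exe"),
        Event("process_create", r"C:\ProgramData\SysHelper\svc.exe",
              r'"C:\ProgramData\SysHelper\svc.exe" 002 Re:0', r"C:\Users\bob\Downloads\OfficeSuite_Setup.exe"),
        Event("process_create", r"C:\ProgramData\SysHelper\svc.exe",
              r'"C:\ProgramData\SysHelper\svc.exe" 016', r"C:\ProgramData\SysHelper\svc.exe"),
        Event("process_create", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\cmd.exe /c dir 016", r"C:\Windows\explorer.exe"),   # benign look-alike
        Event("driver_load", r"C:\ProgramData\SysHelper\WinRing0x64.sys"),
        Event("driver_load", r"C:\Windows\System32\drivers\ndis.sys"),
        Event("process_create", r"C:\ProgramData\SysHelper\svc.exe",
              r'"C:\ProgramData\SysHelper\svc.exe" barusu', r"C:\ProgramData\SysHelper\svc.exe"),
    ]


if __name__ == "__main__":
    for finding in hunt(sample_events()):
        print(finding)
```

The first sample run (no arguments) is deliberately not flagged: an installer launched from Downloads with no parameters is indistinguishable from a legitimate one, which is exactly why the report treats that stage as environment validation rather than an indicator. The driver-load rule, by contrast, fires on the file name alone, because WinRing0x64.sys has no business on a workstation regardless of path; the directory check only grades severity. In a real deployment the same logic belongs in a SIEM rule keyed on Sysmon EID 6 ImageLoaded, backed by a WDAC or HVCI driver blocklist entry so the driver cannot load at all.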

Worm Like Propagation Across Removable Media

Unlike traditional trojan-based cryptominers, this variant includes aggressive propagation logic. It copies itself to removable storage devices, so it can reach hosts that have no network path to the initial victim, including isolated or air-gapped environments.

Evidence suggests mining operations occurred sporadically throughout November 2025 before sharply increasing on December 8, 2025.

Trellix concluded that the campaign shows how commodity malware keeps evolving, combining social engineering, kernel-level abuse of a vulnerable driver, and automated spreading to build resilient mining botnets.

AI Generated Exploit Framework Observed in Parallel Campaign

In a related development, Darktrace identified malware that was likely written with assistance from a large language model. The exploit targeted the React2Shell vulnerability, tracked as CVE-2025-55182, which carries a critical CVSS score of 10.0.

The exploit downloaded a Python toolkit that executed shell commands to deploy an XMRig miner on more than ninety compromised systems. Researchers noted that even limited prompting was sufficient to produce a functional exploit framework, underscoring how AI assistance lowers the barrier to entry for cybercrime.

ILOVEPOOP Toolkit Scans U.S. Critical Sectors

Separately, WhoisXML API reported the use of a toolkit named ILOVEPOOP to identify exposed systems vulnerable to React2Shell. The scanning activity primarily targeted U.S. government, defense, finance, and industrial sectors.

Alex Ronquillo, vice president of product at WhoisXML API, observed a discrepancy between the sophistication of the toolkit and the operational mistakes made while deploying it. This suggests a possible division of labor between the developers and the operators, a pattern frequently associated with state-sponsored cyber operations.
