Wormable XMRig campaign uses BYOVD exploit and time-based logic bombs

By user, February 23, 2026

Cybersecurity researchers have revealed details of a new cryptojacking campaign that uses pirated software bundles as bait to deploy a custom-built XMRig miner program on compromised hosts.

“Analysis of recovered droppers, persistence triggers, and mining payloads reveals sophisticated multi-stage infections that prioritize maximizing cryptocurrency mining hashrate, often destabilizing victims’ systems,” Trellix researcher Aswath A said in a technical report published last week.

“Additionally, this malware exhibits worm-like capabilities, spreading across external storage devices and allowing lateral movement even in air-gapped environments.”

The entry point for the attacks is social engineering: baits promoting "free premium software" in the form of pirated software bundles, such as office productivity suite installers, trick unsuspecting users into downloading a malware-laden executable.

This binary acts as the central nervous system of the infection, playing various roles as an installer, watchdog, payload manager, and cleaner, monitoring various aspects of the attack lifecycle. It features a modular design that separates monitoring functionality from the core payload, which is responsible for cryptocurrency mining, privilege escalation, and persistence upon exit.

This flexibility, or mode switching, is achieved through command line arguments.

The command-line modes described in the report are:

  • No argument: the initial installation stage, in which the binary validates the environment and migrates itself.
  • 002 Re:0: the main payload is dropped, the miner is started, and the monitoring loop begins.
  • 016: restart the miner process if it has been killed.
  • barusu: start a self-destruct sequence that terminates all malware components and deletes their files.

There is a logic bomb within the malware that operates by taking the local system time and comparing it to a predefined timestamp.

Before December 23, 2025, the malware continues to install the persistence module and launch the miner. After December 23, 2025, the binary will be launched with the ‘barusu’ argument, resulting in a ‘controlled retirement’ of the infection.

The hard deadline of December 23, 2025 indicates that the campaign was not designed to run indefinitely on compromised systems; the date likely corresponds to the expiration of rented command-and-control (C2) infrastructure, anticipated changes in the cryptocurrency market, or a planned migration to new malware variants, Trellix said.

Caption – overall file inventory

In a standard infection routine, the binary, which acts as a “self-contained carrier” for all malicious payloads, writes the various components to disk, including a legitimate Windows Telemetry service executable that is used to sideload the miner DLLs.

It also drops files that ensure persistence, terminate security tools, and run the miner with elevated privileges using a legitimate but flawed driver (‘WinRing0x64.sys’), a technique known as BYOVD (Bring Your Own Vulnerable Driver). The driver is affected by a privilege escalation vulnerability tracked as CVE-2020-14979 (CVSS score: 7.8).

Integrating this exploit into the XMRig miner increases mining performance (RandomX hashrate) by 15% to 50%, because the driver gives the miner greater control over the low-level configuration of the CPU.
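The mode arguments listed above, the watchdog that relaunches a killed miner, and the WinRing0x64.sys driver load are all visible in ordinary endpoint telemetry. The following Python is an added example of how a defender could triage such telemetry; it is not code from the Trellix report or from the malware. The event records, the image names (svc.exe, telemetry_host.exe, office_suite_setup.exe) and the timestamps are constructed for the example; only the mode strings and the driver file name come from the article.

```python
"""Triage constructed process-creation and driver-load events for three of the
indicators described in the write-up: the dropper's command-line modes, the
BYOVD driver load, and the watchdog pattern of a parent relaunching the same
child process repeatedly. Added example; event data is constructed."""
import ntpath
from collections import defaultdict
from dataclasses import dataclass

# Mode arguments described in the write-up and what each one does.
MODE_ARGS = {
    "002 Re:0": "main payload dropped, miner started, monitoring loop started",
    "016": "restart the miner process if it is killed",
    "barusu": "self-destruct: terminate components and delete files",
}
BYOVD_DRIVER = "winring0x64.sys"  # vulnerable driver named in the write-up


@dataclass(frozen=True)
class Finding:
    rule: str
    event_ids: tuple
    detail: str


def _basename(path):
    return ntpath.basename(path).lower()


def _args_of(command_line):
    """Everything after the image token of a command line, or '' if none."""
    parts = command_line.strip().split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""


def find_mode_args(events):
    """Flag any process whose full argument string is one of the known modes."""
    out = []
    for ev in events:
        if ev["type"] != "ProcessCreate":
            continue
        args = _args_of(ev["CommandLine"]).lower()
        for mode, meaning in MODE_ARGS.items():
            if args == mode.lower():
                out.append(Finding("dropper-mode-arg", (ev["id"],),
                                   f"{_basename(ev['Image'])} {mode!r}: {meaning}"))
    return out


def find_byovd_loads(events):
    """Flag loads of the vulnerable driver, matched on file name only."""
    return [Finding("byovd-driver-load", (ev["id"],), ev["ImageLoaded"])
            for ev in events
            if ev["type"] == "DriverLoad"
            and _basename(ev["ImageLoaded"]) == BYOVD_DRIVER]


def find_relaunch_loops(events, window_s=120, threshold=3):
    """Flag a parent that starts the same child image `threshold` or more
    times within `window_s` seconds: the 'restart the miner if killed' loop."""
    starts = defaultdict(list)  # (parent, child) -> [(ts, event id)]
    for ev in events:
        if ev["type"] == "ProcessCreate":
            key = (_basename(ev["ParentImage"]), _basename(ev["Image"]))
            starts[key].append((ev["ts"], ev["id"]))
    out = []
    for (parent, child), launches in starts.items():
        launches.sort()
        for i in range(len(launches)):
            # Sliding window anchored at launch i.
            j = i
            while j < len(launches) and launches[j][0] - launches[i][0] <= window_s:
                j += 1
            if j - i >= threshold:
                ids = tuple(eid for _, eid in launches[i:j])
                out.append(Finding("relaunch-loop", ids,
                                   f"{parent} relaunched {child} {j - i}x within {window_s}s"))
                break  # one finding per parent/child pair is enough
    return out


def triage(events):
    return find_mode_args(events) + find_byovd_loads(events) + find_relaunch_loops(events)


# Constructed sample telemetry (Sysmon-like fields, epoch seconds for `ts`).
SAMPLE_EVENTS = [
    {"id": 1, "type": "ProcessCreate", "ts": 0, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\victim\Downloads\office_suite_setup.exe",
     "CommandLine": "office_suite_setup.exe"},
    {"id": 2, "type": "ProcessCreate", "ts": 5, "ParentImage": r"C:\Users\victim\Downloads\office_suite_setup.exe",
     "Image": r"C:\ProgramData\updater\svc.exe", "CommandLine": "svc.exe 002 Re:0"},
    {"id": 3, "type": "DriverLoad", "ts": 6, "ImageLoaded": r"C:\ProgramData\updater\WinRing0x64.sys"},
    *[{"id": 4 + k, "type": "ProcessCreate", "ts": 10 + 30 * k, "ParentImage": r"C:\ProgramData\updater\svc.exe",
       "Image": r"C:\ProgramData\updater\telemetry_host.exe", "CommandLine": "telemetry_host.exe"}
      for k in range(4)],
    {"id": 8, "type": "ProcessCreate", "ts": 200, "ParentImage": r"C:\ProgramData\updater\svc.exe",
     "Image": r"C:\ProgramData\updater\svc.exe", "CommandLine": "svc.exe barusu"},
    {"id": 9, "type": "ProcessCreate", "ts": 210, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] events={f.event_ids} {f.detail}")
```

The driver rule matches on file name only, so a renamed copy of the driver would slip past it; in production that check belongs on the driver's file hash or signer, and the relaunch rule should be tuned against legitimate service restarts before it is allowed to alert.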

“The distinguishing feature of this XMRig variant is its aggressive propagation ability,” Trellix said. “Rather than relying solely on users downloading the dropper, it actively attempts to spread to other systems via removable media. This transforms the malware from a simple Trojan to a worm.”

Evidence indicates that mining activity, although sporadic, occurred throughout November 2025, before spiking on December 8, 2025.

“This campaign is a strong reminder that commodity malware continues to innovate,” the cybersecurity firm concluded. “Through a chain of social engineering, masquerading of legitimate software, worm-like propagation, and kernel-level exploitation, the attackers created a resilient and highly efficient botnet.”

Caption – “Cyclic Watchdog” topology to ensure persistence

This disclosure comes after Darktrace announced that it had identified a malware artifact that may have been generated with a large language model (LLM). The artifact exploits the React2Shell vulnerability (CVE-2025-55182, CVSS score: 10.0) to download a Python toolkit, then uses that access to drop the XMRig miner by executing shell commands.

Researchers Nathaniel Bill and Nathaniel Jones said: “Although the amount of money generated by the attackers in this incident was relatively small, and cryptomining is by no means a new technique, this campaign is evidence that AI-based LLM has made cybercrime more accessible than ever.”

“One prompting session with the model was enough for this attacker to generate a working exploit framework and compromise over 90 hosts, demonstrating that the operational value of AI to adversaries should not be underestimated.”

According to WhoisXML API, attackers are also using a toolkit called ILOVEPOOP to scan for publicly exposed systems that are still vulnerable to React2Shell, likely to lay the groundwork for future attacks. This reconnaissance effort specifically targets U.S. government, defense, financial, and industry organizations.

“What’s unusual about ILOVEPOOP is that the way it’s built and the way it’s used aren’t aligned,” said Alex Ronquillo, vice president of products at WhoisXML API. “The code itself reflects expert-level knowledge of the internals of React Server Components and employs attack techniques not found in other documented React2Shell kits.”

“However, the people deploying it made a basic operational error when interacting with the WhoisXML API’s honeypot monitoring system, a mistake that sophisticated attackers typically avoid. In practice, this gap is indicative of a division of labor.”

“We may be looking at two different groups: the group that built the tool and the group that is using it. We see this pattern in state-sponsored operations. A capable team develops a tool and hands it off to an operator who runs a large-scale scanning campaign. The operator doesn’t need to understand how the tool works; just running the tool is enough.”
