XMRig Cryptojacking Campaign
Extensive investigations have uncovered a sophisticated cryptojacking campaign that leverages pirated software bundles to infect systems with a customized XMRig miner. The operation relies heavily on social engineering, advertising free premium applications, such as cracked office productivity suites, to entice users into downloading trojanized installers.
These malicious executables serve as the primary entry point. Once executed, they initiate a carefully orchestrated infection process designed to maximize cryptocurrency mining output, frequently at the expense of system stability. The campaign's reliance on deceptive distribution tactics highlights the continued effectiveness of software piracy as a malware delivery channel.
A Modular Infection Engine with Multiple Operational Modes
At the core of the attack lies a multifunctional binary that operates as the command center of the infection lifecycle. Acting as an installer, watchdog, payload manager, and cleanup utility, this component oversees deployment, persistence, monitoring, and potential self-removal.
The malware's modular design separates monitoring capabilities from core payloads responsible for mining, privilege escalation, and persistence. Operational flexibility is achieved through specific command-line arguments that enable distinct execution modes:
- No parameter: Performs environment validation and handles early-stage installation and migration.
- 002 Re:0: Drops the primary payloads, launches the miner, and enters a monitoring loop.
- 016: Restarts the miner if it is terminated.
- barusu: Initiates a self-destruct sequence, terminating malware components and removing associated files.
This structured mode-switching approach enhances resilience and ensures sustained mining activity even when defensive actions are taken.
Embedded Logic Bomb and Timed Decommissioning
A notable characteristic of the malware is the inclusion of a logic bomb. The binary retrieves the system's local time and compares it against a hardcoded deadline of December 23, 2025.
- If executed before December 23, 2025, the malware proceeds with persistence installation and miner deployment.
- If executed after this date, it automatically relaunches itself using the 'barusu' parameter, triggering a controlled self-decommissioning process.
The predefined cutoff suggests that the campaign was intended to operate continuously until that date. The deadline may correspond to the expiration of rented command-and-control infrastructure, anticipated cryptocurrency market changes, or a strategic transition to a successor malware strain.
Privilege Escalation and Mining Optimization via BYOVD
During a standard infection routine, the binary, functioning as a self-contained carrier, writes all necessary components to disk. Among these is a legitimate Windows Telemetry service executable, which is abused to sideload the malicious miner DLL.
Persistence mechanisms are also deployed, along with components designed to disable security tools. To ensure elevated execution privileges, the malware employs a bring-your-own-vulnerable-driver (BYOVD) technique using the flawed driver 'WinRing0x64.sys.' This driver is affected by CVE-2020-14979, a vulnerability with a CVSS score of 7.8 that permits privilege escalation.
By integrating this exploit directly into the customized XMRig miner, the attackers gain low-level control over CPU configurations. This optimization increases RandomX mining performance by approximately 15% to 50%, significantly improving profitability.
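The execution modes, the logic-bomb deadline and the vulnerable driver described above are all observable from endpoint telemetry. The following Python script is an added detection example written for this article; it is not code from the report or from the malware. It scans constructed, newline-delimited JSON events loosely shaped like Sysmon driver-load and process-create records, flags loads of WinRing0x64.sys and command lines carrying the carrier binary's mode arguments, and annotates each finding with whether it falls before or after the December 23, 2025 deadline. The file paths, timestamps and installer name "setup.exe" in the sample are placeholders, not indicators from the campaign.

```python
import json
import os
from datetime import datetime, timezone

# Constructed sample telemetry, not taken from the report: one JSON record per line,
# loosely shaped like Sysmon EventID 6 (driver loaded) and EventID 1 (process created).
# Paths, timestamps and the installer name "setup.exe" are placeholders.
SAMPLE_EVENTS = r"""
{"EventID": 6, "UtcTime": "2025-12-08T03:14:07Z", "ImageLoaded": "C:\\ProgramData\\cache\\WinRing0x64.sys"}
{"EventID": 1, "UtcTime": "2025-12-08T03:14:09Z", "Image": "C:\\ProgramData\\cache\\setup.exe", "CommandLine": "setup.exe 016"}
{"EventID": 1, "UtcTime": "2025-12-08T03:20:00Z", "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}
{"EventID": 6, "UtcTime": "2025-12-08T03:21:00Z", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys"}
{"EventID": 1, "UtcTime": "2025-12-23T00:00:05Z", "Image": "C:\\ProgramData\\cache\\setup.exe", "CommandLine": "setup.exe barusu"}
"""

# Driver file name the report ties to CVE-2020-14979 (BYOVD). Extend this with your
# own vulnerable-driver blocklist; matching is on the base name, case-insensitive.
VULNERABLE_DRIVERS = {"winring0x64.sys"}

# Command-line tokens the report lists as the carrier binary's execution modes.
MODE_ARGS = {
    "002": "payload drop + monitoring loop",
    "Re:0": "payload drop + monitoring loop",
    "016": "miner restart (watchdog)",
    "barusu": "self-destruct / cleanup",
}

# Hardcoded logic-bomb deadline from the report; used only to annotate findings.
DEADLINE = datetime(2025, 12, 23, tzinfo=timezone.utc)


def _basename(path: str) -> str:
    # Normalise Windows separators so os.path.basename works on any host OS.
    return os.path.basename(path.replace("\\", "/")).lower()


def classify_event(event: dict) -> list[str]:
    """Return zero or more finding tags for one parsed event."""
    findings = []
    if event.get("EventID") == 6:
        name = _basename(event.get("ImageLoaded", ""))
        if name in VULNERABLE_DRIVERS:
            findings.append(f"byovd-driver-load:{name}")
    elif event.get("EventID") == 1:
        # Exact whole-token match on the arguments after the image name. The numeric
        # modes are weak signals on their own; pair them with the image path in real rules.
        args = event.get("CommandLine", "").split()[1:]
        for arg in args:
            if arg in MODE_ARGS:
                findings.append(f"xmrig-mode-arg:{arg}")
    return findings


def after_deadline(utc_time: str) -> bool:
    """True if the event time is on or after the logic-bomb deadline."""
    ts = datetime.strptime(utc_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts >= DEADLINE


def scan(raw_lines: str) -> list[tuple[str, str, str]]:
    """Scan newline-delimited JSON events; return (time, finding, phase) triples."""
    alerts = []
    for line in raw_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        phase = "post-deadline" if after_deadline(event["UtcTime"]) else "pre-deadline"
        for finding in classify_event(event):
            alerts.append((event["UtcTime"], finding, phase))
    return alerts


if __name__ == "__main__":
    for when, what, phase in scan(SAMPLE_EVENTS):
        print(when, what, phase)
```

A 'barusu' launch tagged post-deadline is consistent with the timed self-decommissioning the report describes, whereas the same argument seen pre-deadline points to something else (for example a defender or sandbox triggering cleanup) and is worth a closer look. The driver match is the higher-confidence signal of the two; a legitimate WinRing0x64.sys load outside a known hardware-monitoring tool's install directory should be treated as BYOVD activity regardless of what else is seen.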
Worm-Like Propagation and Lateral Movement
Unlike traditional Trojans that depend solely on initial user execution, this XMRig variant incorporates aggressive propagation features. It actively spreads via removable storage devices, enabling lateral movement across systems, including those in air-gapped environments.
This worm-like capability transforms the malware into a self-propagating threat, substantially broadening its reach within organizational networks and increasing botnet scale.
Operational Timeline and Strategic Implications
Forensic evidence indicates intermittent mining activity throughout November 2025, followed by a marked surge beginning on December 8, 2025. This pattern suggests phased deployment or activation strategies aimed at avoiding early detection.
The campaign underscores the ongoing evolution of commodity malware. By combining social engineering, legitimate software impersonation, worm-style propagation, and kernel-level exploitation, the threat actors have engineered a durable and high-performance cryptojacking botnet capable of sustained and optimized cryptocurrency mining.