Cybersecurity researchers have disclosed details of a new cryptojacking campaign that uses pirated software bundles as lures to deploy a bespoke XMRig miner program on compromised hosts.
“Analysis of the recovered dropper, persistence triggers, and mining payload reveals a sophisticated, multi-stage infection prioritizing maximum cryptocurrency mining hashrate, often destabilizing the victim system,” Trellix researcher Aswath A said in a technical report published last week.
“Furthermore, the malware exhibits worm-like capabilities, spreading across external storage devices, enabling lateral movement even in air-gapped environments.”
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
The entry point of the attack is the use of social engineering decoys, advertising free premium software in the form of pirated software bundles, such as installers for office productivity suites, to trick unsuspecting users into downloading malware-laced executables.
The binary acts as the central nervous system of the infection, serving different roles as an installer, watchdog, payload manager, and cleaner to oversee different aspects of the attack lifecycle. It features a modular design that separates the monitoring features from the core payloads responsible for cryptocurrency mining, privilege escalation, and persistence if it’s terminated.
This flexibility, or mode switching, is achieved via command-line arguments –
- No parameters for environment validation and migration during the early installation phase.
- 002 Re:0, for dropping the main payloads, starting the miner, and entering a monitoring loop.
- 016, for restarting the miner process if it’s killed.
- barusu, for initiating a self-destruct sequence by terminating all malware components and deleting files.
Present within the malware is a logic bomb that operates by retrieving the local system time and comparing it against a predefined timestamp –
- If it’s before December 23, 2025, the malware proceeds with installing the persistence modules and launching the miner.
- If it’s after December 23, 2025, the binary is launched with the “barusu” argument, resulting in a “controlled decommissioning” of the infection.
The hard deadline of December 23, 2025, indicates that the campaign was designed to run indefinitely on compromised systems, with the date likely either signaling the expiration of rented command-and-control (C2) infrastructure, a predicted shift in the cryptocurrency market, or a planned move to a new malware variant, Trellix said.
Caption – Overall file inventory
In the case of the standard infection routine, the binary – which acts as a “self-contained carrier” for all malicious payloads – writes the different components to disk, including a legitimate Windows Telemetry service executable that’s used to sideload the miner DLL.
Also dropped are files to ensure persistence, terminate security tools, and execute the miner with elevated privileges by using a legitimate but flawed driver (“WinRing0x64.sys”) as part of a technique called bring your own vulnerable driver (BYOVD). The driver is susceptible to a vulnerability tracked as CVE-2020-14979 (CVSS score: 7.8) that allows privilege escalation.
The integration of this exploit into the XMRig miner is to have greater control over the CPU’s low-level configuration and boost the mining performance (i.e., the RandomX hashrate) by 15% to 50%.
“A distinguishing feature of this XMRig variant is its aggressive propagation capability,” Trellix said. “It does not rely solely on the user downloading the dropper; it actively attempts to spread to other systems via removable media. This transforms the malware from a simple Trojan into a worm.”
Evidence shows that the mining activity took place, albeit sporadically, throughout November 2025, before spiking on December 8, 2025.
“This campaign serves as a potent reminder that commodity malware continues to innovate,” the cybersecurity company concluded. “By chaining together social engineering, legitimate software masquerades, worm-like propagation, and kernel-level exploitation, the attackers have created a resilient and highly efficient botnet.”
Caption – A “Circular Watchdog” topology to ensure persistence
The disclosure comes as Darktrace said it identified a malware artifact likely generated using a large language model (LLM) that exploits the React2Shell vulnerability (CVE-2025-55182, CVSS score: 10.0) to download a Python toolkit, which leverages the access to drop an XMRig miner by running a shell command.
“While the amount of money generated by the attacker in this case is relatively low, and cryptomining is far from a new technique, this campaign is proof that AI-based LLMs have made cybercrime more accessible than ever,” researchers Nathaniel Bill and Nathaniel Jones said.
“A single prompting session with a model was sufficient for this attacker to generate a functioning exploit framework and compromise more than ninety hosts, demonstrating that the operational value of AI for adversaries should not be underestimated.”
Attackers have also been putting to use a toolkit dubbed ILOVEPOOP to scan for exposed systems still vulnerable to React2Shell, likely in an effort to lay the groundwork for future attacks, according to WhoisXML API. The probing activity has particularly targeted government, defense, finance, and industrial organizations in the U.S.
“What makes ILOVEPOOP unusual is a mismatch between how it was built and how it was used,” said Alex Ronquillo, vice president of product at WhoisXML API. “The code itself reflects expert-level knowledge of React Server Components internals and employs attack techniques not found in any other documented React2Shell kit.”
“But the people deploying it made basic operational mistakes when interacting with WhoisXML API’s honeypot monitoring systems – errors that a sophisticated attacker would normally avoid. In practical terms, this gap points to a division of labor.”
“We might be looking at two different groups: one that built the tool and one that’s using it. We see this pattern in state-sponsored operations – a capable team develops the tooling, then hands it off to operators who run mass scanning campaigns. The operators don’t need to understand how the tool works – they just need to run it.”
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
⚡ Weekly Recap: Double-Tap Skimmers, PromptSpy AI, 30Tbps DDoS, Docker Malware & More
Feb 23, 2026
Cybersecurity / Hacking
Security news rarely moves in a straight line. This week, it feels more like a series of sharp turns, some happening quietly in the background, others playing out in public view. The details are different, but the pressure points are familiar. Across devices, cloud services, research labs, and even everyday apps, the line between normal behavior and hidden risk keeps getting thinner. Tools meant to protect, update, or improve systems are also becoming pathways when something goes wrong. This recap gathers the signals in one place. Quick reads, real impact, and developments that deserve a closer look before they become next week’s bigger problem. ⚡ Threat of the Week Dell RecoverPoint for VMs Zero-Day Exploited — A maximum severity security vulnerability in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a suspected China-nexus threat cluster dubbed UNC6201 since mid-2024. The activity involves the exploitation of CVE-2026-22769 (CVSS score: 10.0), a ca…