Cybercriminals are actively deploying CoinMiner malware via USB drives, compromising workstations primarily in South Korea. The malicious campaign focuses on illicitly mining the Monero cryptocurrency by infecting user devices with sophisticated malware. This threat highlights the persistent danger posed by physical media in cybersecurity and the evolving tactics of threat actors.
Researchers have identified that the attackers employ deceptive shortcut files and hidden folders within infected USB drives to trick unsuspecting users into executing malicious scripts. This method allows the malware to install XMRig, a popular cryptocurrency mining tool, on compromised systems without immediate user awareness, contributing to the spread of CoinMiner malware.
CoinMiner Malware Exploits USB Drives for Monero Mining
The ongoing threat involves a multi-stage infection process initiated by users interacting with a seemingly innocuous shortcut file on an infected USB drive. This shortcut, labeled “USB Drive.lnk,” masks a hidden “sysvolume” folder where the actual malware resides. When clicked, the shortcut triggers a chain of malicious operations that concurrently open a folder containing the user’s original files, creating a deceptive environment that makes detection difficult.
This approach, observed by ASEC security researchers, aims to maintain user access to their data while the malware operates in the background. The attackers have refined their techniques since earlier iterations of this threat were documented. Mandiant, for instance, categorized similar threats as DIRTYBULK and CUTFAIL in a July 2025 report, indicating a sustained and evolving effort by these threat actors.
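To check a removable drive for the lure layout described above (a root-level shortcut standing in for the drive, beside a hidden folder that holds the payload), here is an added Python example; it is not code from the ASEC or Mandiant write-ups. The shortcut and folder names ("USB Drive.lnk", "sysvolume") come from the article; the Entry record, assess_usb_root, the generic "Removable Disk" stem and the list of benign hidden folders are this example's own assumptions. It also generalises beyond the reported names: any shortcut named after the drive or its volume label that sits next to a non-standard hidden folder is reported as the same pattern.

```python
import os
import sys
from dataclasses import dataclass

# Names reported for this campaign (matched case-insensitively, as on NTFS/FAT).
LURE_SHORTCUT_NAMES = {"usb drive.lnk"}
LURE_HIDDEN_DIRS = {"sysvolume"}
# Hidden folders Windows itself keeps on removable media; assumed benign here.
BENIGN_HIDDEN_DIRS = {"system volume information", "$recycle.bin"}
# Generic stems a drive-impersonating shortcut is assumed to use (assumption).
GENERIC_DRIVE_STEMS = {"usb drive", "removable disk"}

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit exposed via st_file_attributes


@dataclass
class Entry:
    name: str
    is_dir: bool
    hidden: bool


def list_root(path):
    """Top-level entries of a drive. On Windows the hidden bit is read from the
    file attributes; elsewhere a leading dot is used as a stand-in."""
    entries = []
    with os.scandir(path) as it:
        for de in it:
            st = de.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)
            hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN) or de.name.startswith(".")
            entries.append(Entry(de.name, de.is_dir(follow_symlinks=False), hidden))
    return entries


def assess_usb_root(entries, volume_label=""):
    """Return findings for one drive root; an empty list means no lure pattern."""
    findings = []
    shortcuts = [e for e in entries if not e.is_dir and e.name.lower().endswith(".lnk")]
    hidden_dirs = [e for e in entries
                   if e.is_dir and e.hidden and e.name.lower() not in BENIGN_HIDDEN_DIRS]

    # Exact indicators from the write-up.
    for e in shortcuts:
        if e.name.lower() in LURE_SHORTCUT_NAMES:
            findings.append(f"known lure shortcut: {e.name}")
    for e in hidden_dirs:
        if e.name.lower() in LURE_HIDDEN_DIRS:
            findings.append(f"known hidden payload folder: {e.name}")

    # Generalisation: any shortcut named after the drive or its volume label, sitting
    # next to a non-standard hidden folder, is the same lure regardless of the names.
    stems = set(GENERIC_DRIVE_STEMS)
    if volume_label:
        stems.add(volume_label.lower())
    impersonating = [e for e in shortcuts if e.name[:-4].lower() in stems]
    if impersonating and hidden_dirs:
        findings.append("drive-impersonating shortcut beside hidden folder: "
                        f"{impersonating[0].name} / {hidden_dirs[0].name}")
    return findings


if __name__ == "__main__":
    # Usage: python usb_lure_check.py <drive root> [volume label]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    label = sys.argv[2] if len(sys.argv) > 2 else ""
    for finding in assess_usb_root(list_root(root), label) or ["no lure pattern found"]:
        print(finding)
```

The hidden-attribute fallback for non-Windows hosts is only there so the script runs anywhere; on the Windows workstation the check is meant for, st_file_attributes is what decides.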
The infection begins when the deceptive shortcut file is executed, launching a VBScript often with a randomly generated filename. This script then initiates a BAT (batch) malware component. This critical stage involves several operations designed to evade detection, including adding exclusion paths to Windows Defender and creating a directory with a space in its name within the “C:\Windows\System32” folder.
Infection Mechanism and Persistence Tactics
Further evasion and persistence are achieved by the BAT script copying and renaming the dropper malware to “printui.dll.” This malicious DLL is then loaded through the legitimate “printui.exe” program, a technique designed to blend in with normal system activity. This method allows the malware to gain a foothold on the infected workstation.
The dropper component then establishes persistence by registering itself with the DcomLaunch service. Once registered, the malware, identified as PrintMiner, modifies system power settings to prevent the computer from entering sleep mode. This ensures continuous operation for cryptocurrency mining. Additionally, the malware communicates with command-and-control servers to download encrypted payloads that facilitate its mining activities.
The decrypted files contain XMRig, configured to mine Monero cryptocurrency. The mining parameters observed include connecting to `r2.hashpoolpx[.]net:443` using TLS and limiting CPU usage to 50%. This specific configuration is intended to maximize mining efficiency while attempting to minimize the risk of detection through excessive resource consumption.
To further avoid detection and potential user complaints, the malware actively monitors running processes. It terminates the XMRig mining process when it detects users launching games or using process monitoring tools such as Process Explorer, Task Manager, and System Informer. This evasion technique is crucial for maintaining long-term operation, as it reduces the chances of the user noticing performance degradation or actively investigating suspicious activity. USB-based attacks, when combined with social engineering tactics, continue to present a significant challenge in the cybersecurity landscape.
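To turn the chain described in the paragraphs above into something an analyst can run against endpoint telemetry, here is an added Python example, not code from ASEC or Mandiant, that applies one rule per stage to a short list of constructed events. The stages it covers (the script host handing off to cmd.exe, a Defender exclusion path being added, a directory with a space in its name under System32, printui.dll loaded by printui.exe from outside the system directory, sleep being disabled, and the `r2.hashpoolpx[.]net` pool connection) are taken from the article; the event schema, the sample records, the script, batch and folder names inside them, and the assumption that sleep is disabled via powercfg are this example's own.

```python
import ntpath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# DLLs that legitimately live in System32 and whose name the dropper reused.
SIDELOAD_DLLS = {"printui.dll"}
# Pool host from the write-up, written as telemetry would carry it (not defanged).
KNOWN_POOL_HOSTS = {"r2.hashpoolpx.net"}


def _base(path):
    return ntpath.basename(path.rstrip("\\")).lower()


def _dir(path):
    return ntpath.dirname(path.rstrip("\\")).lower().rstrip("\\")


def rule_script_host_spawns_cmd(ev):
    """VBScript launched from the shortcut handing off to the BAT stage."""
    return (ev["type"] == "process" and _base(ev["image"]) == "cmd.exe"
            and _base(ev.get("parent", "")) in SCRIPT_HOSTS)


def rule_defender_exclusion(ev):
    """Exclusion path added, either via the registry or via Add-MpPreference."""
    if ev["type"] == "registry":
        return r"windows defender\exclusions\paths" in ev["key"].lower()
    if ev["type"] == "process":
        cmd = ev.get("cmdline", "").lower()
        return "add-mppreference" in cmd and "exclusionpath" in cmd
    return False


def rule_spaced_dir_in_system32(ev):
    """Directory with a space in its name created directly under System32.
    Assumption: rare enough on a clean host to alert on; baseline before deploying."""
    return (ev["type"] == "dir_create" and _dir(ev["path"]) in SYSTEM_DIRS
            and " " in _base(ev["path"]))


def rule_printui_sideload(ev):
    """A system binary loading a DLL that shares its name with a System32 DLL,
    but from a different directory (printui.exe plus the renamed dropper here)."""
    return (ev["type"] == "image_load" and _dir(ev["image"]) in SYSTEM_DIRS
            and _base(ev["loaded"]) in SIDELOAD_DLLS
            and _dir(ev["loaded"]) not in SYSTEM_DIRS)


def rule_sleep_disabled(ev):
    """The write-up says sleep is prevented but not how; a powercfg call that zeroes
    the standby or hibernate timeout is one common way and is assumed here."""
    if ev["type"] != "process" or _base(ev["image"]) != "powercfg.exe":
        return False
    cmd = ev.get("cmdline", "").lower()
    return ("standby-timeout" in cmd or "hibernate-timeout" in cmd) and cmd.endswith(" 0")


def rule_pool_connection(ev):
    """Outbound connection to the mining pool host named in the article."""
    return ev["type"] == "network" and ev.get("dst_host", "").lower() in KNOWN_POOL_HOSTS


RULES = [rule_script_host_spawns_cmd, rule_defender_exclusion, rule_spaced_dir_in_system32,
         rule_printui_sideload, rule_sleep_disabled, rule_pool_connection]


def detect(events):
    """Return (rule name, event index) for every event that trips a rule."""
    return [(rule.__name__, i) for i, ev in enumerate(events) for rule in RULES if rule(ev)]


# Constructed sample telemetry: the script and batch names and the "Printui " folder
# are made up for this example; only the stages and the pool host follow the article.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r'wscript.exe "E:\sysvolume\kq3f.vbs"'},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmdline": r'cmd.exe /c "E:\sysvolume\run.bat"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'powershell Add-MpPreference -ExclusionPath "C:\\Windows\\System32\\Printui "'},
    {"type": "dir_create", "path": "C:\\Windows\\System32\\Printui "},
    {"type": "image_load", "image": r"C:\Windows\System32\printui.exe",
     "loaded": "C:\\Windows\\System32\\Printui \\printui.dll"},
    {"type": "process", "image": r"C:\Windows\System32\powercfg.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "powercfg /change standby-timeout-ac 0"},
    {"type": "network", "image": r"C:\Windows\System32\printui.exe",
     "dst_host": "r2.hashpoolpx.net", "dst_port": 443},
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        print(f"{name:32s} event #{idx}: {SAMPLE_EVENTS[idx]['type']}")
```

Each rule is deliberately narrow so that a single hit is low-noise; the value of the set is that these stages occur in sequence on one host, so correlating two or more hits within a short window is what should page an analyst rather than any one rule alone.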
The continued evolution of these USB-based CoinMiner malware campaigns underscores the importance of user education and robust endpoint security solutions. As threat actors adapt their methods, organizations and individuals alike must remain vigilant against emerging threats and implement comprehensive cybersecurity practices to safeguard against such attacks.

