Cybersecurity researchers have detailed a new cryptojacking campaign that leverages pirated software bundles as an entry point to deploy a custom XMRig miner. This sophisticated attack chain utilizes social engineering and worm-like capabilities to maximize cryptocurrency mining hashrate, often destabilizing victim systems.
The campaign, uncovered by Trellix researchers, highlights the evolving tactics of threat actors seeking to profit from cryptocurrency mining. By combining multiple attack vectors, attackers have created a resilient and efficient botnet capable of widespread infection.
New Cryptojacking Campaign Leverages Pirated Software and Exploits
A recently disclosed cryptojacking campaign is employing a multi-stage infection process to deploy a bespoke XMRig miner. The initial entry point involves deceiving users into downloading malware disguised as pirated premium software, such as installers for popular office suites. Once executed, the malicious binary acts as a central orchestrator, managing various aspects of the attack lifecycle, including the cryptocurrency mining payload, privilege escalation, and persistence mechanisms.
Researchers at Trellix noted that the malware exhibits a modular design, separating monitoring features from the core payloads. This allows for flexibility and adaptability in its operations. The binary can switch between different modes based on command-line arguments, controlling tasks such as initial environment validation, deployment of payloads, restarting the miner if terminated, and initiating a self-destruct sequence to erase its presence.
Sophisticated Infection Chain and Persistence
A key component of this cryptojacking operation is a logic bomb that checks the system’s local time against a predefined timestamp. If the current date is before December 23, 2025, the malware proceeds with installing persistence modules and launching the XMRig miner. However, if the date is after this threshold, the binary executes a self-destruct routine, effectively decommissioning the infection. This hard deadline suggests the campaign was designed for long-term operation on compromised systems, potentially linked to the expiration of rented command-and-control (C2) infrastructure or planned shifts to new malware variants.
During the standard infection routine, the binary, acting as a self-contained carrier, writes various malicious components to disk. This includes a legitimate Windows Telemetry service executable, which is then used to sideload the miner DLL. Files are also deployed to ensure persistence, terminate security tools, and execute the miner with elevated privileges. Notably, the attackers are leveraging a legitimate but vulnerable driver, “WinRing0x64.sys,” employing a technique known as Bring Your Own Vulnerable Driver (BYOVD). This driver is susceptible to a privilege escalation vulnerability (CVE-2020-14979) that the attackers exploit to gain deeper control over the system.
The integration of this exploit into the XMRig miner is intended to boost performance. By enabling greater control over the CPU’s low-level configuration, the attackers aim to significantly increase the mining hashrate, estimating gains of 15% to 50%. This enhanced efficiency is crucial for maximizing profits in the competitive cryptocurrency mining landscape.
Worm-Like Propagation and Evolving Threats
A distinguishing characteristic of this XMRig variant is its aggressive propagation capability. Beyond relying on user downloads, the malware actively attempts to spread to other systems via removable media, effectively transforming itself from a simple Trojan into a worm. This worm-like behavior allows for rapid lateral movement, even in air-gapped environments, by infecting external storage devices. Evidence indicates that mining activity occurred sporadically throughout November 2025, with a significant spike observed on December 8, 2025.
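The three on-host behaviours described above (a vulnerable driver such as WinRing0x64.sys being loaded, a Windows telemetry executable sideloading a DLL from a user-writable location, and executables being written to removable media) are each visible in ordinary endpoint telemetry. The following detector is an added example, not code from the article or from Trellix: it runs three simple rules over a handful of constructed events whose schema is loosely modelled on Sysmon event IDs. The article does not name the telemetry executable, so CompatTelRunner.exe (a real Windows Compatibility Telemetry binary) is used as an assumed stand-in, and the DLL and installer file names in the sample events are invented for illustration.

```python
import re

# Constructed sample events for this example; not real telemetry.
# Keys are modelled loosely on Sysmon event IDs (6 = driver load,
# 7 = image load, 11 = file create) but the schema is our own.
SAMPLE_EVENTS = [
    # Vulnerable driver dropped into a user temp directory and loaded (BYOVD).
    {"id": 6, "image_loaded": r"C:\Users\alice\AppData\Local\Temp\WinRing0x64.sys"},
    # A Microsoft telemetry binary loading a DLL from a user-writable path (sideload).
    {"id": 7, "image": r"C:\Windows\System32\CompatTelRunner.exe",
     "image_loaded": r"C:\Users\alice\AppData\Roaming\OfficeSuite\miner_payload.dll"},
    # The same binary loading a DLL from System32: expected, not flagged.
    {"id": 7, "image": r"C:\Windows\System32\CompatTelRunner.exe",
     "image_loaded": r"C:\Windows\System32\version.dll"},
    # An executable written to the root of a removable drive (worm-style spread).
    {"id": 11, "image": r"C:\Users\alice\AppData\Roaming\OfficeSuite\setup.exe",
     "target": r"E:\Office_Premium_Installer.exe", "drive_type": "removable"},
    # A benign file copied to the same drive: not flagged.
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"E:\holiday_photos.jpg", "drive_type": "removable"},
]

# Driver name taken from the article; a real deployment would use a
# maintained blocklist (for example Microsoft's vulnerable driver blocklist).
VULNERABLE_DRIVERS = {"winring0x64.sys"}

# The article does not name the telemetry executable; CompatTelRunner.exe
# (a real Windows Compatibility Telemetry binary) is an assumed stand-in.
TELEMETRY_BINARIES = {"compattelrunner.exe"}

WINDOWS_DIR = "c:\\windows\\"
EXECUTABLE_EXT = re.compile(r"\.(exe|dll|scr|lnk|bat|cmd|ps1|vbs|js)$", re.I)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def under_windows_dir(path: str) -> bool:
    """True if the path lies beneath C:\\Windows (case-insensitive)."""
    return path.lower().startswith(WINDOWS_DIR)


def check_vulnerable_driver(ev: dict):
    """Rule 1: a known-vulnerable driver is loaded, wherever it sits on disk."""
    if ev.get("id") == 6 and basename(ev.get("image_loaded", "")) in VULNERABLE_DRIVERS:
        return {"rule": "byovd_driver_load", "detail": ev["image_loaded"]}
    return None


def check_telemetry_sideload(ev: dict):
    """Rule 2: a telemetry binary under C:\\Windows loads a DLL from outside it."""
    if ev.get("id") != 7:
        return None
    proc, dll = ev.get("image", ""), ev.get("image_loaded", "")
    if (basename(proc) in TELEMETRY_BINARIES and under_windows_dir(proc)
            and dll.lower().endswith(".dll") and not under_windows_dir(dll)):
        return {"rule": "telemetry_dll_sideload", "detail": f"{proc} -> {dll}"}
    return None


def check_removable_drop(ev: dict):
    """Rule 3: an executable is written to a removable drive by a non-Windows process."""
    if ev.get("id") != 11 or ev.get("drive_type") != "removable":
        return None
    target, writer = ev.get("target", ""), ev.get("image", "")
    if EXECUTABLE_EXT.search(target) and not under_windows_dir(writer):
        return {"rule": "removable_media_drop", "detail": f"{writer} wrote {target}"}
    return None


RULES = (check_vulnerable_driver, check_telemetry_sideload, check_removable_drop)


def analyse(events):
    """Run every rule over every event; return the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['detail']}")
```

Rule 1 keys on the driver's file name rather than its location because BYOVD abuse works wherever the signed driver is written; Rule 2 deliberately ignores DLLs loaded from beneath C:\Windows so that normal operation of the telemetry binary stays quiet; Rule 3 excludes writes by processes under C:\Windows so that Explorer copying files to a USB stick is not flagged. In production the driver set would be replaced by a curated blocklist and the rules would be fed from real Sysmon or EDR events rather than the constructed sample.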
The campaign serves as a stark reminder that commodity malware continues to innovate. By chaining together social engineering, masquerading as legitimate software, worm-like propagation, and kernel-level exploitation, attackers have developed a resilient and highly efficient botnet. Researchers believe this underscores the ongoing threat posed by sophisticated cryptojacking operations and the need for continuous vigilance in cybersecurity defenses.
Meanwhile, a separate development highlights the increasing role of artificial intelligence in cybercrime. Darktrace reported identifying a malware artifact likely generated using a large language model (LLM) that exploits the React2Shell vulnerability (CVE-2025-55182). This exploit is used to download a Python toolkit, which subsequently drops an XMRig miner through a shell command. While the monetary gains in this specific instance were low, the campaign demonstrates how AI has made cybercrime more accessible, enabling attackers to generate functional exploit frameworks and compromise numerous hosts with relative ease.
Additional probing activity has been observed with a toolkit dubbed ILOVEPOOP, which scans for systems vulnerable to React2Shell. This activity has particularly targeted government, defense, finance, and industrial organizations in the U.S. Experts suggest that the sophisticated nature of the tool’s construction, combined with apparent operational errors by its deployers, points to a potential division of labor between development and deployment teams, a pattern often seen in state-sponsored operations.
Conclusion and Future Watch
The combination of advanced cryptojacking techniques and the emerging influence of AI in crafting malware presents significant challenges for cybersecurity professionals. The specific campaign detailed by Trellix, with its multi-stage infection, privilege escalation, and worm-like capabilities, is expected to evolve. As attackers continue to refine their methods, the trend toward more resilient and efficient botnets is likely to persist. Organizations should remain vigilant against social engineering tactics and ensure their systems are patched against known vulnerabilities, particularly those related to drivers and executable sideloading. The impact of AI-generated malware is still unfolding, and its role in future attacks warrants close observation.