The cryptomining campaign that behaves like a worm: pirated software and lateral propagation

Published · 5 min read

Cybersecurity researchers have unraveled a cryptojacking campaign that combines old social engineering tricks with advanced exploitation and persistence techniques. At the center of the attack are binaries offered inside pirated software packages: supposedly "free" installers of office suites and other premium tools that actually hide a malicious loader, which ends up deploying a custom XMRig-based Monero miner.

The campaign is not limited to running a mining process: it is modular, resilient and, in certain respects, behaves like a worm. According to the analysis published by Trellix, the recovered executable acts as a central controller that can install components, monitor that the miner keeps running, restart it if necessary and, in certain cases, remove evidence when ordered to. This separation of functions into operating modes makes it easier for the actor to increase mining efficiency and maintain control over compromised systems.

Image generated with AI.

The entry vector relies on trust: users looking for paid software at no cost end up downloading a "dropper" that unpacks and writes multiple artifacts to disk. These usually include a legitimate copy of a system executable that is used for DLL sideloading, plus binaries that disable security tools or install persistence mechanisms. To escalate privileges and maximize mining capacity, the operator also bundles a vulnerable driver, WinRing0x64.sys, and exploits a known flaw in it (CVE-2020-14979) that allows low-level CPU settings to be manipulated; the reported effect is a significant increase in the RandomX hashrate.

Beyond abusing the vulnerable driver, the campaign shows propagation behaviour that is unusual for a typical cryptominer. The malware tries to replicate through removable media and can move laterally even in isolated (air-gapped) environments, which brings it closer to the worm category: infection does not depend solely on a user downloading the dropper; the malware actively seeks new infection vectors.

The malicious component also carries a time-based "logic bomb": it checks the system's local time and, if the date passes a predefined threshold, in this case 23 December 2025, a controlled dismantling routine is triggered. This behaviour suggests that the operators intended to keep the campaign running for months or years and planned some kind of coordinated transition or shutdown, perhaps tied to the expiry of command-and-control infrastructure, changes in the cryptocurrency market or a migration to a new variant.

As if that were not enough, research by other firms reveals how the combination of automated tools and language assistants can facilitate these attacks. Darktrace identified an artifact that was most likely generated with the help of a large language model (LLM) to exploit the vulnerability known as React2Shell (CVE-2025-55182) and download a Python kit that, in turn, served to launch an XMRig miner. Darktrace explains how a single prompting session allowed an attacker to produce an operational framework capable of compromising dozens of hosts.

In parallel, there are scanning and exploitation tools, such as the one catalogued by WhoisXML API under the name ILOVEPOOP, that gather information on systems exposed to React2Shell and seek to prepare the ground for mass campaigns. The WhoisXML analysis also suggests a division of labour: expert teams would have developed the toolkit, and less sophisticated operators would have deployed it in large-scale sweeps, committing operational errors that honeypot systems could detect. The report can be read at WhoisXML API.

The use of advanced language models or toolkits does not make the attack new in terms of its end goal, obtaining compute power for mining, but it does lower the technical barrier for less skilled actors and accelerates the development and deployment chain. The result is a more accessible and scalable threat.

For users and IT teams this carries two immediate lessons. First, avoid pirated software at all costs: beyond the legal issues, unofficial installers are one of the simplest vectors for malware to get in. Second, close off the exploitable technical vectors: keep systems and drivers up to date, block automatic execution from removable media, monitor for CPU usage spikes and deploy EDR solutions that can identify mining behaviour and sideloading techniques.


To dig deeper, Trellix's technical analysis provides a detailed breakdown of the infection flow and the binary's capabilities, and is recommended reading for incident response teams: Trellix report. To understand the context of AI-assisted automated operations, the Darktrace report provides practical examples and warnings about the use of LLMs by malicious actors. And if you want context on the component exploited to escalate privileges, the vulnerability entry in the NVD clarifies the technical problem behind the vulnerable driver: CVE-2020-14979.

Finally, although the money produced by each cryptomining operation may be modest, adding up hundreds or thousands of compromised machines yields a very cost-effective botnet for the attackers. The lesson is clear: the basic defences (patching, controls on removable media, download policies and observability) remain the most effective way to cut off this type of campaign before it causes greater damage.

If you manage critical systems, it is worth verifying that there are no signs of XMRig processes running (the official project is hosted on GitHub), reviewing startup and service entries, and auditing the use of third-party drivers. In cybersecurity, prevention and early detection remain the best investment against threats that combine the old (human naivety and pirated software) with the new (automated exploitation and the use of AI).
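One way to run the checks this article recommends (the defensive list above and the closing advice to look for XMRig processes, startup and service entries and third-party drivers), as an added PowerShell triage example that is not from the article or from Trellix. The miner name list, the user-writable-path patterns and the registry value it expects are assumptions.

```powershell
# Added triage script: hunts for the indicators this article names on a Windows host.
# Not from the article or the Trellix report; $MinerNames and $UserWritable are assumptions.
function Invoke-MinerTriage {
    $ErrorActionPreference = 'SilentlyContinue'
    $Findings = @()

    # 1. The vulnerable WinRing0 driver (CVE-2020-14979): loaded as a kernel service or sitting on disk
    Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -match 'WinRing0' } |
        ForEach-Object { $Findings += "Driver service '$($_.Name)' ($($_.State)): $($_.PathName)" }
    Get-ChildItem "$env:SystemRoot\System32\drivers", $env:ProgramData, $env:TEMP -Recurse -Filter 'WinRing0*.sys' |
        ForEach-Object { $Findings += "Driver file on disk: $($_.FullName)" }

    # 2. Miner processes: known binary names (assumed list) or a mining-pool URL on the command line
    $MinerNames = @('xmrig', 'xmr-stak', 'minerd')
    Get-CimInstance Win32_Process | ForEach-Object {
        if ($MinerNames -contains ($_.Name -replace '\.exe$', '') -or $_.CommandLine -match 'stratum\+') {
            $Findings += "Miner-like process: $($_.Name) (PID $($_.ProcessId)) $($_.CommandLine)"
        }
    }

    # 3. DLL sideloading hosts: a System32 executable name running from outside the Windows directory
    $SystemBins = (Get-ChildItem "$env:SystemRoot\System32" -Filter '*.exe').Name
    Get-Process | Where-Object { $_.Path -and $_.Path -notlike "$env:SystemRoot\*" } | ForEach-Object {
        if ($SystemBins -contains "$($_.ProcessName).exe") {
            $Findings += "System binary running from non-system path (possible sideload host): $($_.Path)"
        }
    }

    # 4. AutoRun from removable media: NoDriveTypeAutoRun = 0xFF (255) disables it for every drive type
    $Pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name NoDriveTypeAutoRun
    if (-not $Pol -or $Pol.NoDriveTypeAutoRun -ne 255) {
        $Findings += "AutoRun not fully disabled (NoDriveTypeAutoRun=$($Pol.NoDriveTypeAutoRun), expected 255)"
    }

    # 5. Persistence: Run keys and scheduled tasks that launch from user-writable directories
    $UserWritable = 'AppData|ProgramData|\\Temp\\|\\Users\\Public'
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $UserWritable } |
            ForEach-Object { $Findings += "Run key entry: $k\$($_.Name) = $($_.Value)" }
    }
    Get-ScheduledTask | Where-Object { $_.Actions.Execute -match $UserWritable } |
        ForEach-Object { $Findings += "Scheduled task '$($_.TaskName)' runs $($_.Actions.Execute)" }

    return $Findings
}
$Results = Invoke-MinerTriage
if ($Results.Count -eq 0) { 'No indicators found.' } else { $Results | ForEach-Object { "[!] $_" } }
```

Run it from an elevated prompt so that driver and process command-line data are readable; each finding is a lead for review, not a confirmed infection.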
