A new cryptojacking campaign has been uncovered that spreads through pirated software bundles and deploys a custom XMRig miner on infected systems. Cybersecurity researchers said the operation uses a multi-stage infection chain designed to maximize cryptocurrency mining output, even at the cost of system stability. “Analysis of the recovered dropper, persistence triggers, and mining payload reveals a sophisticated, multi-stage infection prioritizing maximum cryptocurrency mining hashrate, often destabilizing the victim system,” a researcher said. The malware also shows worm-like behavior, allowing it to spread via external storage devices, including into air-gapped environments.
The attack begins with social engineering lures offering free premium software, such as pirated office productivity installers. Once downloaded, the malicious executable acts as the central control unit of the infection, working as installer, watchdog, payload manager and cleaner. The malware uses command-line arguments to switch modes: no parameter for early installation checks, “002 Re:0” to drop payloads and start mining, “016” to restart the miner if it has stopped, and “barusu” to trigger a self-destruct routine. A built-in logic bomb checks the system date. If the date is before December 23, 2025, it installs persistence and launches mining; if after December 23, 2025, it activates “barusu” for controlled removal.
During infection, the binary drops multiple components, including a legitimate Windows Telemetry service executable that is used to sideload the miner DLL. It establishes persistence, disables security tools and loads a vulnerable driver, “WinRing0x64.sys,” in a bring-your-own-vulnerable-driver (BYOVD) technique. The driver flaw, tracked as CVE-2020-14979 with a CVSS score of 7.8, enables privilege escalation, which the miner uses to increase RandomX mining performance by 15% to 50%. Mining activity was observed throughout November 2025, with a spike on December 8, 2025. “A distinguishing feature of this XMRig variant is its aggressive propagation capability,” researchers said, noting that it transforms from a Trojan into a worm.
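The indicators in the two paragraphs above (the dropper's mode switches, the sideloaded WinRing0x64.sys driver and the December 23, 2025 logic-bomb date) are the kind a responder would turn into triage rules. The following Python script is an added example, not code from the article or from the researchers; it runs over constructed sample events in a simplified, pipe-separated Sysmon-style format (event ID, image path, command line or signature status) that is an assumption of this example rather than any real log layout.

```python
"""Triage helper for the indicators described above: the dropper's mode
arguments ("002 Re:0", "016", "barusu"), loads of the vulnerable
WinRing0x64.sys driver, and the logic-bomb pivot date.  Input is a
simplified, constructed Sysmon-style line format, not real telemetry."""
import re
from datetime import date

# Mode switches the report says the dropper accepts on its command line.
MODE_ARGS = {
    "002 Re:0": "drop payloads and start mining",
    "016": "restart the miner",
    "barusu": "self-destruct / cleanup",
}
# Vulnerable driver abused for BYOVD (CVE-2020-14979); compared case-insensitively.
VULN_DRIVER = "winring0x64.sys"
# Date on which the logic bomb flips from installing to removing itself.
LOGIC_BOMB_DATE = date(2025, 12, 23)

# Constructed sample events: "<EventId>|<Image>|<CommandLine or SignatureStatus>".
# EventId 1 = process creation (third field is the command line),
# EventId 6 = driver loaded (second field is the driver path).
SAMPLE_EVENTS = [
    '1|C:\\Users\\u\\Downloads\\OfficeSetup.exe|"OfficeSetup.exe"',
    '1|C:\\Users\\u\\Downloads\\OfficeSetup.exe|"OfficeSetup.exe" 002 Re:0',
    '1|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt',
    '6|C:\\Users\\u\\AppData\\Local\\Temp\\WinRing0x64.sys|Valid',
    '1|C:\\Users\\u\\Downloads\\OfficeSetup.exe|"OfficeSetup.exe" 016',
    '6|C:\\Windows\\System32\\drivers\\tcpip.sys|Valid',
    '1|C:\\Users\\u\\Downloads\\OfficeSetup.exe|"OfficeSetup.exe" barusu',
]

# Matches the leading image token of a command line, quoted or not.
_FIRST_TOKEN = re.compile(r'^\s*("[^"]*"|\S+)\s*')


def parse_event(line):
    """Split one sample line into its three fields."""
    event_id, image, detail = line.split("|", 2)
    return {"event_id": int(event_id), "image": image, "detail": detail}


def mode_argument(command_line):
    """Return the dropper mode switch if the arguments are exactly one of MODE_ARGS.

    The image token is stripped first so "002 Re:0" (which contains a space)
    is matched as the whole argument string, not as a substring.  A bare
    launch with no arguments is deliberately not flagged: it is too noisy."""
    args = _FIRST_TOKEN.sub("", command_line, count=1).strip()
    return args if args in MODE_ARGS else None


def is_vulnerable_driver(image_path):
    """True when the loaded driver's file name is WinRing0x64.sys, wherever it sits."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower() == VULN_DRIVER


def scan(lines):
    """Return (line_index, rule, detail) for every event matching an indicator."""
    findings = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        if ev["event_id"] == 1:
            mode = mode_argument(ev["detail"])
            if mode:
                findings.append((idx, "dropper_mode_argument", MODE_ARGS[mode]))
        elif ev["event_id"] == 6 and is_vulnerable_driver(ev["image"]):
            findings.append((idx, "byovd_driver_load", ev["image"]))
    return findings


def expected_phase(today):
    """Which branch of the logic bomb a sample takes on a given clock date.

    Relevant when detonating in a sandbox: with the clock past the pivot date
    the binary runs the "barusu" cleanup instead of installing, so mining is
    never observed.  The report does not state behaviour on the pivot date
    itself; it is treated as cleanup here (an assumption)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return "install_and_mine" if today < LOGIC_BOMB_DATE else "self_destruct"


if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_EVENTS):
        print(f"line {idx}: {rule} -> {detail}")
    print("sandbox clock 2025-12-01:", expected_phase("2025-12-01"))
```

The argument match is exact rather than a substring search so that ordinary command lines containing "016" somewhere do not trip the rule; the driver check keys on the file name because the report says the driver is dropped alongside the other components rather than living in the system drivers directory.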
Separately, another campaign was observed exploiting the React2Shell vulnerability (CVE-2025-55182, CVSS 10.0) to deploy XMRig using a Python toolkit, possibly generated with a large language model (LLM). Researchers said, “AI-based LLMs have made cybercrime more accessible than ever,” after attackers compromised more than 90 hosts in a single prompting session. Meanwhile, a toolkit named ILOVEPOOP has scanned vulnerable systems in the U.S. government, defense, finance and industrial sectors. Experts noted a gap between the advanced code and the basic operational errors made in using it, suggesting that different groups built and deployed the tool.
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.