Cybersecurity researchers have revealed details of a new cryptojacking campaign that uses pirated software bundles as bait to deploy a custom XMRig miner on compromised hosts.
“Analysis of the recovered droppers, persistence triggers, and mining payloads reveals a sophisticated, multi-stage infection that prioritizes maximum cryptocurrency mining hashrate, often destabilizing the victim system,” Trellix researcher Ashwath A. said in a technical report published last week.
“In addition, the malware exhibits worm-like capabilities, spreading to external storage devices, enabling lateral movement even in air-gapped environments.”
The entry point of the attack is social engineering: decoys advertising premium software for free as pirated software bundles, such as installers for office productivity suites, trick users into downloading malware-laden executables.
The binary acts as the central nervous system of the infection, playing the roles of installer, watchdog, payload manager, and cleaner to oversee the different stages of the attack lifecycle. It has a modular design that separates the monitoring features from the main payload responsible for cryptocurrency mining, privilege escalation, and persistence, so that a terminated component can be relaunched.
This flexibility, or mode switching, is achieved through command-line arguments –
- No parameters for environment validation and migration during the initial installation phase.
- 002 Re:0, to drop the main payload, start the miner, and enter the monitoring loop.
- 016, to restart the miner if it crashes.
- Barusu, to initiate a self-destruct sequence by terminating all malware components and deleting files.
Present within the malware is a logic bomb that operates by retrieving the local system time and comparing it with a predefined timestamp –
- If it is before December 23, 2025, the malware proceeds with installing the persistence module and launching the miner.
- If it is after December 23, 2025, the binary is launched with the “Barusu” argument, resulting in a “controlled decommissioning” of the infection.
The hard deadline of December 23, 2025 indicates that the campaign was not designed to run indefinitely on compromised systems, with the date marking either the end of surrogate command-and-control (C2) infrastructure, an anticipated shift in the cryptocurrency market, or a planned move to a new malware variant, Trellix said.
| Caption – Overall File List |
During the standard infection routine, the binary, which acts as a “self-contained carrier” for all malicious payloads, writes various components to disk, including a legitimate Windows Telemetry Service executable that is used to sideload miner DLLs.
Files are also dropped to ensure persistence, disable security tools, and run the miner with elevated privileges using a legitimate but flawed driver (“WinRing0x64.sys”), a technique known as Bring Your Own Vulnerable Driver (BYOVD). The driver is affected by a privilege-escalation flaw tracked as CVE-2020-14979 (CVSS score: 7.8).
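The report's indicators lend themselves to a simple host-telemetry check. The following is an added illustration, not code from Trellix or from the article: it parses a constructed, simplified process-creation and driver-load log (the `key=value` format, file paths and timestamps are assumptions, not real telemetry) and flags the mode-switch arguments named above, a “Barusu” launch on or after the December 23, 2025 deadline, and any load of the WinRing0x64.sys driver. The generic-looking “016” argument is matched only as a whole command-line token, which is still a weak signal on its own.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Indicators taken from the Trellix findings summarized in the article.
SUSPICIOUS_ARGS = {"Barusu", "016"}
BYOVD_DRIVER = "winring0x64.sys"
LOGIC_BOMB_DATE = datetime(2025, 12, 23)


@dataclass
class Finding:
    line_no: int
    reason: str


# Constructed sample log in a simplified Sysmon-like "key=value" format.
# Paths, hostnames and times are invented for the example.
SAMPLE_LOG = """\
2025-12-08T10:01:02Z event=ProcessCreate image=C:\\Users\\u\\Downloads\\OfficeSetup.exe cmdline="OfficeSetup.exe"
2025-12-08T10:01:05Z event=ProcessCreate image=C:\\ProgramData\\svc\\svc.exe cmdline="svc.exe 016"
2025-12-08T10:01:06Z event=DriverLoad image=C:\\ProgramData\\svc\\WinRing0x64.sys signed=true
2025-12-08T10:02:00Z event=ProcessCreate image=C:\\Windows\\System32\\notepad.exe cmdline="notepad.exe readme.txt"
2025-12-24T09:00:00Z event=ProcessCreate image=C:\\ProgramData\\svc\\svc.exe cmdline="svc.exe Barusu"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) event=(?P<event>\S+) image=(?P<image>\S+)'
    r'(?: cmdline="(?P<cmdline>[^"]*)")?'
)


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def check_event(ev):
    """Return the list of reasons this event is suspicious (empty if none)."""
    reasons = []
    if ev["event"] == "ProcessCreate" and ev["cmdline"]:
        # Arguments after the image name, matched as whole tokens only.
        args = ev["cmdline"].split()[1:]
        hits = SUSPICIOUS_ARGS.intersection(args)
        if hits:
            reasons.append(f"mode-switch argument {sorted(hits)}")
            # A self-destruct launch after the deadline matches the logic bomb.
            if "Barusu" in hits and ev["ts"] >= LOGIC_BOMB_DATE:
                reasons.append("self-destruct after logic-bomb deadline")
    if ev["event"] == "DriverLoad" and ev["image"].lower().endswith(BYOVD_DRIVER):
        reasons.append("BYOVD driver load (CVE-2020-14979)")
    return reasons


def scan_log(text):
    """Scan a log blob line by line and collect findings with line numbers."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        ev = parse_line(line)
        if ev is None:
            continue
        for reason in check_event(ev):
            findings.append(Finding(n, reason))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
```

Run against the constructed sample, the scanner reports the “016” launch, the WinRing0x64.sys load and both findings for the post-deadline “Barusu” launch, while the office installer and notepad lines pass. In a real deployment the driver-load check is the strongest of the three signals, since a signed WinRing0 driver appearing on a host that has no hardware-monitoring software is hard to explain benignly.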
The integration of this exploit into the
“A distinguishing feature of this XMRig variant is its aggressive proliferation capabilities,” Trellix said. “It does not simply rely on the user downloading the dropper; it actively attempts to spread to other systems via removable media. This transforms the malware from a simple Trojan into a worm.”
Evidence suggests that mining activity occurred sporadically throughout November 2025, before accelerating on December 8, 2025.
“This campaign serves as a powerful reminder that commodity malware is constantly innovating,” the cybersecurity company concluded. “By combining social engineering, legitimate software disguise, worm-like propagation, and kernel-level exploitation, the attackers have created a resilient and highly efficient botnet.”
| Caption – A “circular watchdog” topology to ensure persistence |
The disclosure comes as Darktrace said it has identified a malware artifact generated using a large language model (LLM) that exploits the React2Shell vulnerability (CVE-2025-55182, CVSS score: 10.0) to download a Python toolkit, which in turn drops the XMRig miner by running a shell command.
“Although the amount of money generated by the attacker in this case is relatively small, and cryptomining is far from a new technology, this campaign is proof that AI-based LLM has made cybercrime more accessible than ever before,” said researchers Nathaniel Bill and Nathaniel Jones.
“A single stimulation session with a model was enough for this attacker to create a working exploit framework and compromise over ninety hosts, demonstrating that the operational value of AI to adversaries should not be underestimated.”
According to WhoisXML API, the attackers are still using a toolkit called ILOVEPOOP to scan for exposed systems vulnerable to React2Shell, possibly in an effort to lay the groundwork for future attacks. The scanning activity has specifically targeted government, defense, finance, and industrial organizations in the US.
“What makes ILOVEPOOP unusual is the mismatch between the way it was constructed and the way it is used,” said Alex Ronquillo, vice president of product at WhoisXML API. “The code itself reflects expert-level knowledge of React Server components internals and employs attack techniques not found in any other documented React2Shell kit.”
“But the people who deployed it made basic operational mistakes when interacting with the WhoisXML API’s honeypot monitoring system – errors that a sophisticated attacker would typically avoid. In practice, this difference points to a division of labor.”
“We’re probably looking at two distinct groups: one that created the tool and another that is using it. We see this pattern in state-sponsored operations – a competent team develops the tooling, then hands it off to operators running large-scale scanning campaigns. Operators don’t need to understand how the tool works – they just need to run it.”