- Kaspersky uncovered a cryptocurrency mining malware campaign targeting Russian users by disguising malware as internet restriction bypass tools.
- Over 2,000 victims were identified, with the malicious archive downloaded more than 40,000 times from the fake site gitrok[.]com.
- Attackers used blackmail tactics against YouTubers and manipulated social media channels to spread SilentCryptoMiner, which uses process hollowing to inject mining code into system processes.
Russian internet users have become targets of a sophisticated cryptocurrency mining operation, according to security researchers. Kaspersky has identified a widespread malware campaign distributing SilentCryptoMiner malware disguised as tools that help bypass internet restrictions, specifically targeting Russian users looking to circumvent online limitations.
The campaign was discovered during Kaspersky’s investigation into the increasing abuse of Windows Packet Divert (WPD) tools by cybercriminals. Attackers distribute the malware in compressed archives with fake installation instructions that convince users to disable their security software, allowing the malicious code to execute undetected.
This social engineering technique has proven effective in deploying various malware families including NJRat, XWorm, Phemedrone, and DCRat. However, this particular campaign focuses specifically on cryptocurrency mining malware.
The attackers modified a popular GitHub tool, creating a malicious version that has already infected at least 2,000 Russian users. The true infection count could be significantly higher. In one case, a YouTube creator with 60,000 subscribers inadvertently helped spread the malware by including a link to the malicious archive in videos that accumulated 400,000 views before the link was removed.
Distribution channels for the malware included the fake website gitrok[.]com, where the infected archive was downloaded over 40,000 times. The attackers employed aggressive tactics, including blackmailing YouTubers with false copyright strike claims, threatening to shut down their channels unless they posted videos containing malicious links.
By December 2024, additional versions of the miner-infected tools were being distributed through both Telegram channels and YouTube accounts, including one with 340,000 subscribers.
The technical analysis revealed a multi-stage infection process. The malicious archives contained an additional executable with a modified start script designed to trick victims into disabling their antivirus protection. The first-stage malware consists of a Python-based loader packed with PyInstaller and sometimes obfuscated with PyArmor, which fetches a second-stage payload from hardcoded domains and executes it as t.py in a temporary folder. Notably, the payload was only accessible from Russian IP addresses, confirming the targeted nature of the campaign.
“The downloaded di.exe is a SilentCryptoMiner sample based on the open-source miner XMRig. This is a covert miner able to mine multiple cryptocurrencies (ETH, ETC, XMR, RTM and others) using various algorithms. For stealth, SilentCryptoMiner employs process hollowing to inject the miner code into a system process (in this case, dwm.exe),” explains the report published by Kaspersky.
SilentCryptoMiner includes several sophisticated features to avoid detection. It can pause mining operations when specific monitoring processes are running, verify it’s not executing in a virtualized environment, and check its file size to ensure it was launched by the intended loader. The malware’s configuration is Base64-encoded and AES-CBC encrypted, with updates fetched every 100 minutes from Pastebin.
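The chain described in the two paragraphs above (a loader dropping t.py in a temp folder, miner code hollowed into dwm.exe, a Pastebin configuration refresh every 100 minutes) gives a defender three concrete telemetry signals. The following is an added example, not code from Kaspersky or from the article: three heuristics run over constructed Sysmon-style process and network events. The field names, the sample events and the assumption that winlogon.exe is the expected parent of dwm.exe are mine.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs); the field names are an
# assumption modelled on Sysmon process-create and network-connect events.
EVENTS = [
    {"type": "process", "pid": 1001, "image": r"C:\Windows\System32\dwm.exe",
     "parent": "winlogon.exe", "cmdline": "dwm.exe"},
    {"type": "process", "pid": 1002, "image": r"C:\Windows\System32\dwm.exe",
     "parent": "di.exe", "cmdline": "dwm.exe"},
    {"type": "process", "pid": 1003, "image": r"C:\Python311\python.exe",
     "parent": "bypass_tool.exe",
     "cmdline": r"python.exe C:\Users\user\AppData\Local\Temp\t.py"},
    {"type": "network", "pid": 1002, "dest": "pastebin.com", "ts": 0},
    {"type": "network", "pid": 1002, "dest": "pastebin.com", "ts": 6000},
    {"type": "network", "pid": 1002, "dest": "pastebin.com", "ts": 12000},
    {"type": "network", "pid": 1001, "dest": "localhost", "ts": 10},
]

TEMP_SCRIPT = re.compile(r"\\temp\\t\.py$", re.IGNORECASE)

def suspicious_dwm(events):
    """dwm.exe is normally started by winlogon.exe (assumed here); a copy
    with any other parent is a process-hollowing candidate."""
    return [e["pid"] for e in events if e["type"] == "process"
            and e["image"].lower().endswith("\\dwm.exe")
            and e["parent"].lower() != "winlogon.exe"]

def temp_stage_script(events):
    """The second stage is written to a temp folder and run as t.py."""
    return [e["pid"] for e in events if e["type"] == "process"
            and TEMP_SCRIPT.search(e.get("cmdline", ""))]

def periodic_pastebin(events, period=100 * 60, tolerance=300):
    """Flag pids that contact pastebin.com at a steady ~100-minute cadence,
    matching the miner's configuration refresh interval."""
    seen = defaultdict(list)
    for e in events:
        if e["type"] == "network" and e["dest"] == "pastebin.com":
            seen[e["pid"]].append(e["ts"])
    hits = []
    for pid, ts in seen.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if gaps and all(abs(g - period) <= tolerance for g in gaps):
            hits.append(pid)
    return hits

def findings(events=EVENTS):
    return {"hollowed_dwm": suspicious_dwm(events),
            "temp_t_py": temp_stage_script(events),
            "pastebin_beacon": periodic_pastebin(events)}
```

Each rule alone is noisy on a real fleet; the value is in correlating them on one host, as the sample does for pid 1002.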
“The topic of restriction bypass tools is being actively exploited to distribute malware. The above campaign limited itself to distributing a miner, but threat actors could start to use this vector for more complex attacks, including data theft and downloading other malware. This underscores once again that, while such tools may look enticing, they pose a serious threat to user data security,” concludes the Kaspersky report.
While this campaign appears to focus exclusively on Russian users, it demonstrates the evolving tactics of cryptocurrency mining malware distributors, who increasingly leverage legitimate-seeming tools and social media manipulation to deploy their payloads.