BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Russian Users Targeted by SilentCryptoMiner Disguised as Internet Restriction Bypass Tool

Large-scale cryptocurrency miner campaign targets Russian users with SilentCryptoMiner

  • Kaspersky uncovered a cryptocurrency mining Malware campaign targeting Russian users by disguising malware as internet restriction bypass tools.
  • Over 2,000 victims were identified, with the malicious archive downloaded more than 40,000 times from the fake site gitrok[.]com.
  • Attackers used blackmail tactics against YouTubers and manipulated social media channels to spread SilentCryptoMiner, which uses process hollowing to inject mining code into system processes.

Russian internet users have become targets of a sophisticated cryptocurrency mining operation, according to security researchers. Kaspersky has identified a widespread malware campaign distributing SilentCryptoMiner malware disguised as tools that help bypass internet restrictions, specifically targeting Russian users looking to circumvent online limitations.

- Advertisement -

The campaign was discovered during Kaspersky’s investigation into the increasing abuse of Windows Packet Divert (WPD) tools by cybercriminals. Attackers distribute the malware in compressed archives with fake installation instructions that convince users to disable their security software, allowing the malicious code to execute undetected.

This social engineering technique has proven effective in deploying various malware families including NJRat, XWorm, Phemedrone, and DCRat. However, this particular campaign focuses specifically on cryptocurrency mining malware.

The attackers modified a popular GitHub tool, creating a malicious version that has already infected at least 2,000 Russian users. The true infection count could be significantly higher. In one case, a YouTube creator with 60,000 subscribers inadvertently helped spread the malware by including a link to the malicious archive in videos that accumulated 400,000 views before the link was removed.

Distribution channels for the malware included the fake website gitrok[.]com, where the infected archive was downloaded over 40,000 times. The attackers employed aggressive tactics, including blackmailing YouTubers with false copyright strike claims, threatening to shut down their channels unless they posted videos containing malicious links.

- Advertisement -

By December 2024, additional versions of the miner-infected tools were being distributed through both Telegram channels and YouTube accounts, including one with 340,000 subscribers.

The technical analysis revealed a multi-stage infection process. The malicious archives contained an additional executable with a modified start script designed to trick victims into disabling their antivirus protection. The first-stage malware consists of a Python-based loader packed with PyInstaller and sometimes obfuscated with PyArmor, which fetches a second-stage payload from hardcoded domains and executes it as t.py in a temporary folder. Notably, the payload was only accessible from Russian IP addresses, confirming the targeted nature of the campaign.

“The downloaded di.exe is a SilentCryptoMiner sample based on the open-source miner XMRig. This is a covert miner able to mine multiple cryptocurrencies (ETH, ETC, XMR, RTM and others) using various algorithms. For stealth, SilentCryptoMiner employs process hollowing to inject the miner code into a system process (in this case, dwm.exe),” explains the report published by Kaspersky.

SilentCryptoMiner includes several sophisticated features to avoid detection. It can pause mining operations when specific monitoring processes are running, verify it’s not executing in a virtualized environment, and check its file size to ensure it was launched by the intended loader. The malware’s configuration is Base64-encoded and AES-CBC encrypted, with updates fetched every 100 minutes from Pastebin.

“The topic of restriction bypass tools is being actively exploited to distribute malware. The above campaign limited itself to distributing a miner, but threat actors could start to use this vector for more complex attacks, including data theft and downloading other malware. This underscores once again that, while such tools may look enticing, they pose a serious threat to user data security,” concludes the Kaspersky report.

While this campaign appears to focus exclusively on Russian users, it demonstrates the evolving tactics of cryptocurrency mining malware distributors, who increasingly leverage legitimate-seeming tools and social media manipulation to deploy their payloads.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Apple Stock Nears $323 Target Amid Rally Momentum

Apple stock trades above key moving averages, signaling strength toward the $323.35 target rangeTechnical...

France orders Polymarket block over illegal gambling

France’s National Gambling Authority (ANJ) ordered ISPs to block Polymarket, deeming prediction markets illegal...

ChartUp Solana Volume Bot: An All-in-One Toolkit Review

Solana teams often assemble testing workflows from unrelated scripts, wallets, dashboards, and venue-specific services....

ChartUp Solana Volume Booster: Random Trade Size Tests

A private Solana test becomes less informative when every swap repeats the same value....

WordPress core hit by zero-click RCE bug, patch now live

WordPress patched a pre-authentication remote code execution flaw in versions 6.9.5 and 7.0.2 on...

Must Read

The 10 Best Crypto Podcasts You Can’t Miss

Table of ContentsBest Cryptocurrency Podcasts To Add To Your Playing List1. The Money Movement2. The Crypto Conversation3. The Pomp Podcast4. What Bitcoin Did5. The...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading