
XMRig cryptominer distributed via trojanised game torrents


A large-scale cyberattack campaign, dubbed StaryDobry, was launched on December 31, exploiting the season’s surge in torrent activity to distribute the XMRig cryptominer through trojanised versions of popular games. The attack persisted for a month and infected users worldwide, including in Russia, Brazil, Germany, Belarus, and Kazakhstan.

The cybercriminals behind the campaign used sophisticated techniques to evade detection. The malware was embedded in repackaged versions of games such as BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy, all distributed via torrent sites.

These malicious game installers were uploaded as early as September 2024, indicating a well-planned operation.

Once executed, the trojanised installer initiated a multi-stage infection chain to avoid antivirus detection. It first extracted and AES-decrypted its files, using various anti-debugging methods to evade analysis.

Researchers also discovered that the malware gathered system information, including machine ID, user details, and hardware specifications, which was then encoded and sent to the attackers’ command-and-control (C2) servers.

The malware is designed to adjust its behaviour dynamically depending on the victim’s system.

The infection process involved multiple layers. First, the dropper decrypted and extracted the malicious files while checking that the malware was not running in a controlled analysis environment. The decrypted payload disguised itself by mimicking legitimate Windows DLL files, complicating detection by security tools. The malware then connected to C2 servers to download additional payloads; it is at this stage that the XMRig miner came into play.

Furthermore, the attackers concealed the malware’s presence by modifying system registry entries, altering file timestamps, and mimicking legitimate Windows processes. For persistence, the malware uses scheduled tasks disguised as legitimate system processes, so that it keeps running even after a reboot.
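One way a defender can triage the persistence technique described above, as an added example that is not code from the original article or from the researchers: the heuristic flags scheduled tasks whose name imitates a Windows component but whose action runs a binary from outside the trusted system and Program Files directories. The task records, the name keywords and the trusted-prefix list are constructed assumptions for illustration, not indicators from the campaign.

```python
"""Flag scheduled tasks that impersonate Windows components.

Records mirror the TaskName / "Task To Run" columns of a verbose
`schtasks /query /fo CSV /v` export; the sample rows are constructed.
"""
import re

# Constructed sample records (not real campaign indicators).
SAMPLE_TASKS = [
    {"TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "Task To Run": r"%systemroot%\system32\usoclient.exe StartScan"},
    {"TaskName": r"\Microsoft\Windows\WindowsUpdate\svchost",
     "Task To Run": r"C:\Users\alice\AppData\Roaming\svchost.exe --silent"},
    {"TaskName": r"\MyBackupJob",
     "Task To Run": r"C:\Tools\backup.exe"},
    {"TaskName": r"\Windows Defender Verification",
     "Task To Run": r"C:\ProgramData\WinDefend\MsMpEng.exe"},
]

# Assumed heuristics: keywords a lure name tends to borrow, and the
# directories a genuine Microsoft task would normally execute from.
MIMIC_PATTERN = re.compile(r"microsoft|windows|defender|update|svchost|system", re.I)
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
EXE_PATTERN = re.compile(r'^"?([^"]+?\.exe)"?', re.I)   # path before any arguments
ENV_VARS = {"%systemroot%": "c:\\windows", "%windir%": "c:\\windows"}


def binary_path(task_to_run: str) -> str:
    """Extract the executable path from an action string, lowercased and with
    the common system environment variables expanded."""
    m = EXE_PATTERN.match(task_to_run.strip())
    path = (m.group(1) if m else task_to_run).lower()
    for var, value in ENV_VARS.items():
        path = path.replace(var, value)
    return path


def looks_like_windows_task(task_name: str) -> bool:
    return bool(MIMIC_PATTERN.search(task_name))


def runs_from_trusted_location(path: str) -> bool:
    return path.startswith(TRUSTED_PREFIXES)


def suspicious_tasks(tasks):
    """Return (TaskName, binary path) for tasks that borrow a Windows-looking
    name yet execute from a user-writable or otherwise untrusted location."""
    flagged = []
    for task in tasks:
        path = binary_path(task["Task To Run"])
        if looks_like_windows_task(task["TaskName"]) and not runs_from_trusted_location(path):
            flagged.append((task["TaskName"], path))
    return flagged
```

Running `suspicious_tasks(SAMPLE_TASKS)` flags the two tasks that run from AppData and ProgramData; a task name containing these keywords is not proof of malice by itself, so flagged entries still need manual review of the binary.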

At the final stage, the altered version of XMRig Miner is installed. The miner is designed to run covertly in the background and to adjust its CPU usage dynamically based on the system configuration. Rather than a public pool, the miner connected to privately controlled mining infrastructure.

“There are no clear links between this campaign and any previously known crimeware actors, making attribution difficult. However, the use of Russian language in the PDB suggests the campaign may have been developed by a Russian-speaking actor,” researchers said.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
