Researchers have identified a new cryptojacking operation that uses pirated software bundles to infect systems with a customized XMRig miner. This sophisticated malware uses modular components to maximize mining efficiency and can spread through external drives to reach even air-gapped systems.
Security experts recently discovered a complex malware campaign that targets users looking for free versions of premium productivity software. These pirated installers act as a front for a multi-stage infection process designed to hijack computer resources for cryptocurrency mining. Once the malicious executable is launched, it functions as a comprehensive manager that handles everything from initial installation to long-term monitoring and eventual self-deletion.
The malware is built with a highly flexible architecture that allows it to change its behavior based on specific command-line arguments. In its initial phase, the program validates the system environment to ensure it can run without interference. Once established, it deploys the primary mining payload and enters a watchdog mode, which allows it to automatically restart the mining process if the user or antivirus software attempts to terminate it.
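As an added defender-side example (not code from the article or from the analysts it cites), the check below flags the watchdog behaviour described above: a parent process that re-launches the same child image within seconds of each termination, which is unusual for normal software. The event format, file paths, PIDs and timings are constructed for illustration.

```python
"""Flag watchdog-style respawning from process start/stop events.

Constructed sample data, modelled on Sysmon-like process creation and
termination records; not taken from the campaign described in the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed paths (assumptions, not indicators from the article).
LAUNCHER = r"C:\Users\u\AppData\Roaming\svc\updater.exe"
MINER = r"C:\Users\u\AppData\Roaming\svc\miner.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"

# (timestamp, event, pid, ppid, image) -- constructed sample events.
SAMPLE_EVENTS = [
    ("2025-06-01T10:00:00", "start", 4000, 3990, LAUNCHER),
    ("2025-06-01T10:00:01", "start", 4100, 4000, MINER),
    ("2025-06-01T10:05:00", "stop",  4100, 4000, MINER),   # user kills miner
    ("2025-06-01T10:05:02", "start", 4180, 4000, MINER),   # parent restarts it
    ("2025-06-01T10:07:00", "stop",  4180, 4000, MINER),
    ("2025-06-01T10:07:01", "start", 4230, 4000, MINER),
    ("2025-06-01T10:09:00", "stop",  4230, 4000, MINER),
    ("2025-06-01T10:09:03", "start", 4300, 4000, MINER),
    ("2025-06-01T10:10:00", "stop",  5000, 1200, NOTEPAD), # benign: closed
    ("2025-06-01T10:11:00", "start", 5050, 1200, NOTEPAD), # benign: reopened
]


def find_watchdog_respawns(events, max_gap_seconds=10, min_respawns=2):
    """Return {(ppid, image): respawn_count} for every parent/image pair where
    the parent started the same image within max_gap_seconds of that image's
    most recent termination at least min_respawns times."""
    last_stop = {}                 # (ppid, image) -> time of last termination
    respawns = defaultdict(int)
    for ts, kind, _pid, ppid, image in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        key = (ppid, image.lower())
        if kind == "stop":
            last_stop[key] = t
        elif kind == "start" and key in last_stop:
            if t - last_stop[key] <= timedelta(seconds=max_gap_seconds):
                respawns[key] += 1
    return {k: v for k, v in respawns.items() if v >= min_respawns}


if __name__ == "__main__":
    for (ppid, image), n in find_watchdog_respawns(SAMPLE_EVENTS).items():
        print(f"parent {ppid} respawned {image} {n} times within seconds")
```

The notepad events are deliberately ignored because a minute passes between close and reopen; tune `max_gap_seconds` and `min_respawns` to your environment before alerting on real telemetry.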
Beyond its mining capabilities, the software is designed to move laterally across networks and physical devices. By infecting external storage drives, the malware can jump from one computer to another, potentially bypassing the security measures of isolated or air-gapped environments. This worm-like behavior ensures the infection spreads far beyond the initial download, increasing the total processing power available to the attackers.
A unique feature of this specific campaign is the inclusion of a logic bomb tied to a hardcoded expiration date. The malware constantly checks the system time against a deadline of December 23, 2025. If the current date is before this mark, the malware continues its aggressive mining and persistence routines. However, once that date passes, the software is programmed to trigger a self-destruct sequence that removes all traces of the infection from the host machine.
Analysts believe this fixed deadline reflects the operational lifecycle of the attackers’ infrastructure. It is likely that the date corresponds with the expiration of their command-and-control servers or a planned transition to a more advanced version of the malware. By automating the cleanup process, the attackers reduce the risk of long-term detection and forensic analysis after the campaign has reached its peak utility.
Source: Wormable XMRig Campaign Deploys BYOVD Exploit And Time-Based Logic Bomb