Cybersecurity researchers have disclosed a new, sophisticated cryptojacking campaign that uses pirated software as a lure. The operation deploys a custom XMRig cryptocurrency miner on compromised systems, employing a wormable spreading mechanism, a driver-based exploit, and a time-based logic bomb to maximize illicit profits.
Campaign Mechanics and Infection Chain
The campaign begins with malicious actors distributing trojanized installers for popular pirated software, including games and productivity tools. When a user executes the installer, a multi-stage infection process is initiated. The initial dropper is responsible for establishing persistence on the host and downloading the next stage of malware.
This subsequent payload includes a Bring Your Own Vulnerable Driver (BYOVD) exploit. This technique involves delivering a legitimate but outdated and vulnerable driver file to the target system. The attackers then exploit the driver’s known security flaws to gain kernel-level privileges, which they use to disable security software and obtain deeper access to the system.
Wormable Spreading and Evasion
A key feature of this campaign is its wormable capability. Once a machine is infected, the malware scans the local network for other vulnerable Windows systems to infect, attempting to propagate laterally without user interaction. This significantly increases the campaign’s reach within corporate or home networks.
Further analysis revealed the use of a time-based logic bomb within the malware’s code. This component ensures the cryptocurrency mining operation only activates during specific hours, likely to avoid detection by users who might notice system slowdowns during their active working periods. The primary payload is a customized version of the XMRig miner, configured to mine Monero (XMR).
Impact and Sophistication
Researchers note that the entire infection chain prioritizes achieving the maximum possible mining hashrate. The combination of privilege escalation via BYOVD, disabling security tools, and careful timing of mining activity demonstrates a high degree of planning. This often results in significant system performance degradation and instability for the victim, as computing resources are hijacked for the attackers’ financial gain.
The use of pirated software bundles as an initial vector is a common and effective social engineering tactic, capitalizing on users seeking to avoid licensing fees. The campaign’s operators have shown a clear focus on operational security and persistence to ensure long-term, profitable mining operations.
Industry Response and Mitigation
Security firms are releasing indicators of compromise (IOCs) and detection signatures to help organizations identify and block this threat. The disclosure highlights the ongoing evolution of cryptojacking schemes, which are becoming more stealthy and destructive. Experts recommend that users obtain software only from official vendors and maintain updated security solutions with behavioral detection capabilities to guard against driver-based exploits.
Looking ahead, researchers anticipate that the actors behind this campaign will continue to modify their tactics. Law enforcement and cybersecurity agencies are expected to monitor for new variants and may attempt to disrupt the campaign’s command-and-control infrastructure. Organizations are advised to review endpoint detection logs for signs of suspicious driver loads and unexpected network scanning activity originating from internal hosts.
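The log review recommended above, as an added example that is not part of the research disclosures this article summarises: a small Python detector run over constructed EDR-style log lines that flags kernel driver loads from outside the system driver directory (or matching a placeholder vulnerable-driver hash list) and internal hosts that reach many peers on RPC/SMB/RDP ports within one minute. The log format, host names, paths and hash values are all assumptions invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder, not a real indicator: the vendor-published hash list would go here.
KNOWN_VULNERABLE_SHA256 = {"PLACEHOLDER_SHA256_OF_VULNERABLE_DRIVER"}
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
LATERAL_PORTS = {135, 445, 3389}  # RPC/SMB/RDP: the usual targets of internal scanning

def parse_line(line):
    """'<ISO time> <host> <event> key=value ...' -> dict, or None for a malformed line."""
    parts = line.split()
    if len(parts) < 3:
        return None
    ev = {"time": datetime.fromisoformat(parts[0]), "host": parts[1], "event": parts[2]}
    for tok in parts[3:]:
        key, _, val = tok.partition("=")
        ev[key] = val
    return ev

def suspicious_driver_loads(events):
    """Driver loads from outside the system driver directory, or with a known-vulnerable hash."""
    return [(ev["host"], ev["path"]) for ev in events if ev["event"] == "DRIVER_LOAD"
            and (ev.get("sha256") in KNOWN_VULNERABLE_SHA256
                 or not ev.get("path", "").lower().startswith(TRUSTED_DRIVER_DIR))]

def scanning_hosts(events, window_s=60, threshold=10):
    """Hosts reaching >= threshold distinct peers on lateral-movement ports within window_s seconds."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["event"] == "NET_CONNECT" and int(ev.get("dport", 0)) in LATERAL_PORTS:
            per_host[ev["host"]].append((ev["time"], ev["dst"]))
    flagged = {}
    for host, conns in per_host.items():
        conns.sort()
        for i, (t, _) in enumerate(conns):  # distinct peers in the window ending at this connection
            peers = {d for u, d in conns[: i + 1] if t - u <= timedelta(seconds=window_s)}
            if len(peers) >= threshold:
                flagged[host] = max(flagged.get(host, 0), len(peers))
    return flagged

# Constructed sample telemetry (not real IoCs): WS-17 loads a driver from a user-writable
# directory, then fans out to twelve SMB peers in one minute; WS-02 is ordinary traffic.
SAMPLE_LOG = [
    "2024-05-01T02:03:10 WS-17 DRIVER_LOAD path=C:\\Users\\Public\\oemdrv.sys sha256=PLACEHOLDER_HASH_A",
    "2024-05-01T02:03:12 WS-17 DRIVER_LOAD path=C:\\Windows\\System32\\drivers\\disk.sys sha256=PLACEHOLDER_HASH_B",
    "2024-05-01T02:05:00 WS-02 NET_CONNECT dst=10.0.0.5 dport=445",
] + [f"2024-05-01T02:04:{i:02d} WS-17 NET_CONNECT dst=10.0.0.{i} dport=445" for i in range(1, 13)]
EVENTS = [ev for ev in map(parse_line, SAMPLE_LOG) if ev]
```

Running `suspicious_driver_loads(EVENTS)` and `scanning_hosts(EVENTS)` flags only WS-17 on both rules; the thresholds are starting points to tune against a baseline of normal driver installs and legitimate scanners such as vulnerability assessment hosts.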
Source: Adapted from cybersecurity research disclosures.