New cryptojacking campaign uses pirated software to deploy XMRig miner

Cybersecurity researchers at Trellix have disclosed details of a new cryptojacking campaign that leverages pirated software bundles to deploy a customized XMRig miner on compromised systems, combining social engineering with worm-like propagation and kernel-level exploitation.

According to Trellix, the attack begins with social engineering lures promoting free premium software, including pirated office productivity suite installers. Unsuspecting users who download and execute the trojanized bundles inadvertently launch a malware-laced binary that acts as installer, watchdog, payload manager, and cleaner. The malware contains a logic bomb tied to a hardcoded deadline of December 23, 2025. Researchers believe this date may correspond to the expiration of rented command-and-control (C&C) infrastructure, anticipated cryptocurrency market shifts, or a planned migration to a new malware variant.

The dropper writes multiple components to disk, including a legitimate Windows Telemetry service executable used to sideload a malicious miner DLL. It also deploys persistence mechanisms, terminates security tools, and executes the miner with elevated privileges using a legitimate, vulnerable driver (WinRing0x64.sys) in a bring-your-own-vulnerable-driver (BYOVD) attack.

The driver flaw, tracked as CVE-2020-14979, enables privilege escalation. By integrating the exploit directly into the XMRig miner, attackers gain low-level control over CPU configurations, boosting RandomX mining performance by an estimated 15% to 50%.
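A defender's check for the BYOVD step described above, added here as an example and not part of the Trellix report: a PowerShell function that hunts a Windows host for the WinRing0x64.sys driver, both as a registered kernel driver and as a file on disk, and records hash and signer details for triage. The scan folders and the output fields are assumptions chosen for illustration.

```powershell
# Added example, not code from the campaign write-up. Hunts for the vulnerable
# WinRing0x64.sys driver (CVE-2020-14979) that the page says is abused for BYOVD.
function Find-WinRing0Driver {
    [CmdletBinding()]
    param(
        # Driver file name taken from the page; no other names are claimed here
        [string]$DriverName = 'WinRing0x64.sys',
        # Folders to scan on disk (assumed, typical drop locations)
        [string[]]$ScanRoots = @("$env:SystemRoot\System32\drivers", "$env:ProgramData", "$env:TEMP")
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Registered kernel drivers whose image path references the driver
    Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.PathName -like "*$DriverName*" } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Source    = 'RegisteredDriver'
                Name      = $_.Name
                Path      = $_.PathName
                State     = $_.State
                StartMode = $_.StartMode
            })
        }

    # 2. Copies of the file on disk, with SHA-256 and Authenticode details for triage
    foreach ($root in $ScanRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Filter $DriverName -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $findings.Add([pscustomobject]@{
                    Source          = 'FileOnDisk'
                    Name            = $_.Name
                    Path            = $_.FullName
                    SHA256          = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Signer          = $sig.SignerCertificate.Subject
                    SignatureStatus = $sig.Status
                })
            }
    }
    return $findings
}

# Run elevated so driver paths and protected folders are readable.
Find-WinRing0Driver | Format-List
```

A hit is not proof of compromise by itself, since some legitimate hardware-monitoring software ships this driver; treat any copy on a host that has no such software installed as a lead to investigate alongside the other indicators described above (the sideloaded miner DLL and the telemetry executable used to load it).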

The malware also attempts to propagate via removable media, which lets it reach air-gapped environments.

“This campaign serves as a potent reminder that commodity malware continues to innovate. By chaining together social engineering, legitimate software masquerades, worm-like propagation, and kernel-level exploitation, the attackers have created a resilient and highly efficient botnet,” the researchers said.