Ethical Hacking News

Wormable XMRig Campaign Exploits Vulnerabilities for Stealthy Cryptojacking



A recently uncovered wormable cryptojacking campaign leverages vulnerabilities to deploy custom XMRig miners, utilizing a time-based kill switch and multi-stage infection chain for stealthy operation.

  • The malware utilizes Bring Your Own Vulnerable Driver (BYOVD) exploits and a time-based kill switch to deploy custom XMRig miners.
  • The campaign spreads through pirated "premium" software installers that drop the XMRig-based miner.
  • The malware abuses a legitimate but vulnerable driver called WinRing0x64.sys using the BYOVD technique, gaining kernel-level access and modifying CPU settings for improved mining performance.
  • Payloads are embedded in the binary's resource section, disguised as legitimate software, and launched with a circular watchdog system to restart the miner aggressively if terminated.
  • The malware includes a hardcoded temporal check (kill switch) that operates by retrieving the local system time and comparing it against a predetermined deadline (December 23, 2025).
  • The threat actor appears to be testing the infection chain and persistence features on a limited number of systems before scaling up.



A recent discovery has shed light on a wormable cryptojacking campaign that leverages Bring Your Own Vulnerable Driver (BYOVD) exploits and a time-based kill switch to deploy custom XMRig miners. This malicious attack utilizes a multi-stage infection chain, focusing on boosting cryptocurrency hashrate while pushing infected systems to instability.

The campaign spreads through pirated "premium" software installers that drop the sophisticated XMRig-based miner. At its core is the Explorer.exe binary, designed as a persistent state machine that switches roles via command-line arguments (installer, watchdog, active infection, cleanup). This design separates logic from payloads, allowing for more efficient and resilient malware operation.

The malware abuses a legitimate but vulnerable driver called WinRing0x64.sys using the BYOVD technique. Instead of creating its own malicious driver, it loads this old, signed driver to gain kernel-level (Ring 0) access. With this access, it modifies specific CPU settings (Model Specific Registers) to disable hardware prefetchers that interfere with Monero's RandomX mining algorithm. This reduction in cache conflicts boosts mining performance by 15% to 50%.
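Because the driver is legitimately signed, signature validation alone will not catch a BYOVD load; detection has to key on the driver's identity and where it was loaded from. The following added example (written for this article, not code from the campaign or from any named vendor) scans constructed driver-load records in a simplified key="value" layout modelled on Sysmon's driver-load event and flags loads of WinRing0x64.sys, loads from user-writable paths, and non-valid signature states. The log lines, the path heuristics and the simplified record format are assumptions of this example; WinRing0x64.sys is the only driver name taken from the article.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Known-vulnerable driver file names, lower-cased. WinRing0x64.sys is the
# driver named in the article; a real deployment would extend this set from a
# maintained source such as the LOLDrivers project or Microsoft's vulnerable
# driver blocklist.
VULNERABLE_DRIVER_NAMES = {"winring0x64.sys"}

# Path fragments from which a properly installed driver is rarely loaded.
# Heuristic chosen for this example, not taken from the article.
SUSPICIOUS_PATH_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# Regex for the simplified key="value" line format of the constructed log below.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class DriverLoadEvent:
    utc_time: str
    image_loaded: str
    signature_status: str


@dataclass
class Finding:
    utc_time: str
    image_loaded: str
    reasons: List[str]


def parse_event(line: str) -> Optional[DriverLoadEvent]:
    """Return a DriverLoadEvent for a driver-load record (EventID 6), else None."""
    fields = dict(_KV_RE.findall(line))
    if fields.get("EventID") != "6":
        return None
    return DriverLoadEvent(
        utc_time=fields.get("UtcTime", ""),
        image_loaded=fields.get("ImageLoaded", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


def assess(event: DriverLoadEvent) -> List[str]:
    """Collect the reasons a driver load deserves attention; empty means benign."""
    reasons: List[str] = []
    lowered = event.image_loaded.lower()
    file_name = lowered.rsplit("\\", 1)[-1]
    if file_name in VULNERABLE_DRIVER_NAMES:
        # A valid signature does not clear this case: BYOVD relies on the
        # driver being legitimately signed.
        reasons.append(f"known vulnerable driver: {file_name}")
    if any(hint in lowered for hint in SUSPICIOUS_PATH_HINTS):
        reasons.append("driver loaded from a user-writable location")
    if event.signature_status.lower() != "valid":
        reasons.append(f"signature status is {event.signature_status!r}")
    return reasons


def scan(lines: List[str]) -> List[Finding]:
    """Run every driver-load record through assess() and keep the ones with reasons."""
    findings: List[Finding] = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        reasons = assess(event)
        if reasons:
            findings.append(Finding(event.utc_time, event.image_loaded, reasons))
    return findings


# Constructed sample lines in a simplified key="value" layout; they mimic the
# fields of Sysmon's driver-load event but are not real telemetry.
SAMPLE_LOG = [
    r'EventID="6" UtcTime="2025-12-08 09:00:01" ImageLoaded="C:\Windows\System32\drivers\ntfs.sys" SignatureStatus="Valid"',
    r'EventID="1" UtcTime="2025-12-08 09:00:05" Image="C:\Users\bob\Downloads\setup.exe"',
    r'EventID="6" UtcTime="2025-12-08 09:00:07" ImageLoaded="C:\ProgramData\Temp\WinRing0x64.sys" SignatureStatus="Valid"',
    r'EventID="6" UtcTime="2025-12-08 09:00:09" ImageLoaded="C:\Users\bob\AppData\Local\Temp\helper.sys" SignatureStatus="Unavailable"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.utc_time}  {finding.image_loaded}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

The WinRing0x64.sys record is flagged despite its "Valid" signature, which is the point of the name-based check: for BYOVD the blocklist, not the signature, is the control. Pair the detection with Microsoft's vulnerable driver blocklist or HVCI so the load is denied rather than merely logged.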

Payloads are embedded in the binary's resource section, decompressed, written to disk as hidden system files, and disguised as legitimate software. A circular watchdog system ensures components relaunch each other if terminated, aggressively restarting the miner and even killing the real Windows Explorer to disrupt users.

A significant discovery within the sub_14000D180 function is a hardcoded temporal check, serving as a "kill switch" or "time bomb." This mechanism operates by retrieving the local system time and comparing it against a predetermined deadline: December 23, 2025. The malware's behavior diverges based on this date.

The active phase (pre-December 23, 2025) proceeds with the standard infection routine, installing persistence modules and launching the miner. In contrast, the expiration phase (post-December 23, 2025) suggests a "fire-and-forget" lifecycle, possibly timed to coincide with the expiration of rented Command & Control (C2) infrastructure or a predicted shift in the cryptocurrency market.

This XMRig variant includes a worm module that spreads through USB drives, not just manual downloads. It quietly listens for new removable devices using Windows system notifications instead of constantly scanning for them. When a USB drive is inserted, the malware copies its explorer.exe file onto the device, hides it in a folder, and creates a malicious shortcut disguised as the drive icon.
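The USB propagation described above leaves three things on the drive: a shortcut at the volume root, a hidden folder, and a copy of explorer.exe where no explorer.exe belongs. The following added example (written for this article, not code from the campaign) scans a mounted volume for those traits; it builds a constructed directory tree with invented names to run against offline, and the Windows hidden attribute is only readable on Windows, so on other platforms that one check is skipped.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List


def is_hidden(path: Path) -> bool:
    """True if the Windows 'hidden' attribute is set.

    st_file_attributes only exists on Windows; elsewhere the attribute is not
    recorded and the check is skipped.
    """
    try:
        attrs = path.stat().st_file_attributes
    except AttributeError:
        return False
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def scan_removable_volume(root: Path) -> List[str]:
    """Flag the three traits the article attributes to an infected drive."""
    root = Path(root)
    findings: List[str] = []

    # 1. A shortcut sitting at the volume root is the lure the user clicks on.
    for entry in sorted(root.iterdir()):
        if entry.is_file() and entry.suffix.lower() == ".lnk":
            findings.append(f"shortcut at volume root: {entry.name}")

    for dirpath, _dirnames, filenames in os.walk(root):
        current = Path(dirpath)
        # 2. Hidden folders are where the copied binary is stashed.
        if current != root and is_hidden(current):
            findings.append(f"hidden directory: {current.relative_to(root)}")
        # 3. explorer.exe has no business on a removable drive at all.
        for name in filenames:
            if name.lower() == "explorer.exe":
                rel = (current / name).relative_to(root)
                findings.append(f"explorer.exe outside the Windows directory: {rel}")
    return findings


def build_demo_volume() -> Path:
    """Construct a throwaway tree shaped like the article's description.

    Every folder and file name here is invented for this example.
    """
    vol = Path(tempfile.mkdtemp(prefix="usb_demo_"))
    (vol / "holiday_photos").mkdir()
    (vol / "holiday_photos" / "IMG_0001.jpg").write_bytes(b"\xff\xd8\xff")
    stash = vol / "System Volume Data"          # hypothetical stash folder
    stash.mkdir()
    (stash / "explorer.exe").write_bytes(b"MZ")  # placeholder, not a real PE
    (vol / "USB Drive.lnk").write_bytes(b"L\x00\x00\x00")  # placeholder shortcut
    return vol


if __name__ == "__main__":
    volume = build_demo_volume()
    for finding in scan_removable_volume(volume):
        print(finding)
```

Run it against the mount point of a suspect drive (for example `scan_removable_volume(Path("E:/"))` on Windows); a clean drive returns an empty list. Disabling autorun and hiding of known extensions removes most of the lure's effect, since the shortcut then shows as a .lnk rather than a drive icon.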

The threat actor appears to be testing the infection chain and persistence features on a limited number of systems before scaling up. Mining pool data shows one active worker with a modest hashrate, with sporadic activity in November 2025 and a noticeable spike starting December 8, suggesting a fresh rollout or activation of new infected nodes.

This campaign serves as a potent reminder that commodity malware continues to innovate. By chaining together social engineering, legitimate software masquerades, worm-like propagation, and kernel-level exploitation, the attackers have created a resilient and highly efficient botnet. The use of the BYOVD technique highlights a critical weakness in modern OS security models: the trust placed in signed drivers.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Wormable-XMRig-Campaign-Exploits-Vulnerabilities-for-Stealthy-Cryptojacking-ehn.shtml

  • https://securityaffairs.com/188388/malware/wormable-xmrig-campaign-leverages-byovd-and-timed-kill-switch-for-stealth.html


  • Published: Mon Feb 23 14:41:03 2026 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.