Cybercriminals are actively spreading CoinMiner malware by USB drives, concentrating on workstations throughout South Korea to mine Monero cryptocurrency.
This ongoing marketing campaign makes use of misleading shortcut information and hidden folders to trick customers into executing malicious scripts with out their data.
The assault leverages a mixture of VBS, BAT, and DLL information that work collectively to put in XMRig, a preferred cryptocurrency mining device, on contaminated methods.
The malware hides inside a folder named “sysvolume” on contaminated USB drives, displaying solely a shortcut file labeled “USB Drive.lnk” to the consumer.
When victims double-click this file, it triggers a series of malicious operations whereas concurrently opening a folder containing their authentic information.
Flowchart (Supply – ASEC)
This enables customers to entry their knowledge usually, making the an infection troublesome to detect. ASEC safety researchers recognized this malware pressure of their ongoing evaluation of USB-based threats.
The attackers have refined their methods since earlier variations documented in February 2025, with Mandiant categorizing these threats as DIRTYBULK and CUTFAIL of their July 2025 report.
The an infection begins when customers execute the misleading shortcut file, which runs a VBS script with a randomly generated filename similar to “u566387.vbs”.
This script then triggers BAT malware that performs a number of essential operations, together with including Home windows Defender exclusion paths and making a folder with an area in its identify at “C:Home windows System32” to evade detection.
Information contained in the contaminated USB (Supply – ASEC)
The BAT script copies and renames the dropper malware as “printui.dll” and hundreds it by the respectable “printui.exe” program.
An infection Mechanism and Persistence Ways
The dropper part establishes persistence by registering a DLL with the DcomLaunch service.
Malware set up scripts (Supply – ASEC)
As soon as registered, the malware designated as PrintMiner adjusts system energy settings to forestall sleep mode and communicates with command-and-control servers to obtain encrypted payloads.
The decrypted information embrace XMRig configured to mine Monero utilizing the next parameters:-
-o r2.hashpoolpx[.]internet:443 –tls –max-cpu-usage=50
The malware displays working processes and terminates XMRig when customers launch video games or course of monitoring instruments like Course of Explorer, Process Supervisor, and System Informer.
Course of tree (Supply – ASEC)
This evasion approach helps the miner keep away from detection whereas decreasing efficiency impacts that may alert customers. USB-based assaults stay efficient when mixed with social engineering.
Observe us on Google Information, LinkedIn, and X to Get Extra Prompt Updates, Set CSN as a Most popular Supply in Google.
