Fake Video Players Spread Malware: Crypto Miner and RAT

Fake Video Players Spread Malware: Crypto Miner and RAT

Posted on By CWS

Cyber attackers have devised a new method to distribute malware without raising suspicion among users. By frequenting illegal streaming platforms, unsuspecting users encounter fraudulent alerts indicating their video player plugins require updates.

Clicking this deceptive update link leads to malware installation that facilitates cryptocurrency mining and grants hackers remote access to affected systems.

Discovery and Analysis of the Campaign

In April 2026, a cybersecurity incident involving a cryptocurrency miner on corporate computers revealed this malicious campaign. Investigations traced the issue back to unauthorized streaming websites that tricked users into executing a harmful ZIP file under the guise of a plugin update.

According to Securelist experts, this operation has roots extending to 2022, with the perpetrators consistently modifying their tactics to maintain effectiveness.

Scope and Impact of the Attack

The breadth of this campaign is considerable, with associated piracy sites receiving approximately 40 million visits in April 2026 alone. The largest platform attracted between 2.1 million and 27.4 million monthly visits, while smaller entities also recorded significant traffic.

This attack’s reach has expanded beyond movie and TV show sites to include digital book and movie libraries, broadening the pool of potential victims.

Technical Details and Malware Functionality

Upon engaging with the compromised sites, users are prompted with a message about outdated plugins. Following the update prompt downloads a ZIP file containing a seemingly legitimate installer and a hidden malicious DLL.

Executing this installer triggers the DLL, which integrates into a trusted process, effectively cloaking its activities. The malware’s architecture includes obfuscation techniques to hinder analysis and uses DNS tunneling to transmit system data to the attacker’s server.

This sophisticated malware package includes a modified SilentCryptoMiner that employs the victim’s hardware for cryptocurrency mining. Additionally, a Remote Access Trojan (RAT) module provides attackers with comprehensive control over infected systems.

Preventive Measures and Recommendations

Users are advised to avoid visiting pirated content sites, which serve as primary vectors for this threat. Security teams should monitor for unusual DNS activity, disguised services, and unauthorized code injections.

Regular updates to endpoint protection software and vigilance for unexpected files in system directories are crucial for early detection and mitigation of this malware.

To safeguard systems, firms should enhance network monitoring and educate employees about the risks of downloading plugins from unverified sources.

Cyber Security News Tags:, , , , , , , , ,

Related Posts

Threat Actors Weaponizing GitHub Accounts To Host Payloads, Tools and Amadey Malware Plug-Ins Threat Actors Weaponizing GitHub Accounts To Host Payloads, Tools and Amadey Malware Plug-Ins Cyber Security News
143,000 Malware Files Attacked Android and iOS Device Users in Q2 2025 143,000 Malware Files Attacked Android and iOS Device Users in Q2 2025 Cyber Security News
Malware Campaign Uses Fake Software to Deploy RATs and Miners Malware Campaign Uses Fake Software to Deploy RATs and Miners Cyber Security News
Cyber Conflict Escalates as Iran Faces Major Disruptions Cyber Conflict Escalates as Iran Faces Major Disruptions Cyber Security News
Lenovo IdeaCentre and Yoga Laptop BIOS Vulnerabilities Execute Arbitrary Code Lenovo IdeaCentre and Yoga Laptop BIOS Vulnerabilities Execute Arbitrary Code Cyber Security News
Metasploit Adds Exploit Module for Recently Disclosed FortiWeb 0-Day Vulnerabilities Metasploit Adds Exploit Module for Recently Disclosed FortiWeb 0-Day Vulnerabilities Cyber Security News