Cybersecurity experts have revealed details of an advanced cryptojacking operation that leverages pirated software bundles to deploy a custom XMRig miner on infected systems. This campaign, carefully analyzed by Trellix researchers, showcases a complex infection strategy aimed at maximizing cryptocurrency mining efficiency, which can often destabilize the victim’s system.
Innovative Tactics and Spread
The malicious campaign begins with social engineering tactics, luring users with the promise of free premium software. These pirated bundles, including popular office software installers, deceive users into downloading malware-laden files. The infection is orchestrated by a binary that functions as the attack’s central control, managing installation, monitoring, and various attack phases.
This binary’s modular architecture allows for flexible execution of tasks such as cryptocurrency mining, privilege escalation, and ensuring persistence, even if some components are disabled. Its worm-like behavior enables it to spread through external storage devices and across air-gapped environments, vastly increasing its reach.
Technical Exploits and Persistence
The malware employs a bring-your-own-vulnerable-driver (BYOVD) technique, loading a legitimate but flawed driver known as ‘WinRing0x64.sys’ to gain elevated privileges. The driver’s vulnerability, tracked as CVE-2020-14979, is exploited to enhance mining performance by up to 50%.
A distinctive feature of this variant is its aggressive propagation capability, transforming it from a simple Trojan into a sophisticated worm. The campaign’s activity was notable throughout November 2025, culminating in a significant increase by December 8, 2025, illustrating its disruptive potential.
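The pairing the article describes, a load of the vulnerable WinRing0x64.sys driver followed by an XMRig miner, is the kind of thing a detection engineer would want to flag per host. The following is an added example, not code from the Trellix research or the campaign itself; the Sysmon-like JSON event format, the host names and the miner command lines are constructed assumptions for illustration.

```python
import json
import ntpath
from collections import defaultdict

# Driver named in the report (BYOVD, CVE-2020-14979); matched by file name.
VULNERABLE_DRIVERS = {"winring0x64.sys"}
# XMRig binary name and two common XMRig command-line markers.
MINER_MARKERS = ("xmrig", "--donate-level", "rx/0")

# Constructed sample events, loosely modelled on Sysmon DriverLoad (ID 6)
# and ProcessCreate (ID 1); one JSON object per line.
SAMPLE_EVENTS = r"""
{"host": "ws-01", "event": "DriverLoad", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\WinRing0x64.sys"}
{"host": "ws-01", "event": "ProcessCreate", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe", "cmdline": "svc.exe -o pool.example:3333 --algo rx/0 --donate-level 0"}
{"host": "ws-02", "event": "DriverLoad", "image": "C:\\Windows\\System32\\drivers\\tcpip.sys"}
{"host": "ws-03", "event": "ProcessCreate", "image": "C:\\Tools\\xmrig.exe", "cmdline": "xmrig.exe --config cfg.json"}
"""

def _basename(path):
    # ntpath handles Windows paths regardless of the analyst's OS.
    return ntpath.basename(path).lower()

def classify_event(ev):
    """Return 'byovd', 'miner', or None for a single event."""
    image = ev.get("image", "")
    if ev.get("event") == "DriverLoad" and _basename(image) in VULNERABLE_DRIVERS:
        return "byovd"
    if ev.get("event") == "ProcessCreate":
        text = (_basename(image) + " " + ev.get("cmdline", "")).lower()
        if any(marker in text for marker in MINER_MARKERS):
            return "miner"
    return None

def analyze_events(jsonl):
    """Map host -> severity; BYOVD plus miner on one host escalates to critical."""
    seen = defaultdict(set)
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        kind = classify_event(ev)
        if kind:
            seen[ev["host"]].add(kind)
    severity = {}
    for host, kinds in seen.items():
        if {"byovd", "miner"} <= kinds:
            severity[host] = "critical"   # vulnerable driver + miner: the campaign's signature
        elif "byovd" in kinds:
            severity[host] = "high"       # driver alone still warrants a look
        else:
            severity[host] = "medium"     # miner alone
    return severity

if __name__ == "__main__":
    print(analyze_events(SAMPLE_EVENTS))
```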
The Role of AI in Cybercrime
The campaign also highlights the growing role of AI in cybercrime. Darktrace identified malware likely crafted using large language models (LLMs), exploiting the React2Shell vulnerability to deploy an XMRig miner. This demonstrates how AI tools are simplifying the creation of effective exploit frameworks.
Further investigations revealed a toolkit named ILOVEPOOP, which scans for systems vulnerable to React2Shell. Notably, this activity targeted sectors such as government and finance, suggesting deliberate strategic planning. Despite the expertise in developing such tools, the execution has been marred by operational errors, hinting at a division of labor between developers and operators.
This sophisticated cryptojacking campaign underscores the evolving landscape of malware threats, where traditional techniques are being enhanced by modern technologies such as AI. As attackers continue to innovate, cybersecurity defenses must adapt to these emerging challenges to protect valuable digital assets.
