Advanced Cryptojacking Campaign Exploits Vulnerable Drivers and Logic Bombs for Persistent XMRig Miner Deployment

Cybersecurity experts have recently uncovered a sophisticated cryptojacking operation that leverages pirated software bundles to infiltrate systems and deploy a customized XMRig cryptocurrency miner. This campaign employs advanced techniques, including the Bring Your Own Vulnerable Driver (BYOVD) method and a time-based logic bomb, to maximize mining efficiency and ensure persistence.

The attack initiates through social engineering tactics, enticing users to download free versions of premium software, such as office productivity suites. These downloads are, in reality, malware-laden executables that serve multiple functions: installer, watchdog, payload manager, and cleaner. This modular design allows the malware to adapt its behavior based on specific command-line arguments:

– No parameter: Validates the environment and manages migration during the initial installation phase.

– 002 Re:0: Deploys the main payloads, initiates the miner, and enters a monitoring loop.

– 016: Restarts the miner process if it has been terminated.

– barusu: Triggers a self-destruct sequence, terminating all malware components and deleting associated files.

A notable feature of this malware is its embedded logic bomb, which checks the system’s local time against a predefined date:

– Before December 23, 2025: The malware installs persistence modules and launches the miner.

– After December 23, 2025: The malware executes the barusu command, leading to a controlled decommissioning of the infection.

This hardcoded deadline suggests that the campaign was never meant to run indefinitely on compromised systems. The specific date may mark the expiration of rented command-and-control (C2) infrastructure, an anticipated change in the cryptocurrency market, or a planned transition to a new malware variant.

During the standard infection process, the malware acts as a comprehensive carrier for all malicious payloads. It writes various components to the disk, including a legitimate Windows Telemetry service executable used to sideload the miner DLL. Additional files are dropped to ensure persistence, disable security tools, and execute the miner with elevated privileges. This is achieved by exploiting a legitimate but vulnerable driver (WinRing0x64.sys) through the BYOVD technique. This driver is susceptible to a vulnerability (CVE-2020-14979) that allows for privilege escalation.

By integrating this exploit into the XMRig miner, the attackers gain greater control over the CPU’s low-level configuration, enhancing mining performance (specifically, the RandomX hashrate) by 15% to 50%.
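The behaviours the report describes (the command-line modes of the dropper, the December 23, 2025 date check, and the load of the vulnerable WinRing0x64.sys driver) are concrete enough to hunt for in endpoint telemetry. The following Python script is an added example and is not code from the report or from the malware analysis it summarises: it parses a constructed, simplified key=value event log (the field names `ts`, `type`, `image` and `cmdline`, and the assumption that the mode token is the last argument on the command line, are this example's own conventions, not a real EDR schema), flags process launches that use the documented mode arguments, flags loads of the named driver, and labels each finding with the branch of the logic bomb that would have been active at that time.

```python
# Added example (not from the original report): triage constructed process
# and driver-load events for the behaviours the article describes.
# The log line format and field names are assumptions made for this example.
import re
from datetime import datetime

# Command-line modes described in the report, mapped to their role.
MODE_MAP = {
    "002 Re:0": "deploy payloads, start miner, enter monitoring loop",
    "016": "restart the miner if it was terminated (watchdog)",
    "barusu": "self-destruct: terminate components and delete files",
}

# Vulnerable driver abused through BYOVD (CVE-2020-14979), per the report.
VULN_DRIVER = "winring0x64.sys"

# Pivot date of the logic bomb from the report: before it the malware
# installs persistence and mines, after it the barusu path is taken.
LOGIC_BOMB_DATE = datetime(2025, 12, 23)

# Constructed sample events (not real telemetry) in a simplified
# "key=value" format; quoted values may contain spaces.
SAMPLE_EVENTS = [
    'ts=2025-12-08T03:14:00 type=process image=C:\\Users\\bob\\Downloads\\OfficeSetup.exe '
    'cmdline="OfficeSetup.exe 002 Re:0"',
    'ts=2025-12-08T03:14:05 type=driver image=C:\\Windows\\Temp\\WinRing0x64.sys',
    'ts=2025-12-08T09:00:00 type=process image=C:\\Windows\\System32\\notepad.exe '
    'cmdline="notepad.exe readme.txt"',
    'ts=2025-12-09T11:30:00 type=process image=C:\\Users\\bob\\Downloads\\OfficeSetup.exe '
    'cmdline="OfficeSetup.exe 016"',
    'ts=2025-12-24T00:01:00 type=process image=C:\\Users\\bob\\Downloads\\OfficeSetup.exe '
    'cmdline="OfficeSetup.exe barusu"',
]

_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split one key=value log line into a dict; quoted values keep spaces."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in _FIELD_RE.findall(line)}


def classify_mode(cmdline):
    """Return the documented malware mode a command line ends with, or None.

    The modes are short tokens, so this is a triage heuristic and any hit
    should be reviewed together with the image path and parent process.
    """
    for mode in MODE_MAP:
        if cmdline.rstrip().endswith(" " + mode):
            return mode
    return None


def logic_bomb_phase(ts_iso):
    """Which branch of the report's date check was active at this time."""
    ts = datetime.fromisoformat(ts_iso)
    return "persist-and-mine" if ts < LOGIC_BOMB_DATE else "self-destruct"


def triage(lines):
    """Return a list of findings for events matching the described behaviours."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("image", "")
        if ev.get("type") == "driver" and image.lower().endswith(VULN_DRIVER):
            findings.append({"ts": ev["ts"], "kind": "byovd-driver",
                             "detail": image,
                             "phase": logic_bomb_phase(ev["ts"])})
        elif ev.get("type") == "process":
            mode = classify_mode(ev.get("cmdline", ""))
            if mode is not None:
                findings.append({"ts": ev["ts"], "kind": "malware-mode",
                                 "detail": f"{mode}: {MODE_MAP[mode]}",
                                 "phase": logic_bomb_phase(ev["ts"])})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["ts"], finding["kind"], finding["phase"], "-", finding["detail"])
```

The phase label is useful during response: a host first seen launching the dropper after the pivot date should already be on the self-destruct path, so the cleanup files will be missing and the driver load may be the only surviving artefact, whereas a host seen before it still has persistence in place.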

A distinguishing characteristic of this XMRig variant is its aggressive propagation capability. It doesn’t rely solely on user downloads of the dropper; instead, it actively attempts to spread to other systems via removable media. This worm-like behavior enables lateral movement, even in air-gapped environments, significantly increasing the malware’s reach and impact.

Evidence indicates that mining activity associated with this campaign occurred sporadically throughout November 2025, with a notable spike on December 8, 2025. This timeline aligns with the malware’s embedded logic bomb, suggesting a strategic deployment and operational period.

This campaign serves as a potent reminder that commodity malware continues to evolve and innovate. By combining social engineering, masquerading as legitimate software, worm-like propagation, and kernel-level exploitation, the attackers have created a resilient and highly efficient botnet.

The disclosure of this campaign coincides with reports from Darktrace, which identified malware artifacts likely generated using large language models (LLMs). These artifacts exploit the React2Shell vulnerability (CVE-2025-55182) to download a Python toolkit, which then deploys an XMRig miner by executing shell commands.

While the financial gains from this specific attack are relatively low, and cryptomining is not a new technique, this campaign demonstrates that LLM-based AI tools have made cybercrime more accessible than ever. A single session with an AI model was sufficient for the attacker to generate a functioning exploit framework and compromise over ninety hosts, underscoring the operational value of AI for adversaries.

Additionally, attackers have been utilizing a toolkit dubbed ILOVEPOOP to scan for exposed systems still vulnerable to React2Shell. This activity appears to be laying the groundwork for future attacks, with particular targeting of government, defense, finance, and industrial organizations in the U.S.

In summary, this advanced cryptojacking campaign highlights the increasing sophistication of cyber threats. By leveraging vulnerable drivers, time-based logic bombs, and worm-like propagation methods, attackers can create resilient and efficient botnets capable of significant disruption. It is imperative for organizations to remain vigilant, regularly update their systems, and educate users about the risks associated with downloading pirated software to mitigate such threats.