
A long-running cybercrime campaign, active since at least 2022, leverages a highly customized fork of the SilentCryptoMiner malware to target users of high-traffic piracy platforms, including digital libraries and video streaming services. The attack vector utilizes social engineering through deceptive "plugin updates" or "browser patches" to facilitate DLL side-loading. The technical execution chain involves a stack overflow via a 'SmashStack' function, which triggers Return-Oriented Programming (ROP) chains to enable the decryption and reflective loading of a hybrid payload. This payload combines a cryptocurrency miner (targeting CPU/GPU) with a Remote Access Trojan (RAT) for persistent Command and Control (C2) access. The malware employs sophisticated evasion techniques, including the deletion of Microsoft's Malicious Software Removal Tool (mrt.exe), the addition of Windows Defender exclusions, and a dedicated watchdog module to protect the miner's integrity. C2 communications are obfuscated using AES-CBC encryption and DNS tunneling disguised as legitimate Microsoft telemetry, with domains generated via a MurmurHash64-based Domain Generation Algorithm (DGA).

  • Campaign Overview: Scope and Scale of Impact

    • Target Demographic: Users of illegal digital libraries and movie/TV streaming services who are susceptible to social engineering involving "media player updates."
    • Temporal Reach: The campaign has been active for roughly four years, with documented activity spanning from 2022 through May 2026.
    • Traffic Volume: The scale of the campaign is massive, with an estimated 40 million visits to infected websites occurring in April 2026 alone.
    • Platform Penetration: Infected streaming sites reached up to 27.4 million monthly users, while digital library sites saw monthly user counts ranging from 11,000 to 4.7 million.
  • Attack Vector: Technical Infection Lifecycle

    • Initial Access: Attackers deploy fake "Video Player Plugin Updates" or "Browser Crash" pages on high-traffic piracy domains to prompt user interaction.
    • Payload Delivery: Victims are tricked into downloading a ZIP archive containing a legitimate executable (e.g., HLS Installer.874.exe) and a malicious DLL.
    • Exploitation Mechanics: When the legitimate executable is run it side-loads the malicious DLL placed beside it; the DLL's 'SmashStack' function deliberately overflows the stack to hand control to a ROP chain.
    • Advanced Execution: The ROP (Return-Oriented Programming) chain decrypts the primary malicious module and reflectively loads it into memory, so the main payload never touches disk in decrypted form.
  • Malware Profile: Hybrid RAT and Miner Functionality

    • Dual-Purpose Payload: The core module functions as both a SilentCryptoMiner fork (utilizing both CPU and GPU) and a Remote Access Trojan (RAT).
    • Process Hollowing: The miner is executed via process hollowing, often hiding its activity within legitimate processes like explorer.exe.
    • C2 Command Set: The RAT exposes four commands: arbitrary command execution, reflective execution of a PE inside explorer.exe, shellcode execution, and exit (self-termination).
    • Operational Objectives: While primary revenue is derived from unauthorized cryptocurrency mining, the RAT provides the threat actor with persistent, arbitrary control over the victim's machine.
  • Evasion and Persistence: Defensive Neutralization

    • Endpoint Defense Sabotage: The malware explicitly adds Windows Defender exclusions and deletes mrt.exe (Microsoft's Malicious Software Removal Tool) to prevent detection.
    • System Stability Manipulation: The threat actor disables system hibernation and sleep modes to ensure the miner can run continuously without interruption.
    • Persistence Mechanisms: Persistence is established by registering a 'GoogleUpdateTaskMachineQC' service (a name chosen to blend in with Google's legitimate GoogleUpdateTaskMachine* scheduled tasks) and by adding an entry under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.
    • Integrity Watchdog: A specialized module monitors the miner's service integrity; if tampering is detected, it attempts to restore encrypted files directly from memory.
  • Network Infrastructure: C2 and Communication Obfuscation

    • DNS Tunneling: Initial permission checks and heartbeat signals are conducted via DNS queries designed to mimic legitimate microsoft.com traffic.
    • Domain Generation Algorithm (DGA): The malware utilizes a MurmurHash64-based DGA, using the current date as a seed to generate rotating C2 domains.
    • Encryption Standards: C2 communications are encrypted with AES-CBC using the hardcoded key 0123456789abcdef0123456789abcdef. The key is a 32-character string; the briefing does not state whether it is hex-decoded into a 16-byte AES-128 key or used as 32 raw bytes for AES-256, so an analyst decrypting captured traffic should try both.
    • Known C2 Domains: Active infrastructure includes urush1bar4.online, 5d14vnfb.space, r7mvjl67.space, zgj1tam9.space, jeaw520i.space, qdmagva5.space, m4yuri.online, and kristina.quest.
  • Indicators of Compromise (IoCs) and Defensive Actions

    • File Names: No file hashes are given in the briefing; monitor for HLS Installer.874.exe (and the DLL dropped alongside it) in user-writable directories such as Downloads.
    • Network Indicators: Block the IP address 107.172.212.235 and monitor for anomalous DNS traffic masquerading as Microsoft telemetry.
    • Registry/Service Monitoring: Audit for the creation of 'GoogleUpdateTaskMachineQC' and unexpected changes to Windows Run keys.
    • Behavioral Detection: ROP chains and in-memory reflective loading leave few direct traces, so key on their observable precursors and effects: a signed executable in a user-writable directory loading an unsigned DLL from the same directory, followed by injection into or hollowing of explorer.exe and sustained CPU/GPU load.
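One way to hunt for the host-side artifacts listed above (the evasion and persistence steps, and the file, registry and service indicators) over endpoint telemetry, as an added example that is not code from the original briefing or from the Securelist report. It runs rule logic over Sysmon-style event records (Event IDs 1, 7, 13 and 23/26). The sample events are constructed for illustration: the side-loaded DLL name version.dll, the user SID and the dropped file paths are made up; the Windows Defender exclusion registry path and the MRT.exe location are the standard Windows ones.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (not real telemetry). Field names follow
# Sysmon conventions; the DLL name, SID and dropped paths are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\HLS Installer.874.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\version.dll", "Signed": "false"},
    {"EventID": 13, "Image": r"C:\Users\alice\Downloads\HLS Installer.874.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate",
     "Details": r"C:\Users\alice\AppData\Roaming\update.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 23, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Windows\System32\MRT.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": "powercfg.exe /hibernate off"},
    {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": 'sc create GoogleUpdateTaskMachineQC binPath= "C:\\Users\\alice\\AppData\\Roaming\\update.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},  # benign control event
]

USER_WRITABLE = re.compile(r"^[A-Za-z]:\\(Users|ProgramData|Windows\\Temp)\\")
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
DEFENDER_EXCL = re.compile(r"\\Windows Defender\\Exclusions\\", re.I)
POWERCFG = re.compile(r"powercfg(\.exe)?\s+[-/](h|hibernate)\s+off|standby-timeout-(ac|dc)\s+0\b", re.I)
PERSIST_CMD = re.compile(r"\b(sc(\.exe)?\s+create|schtasks(\.exe)?\s+/create)\b", re.I)
ADD_EXCL = re.compile(r"Add-MpPreference\s+.*-Exclusion", re.I)
IOC_FILES = {"hls installer.874.exe"}          # file name indicator from the briefing
IOC_PERSIST_NAME = "googleupdatetaskmachineqc"  # service name indicator from the briefing


def _rules(ev):
    """Yield the name of every rule that matches one event."""
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    if PureWindowsPath(image).name.lower() in IOC_FILES:
        yield "ioc_filename"
    if eid == 7:  # image load: signed host binary in a user dir loading an unsigned DLL beside it
        dll = ev.get("ImageLoaded", "")
        if (USER_WRITABLE.match(image) and dll
                and PureWindowsPath(dll).parent == PureWindowsPath(image).parent
                and ev.get("Signed", "").lower() != "true"):
            yield "dll_sideload_from_user_dir"
    elif eid == 13:  # registry value set
        target = ev.get("TargetObject", "")
        if RUN_KEY.search(target) and USER_WRITABLE.match(ev.get("Details", "")):
            yield "run_key_points_to_user_dir"
        if DEFENDER_EXCL.search(target):
            yield "defender_exclusion_added"
    elif eid in (23, 26):  # file delete (archived / detected)
        if ev.get("TargetFilename", "").lower().endswith("\\mrt.exe"):
            yield "mrt_exe_deleted"
    elif eid == 1:  # process creation
        cmd = ev.get("CommandLine", "")
        if POWERCFG.search(cmd):
            yield "hibernate_or_sleep_disabled"
        if ADD_EXCL.search(cmd):
            yield "defender_exclusion_added"
        if IOC_PERSIST_NAME in cmd.lower() and PERSIST_CMD.search(cmd):
            yield "fake_googleupdate_persistence"


def hunt(events):
    """Return (rule_name, event) pairs for every rule that fires."""
    return [(rule, ev) for ev in events for rule in _rules(ev)]


def summarize(events):
    """Rule name -> number of events it fired on, for quick triage."""
    counts = {}
    for rule, _ in hunt(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(f"{rule:32s} EventID={ev['EventID']} Image={ev['Image']}")
```

Each rule on its own is noisy (users do disable hibernation, and Add-MpPreference is used legitimately); the value is in correlation. Two or more of these firing on the same host within a short window, especially the side-load followed by a Run key or service pointing into a user-writable directory, is a strong match for the chain the briefing describes.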
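For the network side (the DNS tunneling, DGA and known-domain indicators above), the following is an added example, not code from the briefing or from Securelist. The DNS log lines are constructed. The heuristics are assumptions derived from the eight domains listed on this page: a second-level label of 6 to 10 lowercase alphanumerics mixing letters and digits on a .space, .online or .quest TLD, a long high-entropy subdomain label (a typical tunnelling signature), and the string "microsoft" appearing in a name whose registrable domain is not microsoft.com. It is not a reimplementation of the malware's MurmurHash64 DGA, whose label format and TLD choice the briefing does not give. The registrable-domain split is naive (last two labels); production code should use the Public Suffix List.

```python
import math
import re
from collections import Counter

# Known C2 domains from the briefing.
KNOWN_C2 = {
    "urush1bar4.online", "5d14vnfb.space", "r7mvjl67.space", "zgj1tam9.space",
    "jeaw520i.space", "qdmagva5.space", "m4yuri.online", "kristina.quest",
}
# TLDs used by the listed domains; assumption that rotating DGA output stays on them.
SUSPECT_TLDS = {"space", "online", "quest"}
# Second-level label of 6-10 lowercase alphanumerics mixing letters and digits
# (the pattern most listed domains follow; a heuristic, not the real DGA).
MIXED_LABEL = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,10}$")


def shannon_entropy(s):
    """Bits per character of the string s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_name(qname):
    """Return (naive registrable domain, all labels). Last two labels only;
    use the Public Suffix List for real deployments."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels


def assess(qname):
    """Set of reasons a query name looks like this campaign's C2 traffic."""
    reg, labels = split_name(qname)
    reasons = set()
    if len(labels) < 2:
        return reasons
    if reg in KNOWN_C2:
        reasons.add("known_c2_domain")
    # Tunnelled beacons carry "microsoft" in the name but resolve under the attacker's domain.
    if "microsoft" in qname.lower() and reg != "microsoft.com":
        reasons.add("microsoft_lookalike")
    sld, tld = labels[-2], labels[-1]
    if tld in SUSPECT_TLDS and MIXED_LABEL.match(sld):
        reasons.add("dga_like_sld")
    # Long, high-entropy subdomain labels are where tunnelled data usually lives.
    if any(len(label) >= 16 and shannon_entropy(label) > 3.0 for label in labels[:-2]):
        reasons.add("high_entropy_subdomain")
    return reasons


# Constructed DNS log lines: "<timestamp> <client> <qtype> <qname>" (made-up format and data).
SAMPLE_LOG = """\
2026-04-12T10:00:01Z 10.0.0.5 A settings-win.data.microsoft.com
2026-04-12T10:00:03Z 10.0.0.5 TXT a3f9c1d2e4b60718.telemetry.microsoft.com.r7mvjl67.space
2026-04-12T10:00:09Z 10.0.0.7 A x9k2qv7m.space
2026-04-12T10:00:15Z 10.0.0.9 A kristina.quest
2026-04-12T10:00:20Z 10.0.0.5 A www.wikipedia.org
"""


def triage(log_text):
    """Return [(client, qname, sorted reasons)] for lines that trip any rule."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, _, qname = parts
        reasons = assess(qname)
        if reasons:
            hits.append((client, qname, sorted(reasons)))
    return hits


if __name__ == "__main__":
    for client, qname, reasons in triage(SAMPLE_LOG):
        print(f"{client:10s} {qname:60s} {', '.join(reasons)}")
```

The known-domain match is the only high-confidence rule; the other three are meant to catch the next day's DGA output, which the static list will miss, and should be tuned against a baseline of the organisation's own DNS before alerting. Note that the real settings-win.data.microsoft.com line trips nothing, while the same label string placed under r7mvjl67.space trips all four rules.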

Related posts

  1. Malware News — Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years