A long-running cybercrime campaign, active since at least 2022, uses a heavily customized fork of the SilentCryptoMiner malware to target users of high-traffic piracy sites, including digital libraries and video streaming services. Initial access relies on social engineering: fake "plugin update" or "browser patch" prompts get the victim to run a legitimate executable that side-loads a malicious DLL. Execution then passes through a function named 'SmashStack', which triggers a stack overflow that hands control to a Return-Oriented Programming (ROP) chain; the chain decrypts and reflectively loads a hybrid payload. That payload combines a cryptocurrency miner (CPU and GPU) with a Remote Access Trojan (RAT) that gives the operators persistent command-and-control (C2) access. Evasion includes deleting Microsoft's Malicious Software Removal Tool (mrt.exe), adding Windows Defender exclusions, and running a dedicated watchdog module that protects the miner. C2 traffic is encrypted with AES-CBC and carried in DNS queries disguised as Microsoft telemetry, with domains produced by a MurmurHash64-based Domain Generation Algorithm (DGA).
Campaign Overview: Scope and Scale of Impact
- Target Demographic: Users of illegal digital libraries and movie/TV streaming services who are susceptible to social engineering involving "media player updates."
- Temporal Reach: The campaign has maintained sustained operational activity for over four years, with documented activity spanning from 2022 through May 2026.
- Traffic Volume: The scale of the campaign is massive, with an estimated 40 million visits to infected websites occurring in April 2026 alone.
- Platform Penetration: Infected streaming sites reached up to 27.4 million monthly users, while digital library sites saw monthly user counts ranging from 11,000 to 4.7 million.
Attack Vector: Technical Infection Lifecycle
- Initial Access: Attackers plant fake "Video Player Plugin Update" or "Browser Crash" pages on high-traffic piracy domains to prompt user interaction.
- Payload Delivery: Victims are tricked into downloading a ZIP archive containing a legitimate executable (e.g., HLS Installer.874.exe) and a malicious DLL placed beside it.
- Exploitation Mechanics: When the executable runs, it loads the attacker's DLL from the same directory (DLL side-loading); the DLL's 'SmashStack' function then triggers a stack overflow that diverts control into a ROP chain.
- Advanced Execution: The ROP chain decrypts the primary malicious module and loads it reflectively into memory, so the decrypted module never has to be written to disk.
Malware Profile: Hybrid RAT and Miner Functionality
- Dual-Purpose Payload: The core module is both a SilentCryptoMiner fork (mining on CPU and GPU) and a Remote Access Trojan (RAT).
- Process Hollowing: The miner runs via process hollowing, typically hiding inside a legitimate process such as explorer.exe.
- C2 Command Set: The RAT exposes four commands: arbitrary command execution, reflective PE execution inside explorer.exe, shellcode execution, and exit.
- Operational Objectives: Revenue comes mainly from unauthorized cryptocurrency mining, but the RAT gives the operators persistent, arbitrary control over the victim's machine.
Evasion and Persistence: Defensive Neutralization
- Endpoint Defense Sabotage: The malware adds Windows Defender exclusions and deletes mrt.exe (Microsoft's Malicious Software Removal Tool) so that its components are neither scanned nor removed.
- System Stability Manipulation: Hibernation and sleep are disabled so the miner can run continuously without interruption.
- Persistence Mechanisms: Persistence is established by registering a 'GoogleUpdateTaskMachineQC' service and by adding entries under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.
- Integrity Watchdog: A dedicated module monitors the miner's service; if tampering is detected, it restores the encrypted files from copies held in memory.
Network Infrastructure: C2 and Communication Obfuscation
- DNS Tunneling: Initial permission checks and heartbeat signals are carried in DNS queries crafted to look like legitimate microsoft.com traffic.
- Domain Generation Algorithm (DGA): C2 domains are generated by a MurmurHash64-based DGA seeded with the current date, so the set of candidate domains rotates as the date changes.
- Encryption Standards: C2 messages are encrypted with AES-CBC under the hardcoded key 0123456789abcdef0123456789abcdef; because the key is static and embedded in the binary, anyone who extracts it (and reproduces the malware's IV handling) can decrypt captured traffic.
- Known C2 Domains: Active infrastructure includes urush1bar4.online, 5d14vnfb.space, r7mvjl67.space, zgj1tam9.space, jeaw520i.space, qdmagva5.space, m4yuri.online, and kristina.quest.
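The following is an added example, not code from the report or from the malware: it reconstructs what a date-seeded MurmurHash64 DGA of this kind looks like and shows how a defender pre-computes a day's candidate domains for a blocklist. The MurmurHash64A routine is Austin Appleby's reference algorithm; the date-string format, the 36-symbol label alphabet, the 8-character label length (matching the listed C2 names), the TLD list and the per-day index are assumptions, since the report does not disclose the real parameters, so the output will not match the actual C2 domains. Once the real parameters are recovered from a sample, the same structure yields the true daily set.

```python
"""Date-seeded MurmurHash64-based DGA (illustrative reconstruction) plus a
blocklist pre-computer that enumerates candidate domains for a range of days."""
from __future__ import annotations
from datetime import date, timedelta
import string

MASK64 = (1 << 64) - 1
ALPHABET = string.ascii_lowercase + string.digits   # assumed: 36-symbol label alphabet
LABEL_LEN = 8                                       # assumed: matches the listed C2 domains
TLDS = ("space", "online", "quest")                 # TLDs seen in the report's C2 list; order assumed


def murmurhash64a(data: bytes, seed: int = 0) -> int:
    """MurmurHash64A (Austin Appleby's 64-bit variant), little-endian 8-byte blocks."""
    m = 0xC6A4A7935BD1E995
    r = 47
    n = len(data)
    h = (seed ^ ((n * m) & MASK64)) & MASK64
    full = n // 8
    for i in range(full):
        k = int.from_bytes(data[8 * i:8 * i + 8], "little")
        k = (k * m) & MASK64
        k ^= k >> r
        k = (k * m) & MASK64
        h ^= k
        h = (h * m) & MASK64
    tail = data[8 * full:]
    if tail:
        # The C reference uses a fall-through switch; XOR is commutative, so a loop is equivalent.
        for i, byte in enumerate(tail):
            h ^= byte << (8 * i)
        h = (h * m) & MASK64
    h ^= h >> r
    h = (h * m) & MASK64
    h ^= h >> r
    return h


def dga_domain(day: date | str, index: int = 0) -> str:
    """One candidate domain for `day` (date or ISO string); `index` gives extra domains per day."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    h = murmurhash64a(day.isoformat().encode(), seed=index)   # assumed seeding scheme
    label = []
    for _ in range(LABEL_LEN):
        label.append(ALPHABET[h % len(ALPHABET)])
        h //= len(ALPHABET)          # peel one base-36 digit off the hash per character
    return "".join(label) + "." + TLDS[h % len(TLDS)]


def dga_domains(start: date | str, days: int, per_day: int = 1) -> set[str]:
    """Pre-compute every candidate for `days` days from `start`, e.g. to feed a DNS blocklist."""
    if isinstance(start, str):
        start = date.fromisoformat(start)
    return {dga_domain(start + timedelta(days=d), i) for d in range(days) for i in range(per_day)}


def is_dga_hit(qname: str, candidates: set[str]) -> bool:
    """Normalize a queried name (case, trailing dot) and test it against the pre-computed set."""
    return qname.rstrip(".").lower() in candidates


if __name__ == "__main__":
    for dom in sorted(dga_domains(date.today(), 3, per_day=2)):
        print(dom)
```

Pre-computing a few days ahead (and a day behind, for clock skew) and pushing the set to the resolver or firewall is the usual way to turn a reversed DGA into a detection: the hash is cheap, the domain set is small, and a hit on any pre-computed name is a high-confidence signal because nobody else would query it.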
Indicators of Compromise (IoCs) and Defensive Actions
- File Hashes/Names: Monitor for HLS Installer.874.exe appearing in user-writable directories, particularly alongside an unexpected DLL in the same folder.
- Network Indicators: Block the IP address 107.172.212.235 and the listed C2 domains, and monitor for anomalous DNS traffic masquerading as Microsoft telemetry.
- Registry/Service Monitoring: Audit for the creation of a 'GoogleUpdateTaskMachineQC' service, unexpected changes to Windows Run keys, newly added Windows Defender exclusions, and the disappearance of mrt.exe.
- Behavioral Detection: Prioritize detecting ROP-chain execution and reflective PE loading, especially when the process chain starts from an unexpected DLL side-loading event.
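As an added example (not from the report or the vendor's tooling), the script below turns the persistence, evasion and network indicators from the two sections above into a checker: it evaluates a host snapshot (services, HKCU Run values, Defender exclusions, presence of MRT.exe, hibernation state) and a set of DNS query log lines. The indicator values are the ones listed on this page; the HostSnapshot fields, the log line format, the sample data and the "user-writable path" heuristic are constructed for the example, and collecting a real snapshot (Get-Service, reg query, Get-MpPreference, powercfg /a) is left to the reader's endpoint tooling.

```python
"""Match a host snapshot and DNS query log lines against the indicators in the
report. Indicator values are the report's; snapshot fields, log format,
heuristics and sample data are constructed for this example."""
from __future__ import annotations
from dataclasses import dataclass
import re

KNOWN_C2_DOMAINS = {
    "urush1bar4.online", "5d14vnfb.space", "r7mvjl67.space", "zgj1tam9.space",
    "jeaw520i.space", "qdmagva5.space", "m4yuri.online", "kristina.quest",
}
KNOWN_C2_IP = "107.172.212.235"
SUSPECT_SERVICE = "GoogleUpdateTaskMachineQC"
SUSPECT_FILE = "hls installer.874.exe"
# Heuristic (assumed): paths a standard user can write to. Run entries or Defender
# exclusions pointing here deserve a look even when no known file name is involved.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class HostSnapshot:
    services: list[str]             # service names (e.g. from Get-Service)
    run_values: dict[str, str]      # HKCU\...\Run: value name -> command line
    defender_exclusions: list[str]  # Get-MpPreference ExclusionPath / ExclusionProcess
    mrt_present: bool               # %SystemRoot%\System32\MRT.exe exists
    hibernate_enabled: bool         # powercfg /a lists hibernate as available


def evaluate_host(snap: HostSnapshot) -> list[str]:
    """Return one finding string per matched indicator (empty list means nothing matched)."""
    findings: list[str] = []
    if any(s.lower() == SUSPECT_SERVICE.lower() for s in snap.services):
        findings.append(f"service {SUSPECT_SERVICE} is registered")
    for name, cmd in snap.run_values.items():
        low = cmd.lower()
        if SUSPECT_FILE in low:
            findings.append(f"Run value {name!r} launches {SUSPECT_FILE}")
        elif any(d in low for d in USER_WRITABLE):
            findings.append(f"Run value {name!r} launches from a user-writable path: {cmd}")
    for excl in snap.defender_exclusions:
        if any(d in excl.lower() for d in USER_WRITABLE):
            findings.append(f"Defender exclusion covers user-writable path {excl}")
    if not snap.mrt_present:
        findings.append("MRT.exe is missing from System32")
    if not snap.hibernate_enabled:
        findings.append("hibernation is disabled (weak signal on its own)")
    return findings


# Constructed log format: "<timestamp> <client-ip> <qtype> <qname> <answer-or-dash>"
DNS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)\s+(?P<answer>\S+)$"
)


def evaluate_dns_log(lines: list[str]) -> list[str]:
    """Flag queries for the listed C2 domains and answers pointing at the C2 IP."""
    findings: list[str] = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        registrable = ".".join(qname.split(".")[-2:])  # adequate for the one-label TLDs in the list
        if registrable in KNOWN_C2_DOMAINS:
            findings.append(f"{m['client']} queried C2 domain {qname}")
        if m["answer"] == KNOWN_C2_IP:
            findings.append(f"{m['client']} resolved {qname} to C2 address {KNOWN_C2_IP}")
    return findings


# Constructed sample data (not from the report).
SAMPLE_SNAPSHOT = HostSnapshot(
    services=["Dnscache", "GoogleUpdateTaskMachineQC", "WinDefend"],
    run_values={
        "OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
        "HLSPlayer": r"C:\Users\alice\AppData\Roaming\HLS\HLS Installer.874.exe",
    },
    defender_exclusions=[r"C:\Users\alice\AppData\Roaming\HLS"],
    mrt_present=False,
    hibernate_enabled=False,
)
SAMPLE_DNS_LOG = [
    "2026-04-02T09:14:03Z 10.0.0.23 A settings-win.data.microsoft.com 203.0.113.10",  # benign, not flagged
    "2026-04-02T09:14:09Z 10.0.0.23 A r7mvjl67.space 107.172.212.235",
    "2026-04-02T09:15:41Z 10.0.0.23 A ZGJ1TAM9.space. -",  # case and trailing dot are normalized
    "2026-04-02T09:16:00Z 10.0.0.41 A www.example.com 203.0.113.5",
]

if __name__ == "__main__":
    for finding in evaluate_host(SAMPLE_SNAPSHOT) + evaluate_dns_log(SAMPLE_DNS_LOG):
        print("FINDING:", finding)
```

The benign microsoft.com line is deliberately left unflagged: an indicator matcher only catches the domains and address already attributed to the campaign, so DNS traffic that is dressed up as Microsoft telemetry still needs behavioral checks (query volume, label entropy, resolver answers that do not belong to Microsoft) on top of the list match.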
Related posts
- Malware News — Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years