{"id":43770,"date":"2026-02-19T00:48:43","date_gmt":"2026-02-18T16:48:43","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/19\/cryptojacking-campaign-exploits-driver-to-boost-monero-mining-infosecurity-magazine\/"},"modified":"2026-02-19T00:48:43","modified_gmt":"2026-02-18T16:48:43","slug":"cryptojacking-campaign-exploits-driver-to-boost-monero-mining-infosecurity-magazine","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/19\/cryptojacking-campaign-exploits-driver-to-boost-monero-mining-infosecurity-magazine\/","title":{"rendered":"Cryptojacking Campaign Exploits Driver to Boost Monero Mining &#8211; Infosecurity Magazine"},"content":{"rendered":"<p>A newly identified cryptojacking campaign that spreads through pirated software installers has been uncovered by researchers, revealing a multi-stage infection chain designed for persistence, stealth and maximum cryptocurrency mining output.<\/p>\n<p>The operation, discovered by security firm Trellix, centres on a customised XMRig miner and a controller component that maintains long-term access to infected systems.<\/p>\n<p>Unlike earlier <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/cryptojacking-gang-teamtnt-comeback\/\" style=\"text-decoration:none;\" target=\"_blank\">browser-based cryptojacking schemes<\/a>, this campaign deploys system-level malware. It relies on deceptive installers masquerading as office productivity software, luring users with free premium applications.<\/p>\n<p>Once executed, the dropper installed a primary controller named Explorer.exe in the user directory and initiated a staged deployment of mining and persistence components.<\/p>\n<h3><strong>Modular Design Enhances Resilience<\/strong><\/h3>\n<p>The controller functioned as a state-driven orchestrator rather than a simple loader. 
Depending on command-line arguments, it could install, monitor, relaunch or remove components.<\/p>\n<p>Trellix found references to the anime <em>Re:Zero &#8211; Starting Life in Another World<\/em> embedded in the code, including a &quot;002 Re:0&quot; parameter that activates the main infection mode and a &quot;barusu&quot; argument that triggered a structured cleanup routine.<\/p>\n<p><em><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/cryptojacking-malware-docker-novel\/\" style=\"text-decoration:none;\" target=\"_blank\">Read more on cryptojacking threats: New Cryptojacking Malware Targets Docker with Novel Mining Technique<\/a><\/em><\/p>\n<p>A hardcoded expiration date of December 23, 2025, acted as a time-based kill switch. Before that date, the malware operated normally. Afterward, it initiated self-removal procedures, suggesting a finite campaign lifecycle.<\/p>\n<p>To maintain persistence, the malware deployed multiple watchdog processes disguised as legitimate software, including fake Microsoft Edge and WPS executables.<\/p>\n<p>If one component was terminated, another relaunched it within seconds. In some cases, the malware attempted to terminate the legitimate Windows Explorer shell to disrupt user activity and regain control.<\/p>\n<h3><strong>Kernel Exploit Boosts Hashrate<\/strong><\/h3>\n<p>A notable feature was the use of a vulnerable signed driver, WinRing0x64.sys, associated with CVE-2020-14979.<\/p>\n<p>By loading this driver, the attackers gained kernel-level access and modified CPU registers to disable hardware prefetchers. This optimization reportedly increased Monero RandomX mining performance by 15% to 50%.<\/p>\n<p>The campaign connected to the Kryptex mining pool at xmr-sg.kryptex.network:8029 and used a Monero wallet for payouts. 
At the time of analysis, researchers observed one&nbsp;active worker generating approximately 1.24 KH\/s, with mining activity increasing from December 8, 2025.<\/p>\n<p>&quot;This campaign serves as a potent reminder that commodity malware continues to innovate,&quot; Trellix <a href=\"https:\/\/www.trellix.com\/blogs\/research\/technical-deep-dive-the-monero-mining-campaign\/\" style=\"text-decoration:none;\" target=\"_blank\">warned<\/a>.&nbsp;<\/p>\n<p>&quot;As long as legacy drivers with known vulnerabilities remain validly signed and loadable, attackers will continue to use them as keys to the kingdom, bypassing the sophisticated protections of Ring 3 to operate with impunity in the Kernel.&quot;<\/p>\n<p>The company advised organisations to enable Microsoft&#39;s vulnerable driver blocklist, restrict USB device access and block outbound traffic to known mining pools.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A newly identified cryptojacking campaign that spreads  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-43770","post","type-post","status-publish","format-standard","hentry","category--infosecurity-magazine"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/43770","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=43770"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/43770\/revisions"}
],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=43770"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=43770"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=43770"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}