Pierluigi Paganini
March 10, 2025
Kaspersky researchers discovered a mass malware campaign spreading SilentCryptoMiner by disguising it as a tool to bypass internet restrictions. While investigating the increased use of Windows Packet Divert (WPD) tools by crooks to distribute malware under this pretense, the researchers spotted the campaign.
Threat actors distribute malware in archives with fake installation instructions, urging users to disable security tools to allow their execution. Using this social engineering trick, threats like stealers, RATs, Trojans, and crypto miners can persist undetected. Common malware families include NJRat, XWorm, Phemedrone, and DCRat.
The malware campaign is infecting users with a miner disguised as a DPI bypass tool. The attackers modified a popular tool that is available on GitHub. Kaspersky already identified over 2,000 victims in Russia, but the true number may be higher. A YouTuber with 60,000 subscribers unknowingly helped spread the malware, linking to a malicious archive in videos that amassed 400,000 views before the link was removed.
Attackers used the malicious site gitrok[.]com to distribute an infected archive, which had over 40,000 downloads. They also manipulated YouTubers by falsely claiming copyright strikes, threatening channel shutdowns unless they posted videos with malicious links. A Telegram channel and a popular YouTube account with 340,000 subscribers also spread the malware. By December 2024, reports emerged of further miner-infected versions spreading via Telegram and YouTube.
The discovered infected archives contained an additional executable, with a modified start script tricking victims into disabling antivirus protections. The first-stage malware is a Python-based loader that was packed with PyInstaller and sometimes obfuscated using PyArmor. It fetched a second-stage payload from hardcoded domains, executing it as t.py in a temporary folder. The payload was only accessible from Russian IPs, suggesting a targeted attack on Russian users.
“The downloaded di.exe is a SilentCryptoMiner sample based on the open-source miner XMRig. This is a covert miner able to mine multiple cryptocurrencies (ETH, ETC, XMR, RTM and others) using various algorithms. For stealth, SilentCryptoMiner employs process hollowing to inject the miner code into a system process (in this case, dwm.exe).” reads the report published by Kaspersky. “The malware is able to stop mining while the processes specified in the configuration are active. It can be controlled remotely via a web panel.”
“The miner can prevent the execution in a virtualized environment and verify its file size (680-800 MB) to ensure it was executed by the intended loader. Its configuration is Base64-encoded and encrypted with AES-CBC. The miner halts when specific monitoring tools run and fetches updates every 100 minutes. It uses Pastebin to store its configuration, with multiple accounts distributing the malicious files.” concludes the report. “The topic of restriction bypass tools is being actively exploited to distribute malware. The above campaign limited itself to distributing a miner, but threat actors could start to use this vector for more complex attacks, including data theft and downloading other malware. This underscores once again that, while such tools may look enticing, they pose a serious threat to user data security.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, SilentCryptoMiner)
