New KryptoCibule Windows Trojan spreads via malicious torrents

Pierluigi Paganini September 02, 2020

Experts warn of the KryptoCibule Windows malware that has been active since late 2018 and has targeted users in the Czech Republic and Slovakia.

Security researchers from ESET have shared technical detailts of a new piece of Windows malware tracked as KryptoCibule.

The malware has been active since at least December 2018, it targets cryptocurrency users as a triple threat. The malware uses the victim’s resource to mine cryptocurrency, steals cryptocurrency wallet-related files, and replaces wallet addresses in the clipboard to hijack cryptocurrency payments.

“The latest versions of KryptoCibule use XMRig, an open source program that mines Monero using the CPU, and kawpowminer, another open source program that mines Ethereum using the GPU. The second one is only used if a dedicated GPU is found on the host. Both of these programs are set up to connect to an operator-controlled mining server over the Tor proxy.” reads the report.

On top of the crypto-related components, the malware also implements RAT functionalities, it could allow the execution of arbitrary commands and SHELL, which downloads a PowerShell script from the C&C.

KryptoCibule leverages the Tor network and the BitTorrent protocol for its communications.

KryptoCibule uses the Tor client to communicate with the C2 servers hosted on the dark web. The malware leverages the torrent client to load torrent files, in this way it could download other additional modules, including proxy servers, crypto-mining modules, and HTTP and SFT servers.

The malware is written in C#, since 2018, the authors malware have added new features to the threat.

Currently, the malware spreads via torrent files for pirated software and games, the malicious code is bundled with installers or crackers for pirated software.

This installer achieves persistence through scheduled tasks to be run every five minutes and then installs the KryptoCibule launcher, the OS clipboard hijacker module, and Tor and torrent clients.

ESET researchers pointed out that the KryptoCibule is currently being distributed only in two countries, the Czech Republic and Slovakia.

Almost all the malicious torrents distributing tainted pirated software were only available on uloz.to, a popular file-sharing site in both countries.

ESET noticed that KryptoCibule contains a feature that checks for the presence of antivirus software on a victim’s computer. The malware only checks for the presence of ESET, Avast, and AVG antivirus software, which are popular solutions in the Czech Republic and Slovakia.

Anyway, experts recommend users to remain vigilant, we cannot exclude that the operators behind the threat could extend their operations to other countries.

“The KryptoCibule malware has been in the wild since late 2018 and is still active, but it doesn’t seem to have attracted much attention until now. Its use of legitimate open-source tools along with the wide range of anti-detection methods deployed are likely responsible for this.” concludes ESET. “The relatively low number of victims (in the hundreds) and their being mostly confined to two countries may also contribute to this. New capabilities have regularly been added to KryptoCibule over its lifetime and it continues to be under active development.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, KryptoCibule)

[adrotate banner=”5″]

[adrotate banner=”13″]

cry KryptoCibule malware

Pierluigi Paganini July 20, 2025

Singapore warns China-linked group UNC3886 targets its critical infrastructure

Pierluigi Paganini July 03, 2025