A recent cybersecurity report has uncovered a new cryptojacking scheme that uses pirated software bundles to distribute a customized XMRig miner on compromised devices.
According to Trellix researcher Aswath A, the malware employs a complex, multi-stage infection strategy aimed at maximizing cryptocurrency mining hash rates, often causing instability on the victim’s system. The malware also possesses worm-like capabilities, allowing it to spread to external storage devices and move laterally even in isolated environments.
The attack begins with social engineering tactics, enticing users with free premium software disguised as pirated software bundles. Once downloaded, the malware-laden executables initiate the infection process.
The malware operates through a modular design, separating monitoring functions from core payloads responsible for cryptocurrency mining, privilege escalation, and persistence. It can switch modes using command-line arguments for different tasks such as installation, payload management, and self-destruction.
A logic bomb within the malware triggers specific actions based on the local system time. If the date is before December 23, 2025, the malware proceeds with mining activities. After that date, it initiates a “controlled decommissioning” of the infection.
The malware uses a Windows Telemetry service executable to sideload the miner DLL, abuses a known-vulnerable driver to escalate privileges, and boosts mining performance by modifying CPU configuration settings.
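The sideloading step above leaves a recognisable trace in image-load telemetry: a Microsoft-signed host executable mapping a DLL that is neither Microsoft-signed nor located in a system directory. The following is an added detection example, not code from Trellix or from the malware; it runs over constructed Sysmon-style Event ID 7 records, and `telemetryhost.exe` is a placeholder name rather than the binary the report observed.

```python
"""Triage image-load events for DLL side-loading (added example, not from the report).
Input is constructed Sysmon-style Event ID 7 data; 'telemetryhost.exe' is a
placeholder host name, not the binary Trellix observed."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:/windows/system32", "c:/windows/syswow64", "c:/windows/winsxs")
MS_SIGNER = "microsoft windows"


@dataclass(frozen=True)
class ImageLoad:
    image: str          # process that performed the load
    image_signer: str   # Authenticode signer of the process, "" if unsigned
    loaded: str         # DLL that was mapped
    loaded_signer: str  # Authenticode signer of the DLL, "" if unsigned


def _under(path: str, roots) -> bool:
    p = PureWindowsPath(path).as_posix().lower()
    return any(p.startswith(r + "/") for r in roots)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Microsoft-signed host maps a DLL that is not a Microsoft-signed system DLL."""
    if ev.image_signer.lower() != MS_SIGNER:
        return False  # only trusted hosts being abused are of interest here
    trusted = ev.loaded_signer.lower() == MS_SIGNER and _under(ev.loaded, SYSTEM_DIRS)
    return not trusted


def triage(events) -> list:
    """(host, dll, same_dir) per candidate; same_dir is the classic side-load layout."""
    hits = []
    for ev in events:
        if is_sideload_candidate(ev):
            same_dir = PureWindowsPath(ev.image).parent == PureWindowsPath(ev.loaded).parent
            hits.append((ev.image, ev.loaded, same_dir))
    return hits


# Constructed sample: a benign system load, then a copied host loading an unsigned DLL.
SAMPLE = [
    ImageLoad(r"C:\Windows\System32\telemetryhost.exe", "Microsoft Windows",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    ImageLoad(r"C:\Users\Public\Bundle\telemetryhost.exe", "Microsoft Windows",
              r"C:\Users\Public\Bundle\version.dll", ""),
]

if __name__ == "__main__":
    for host, dll, same_dir in triage(SAMPLE):
        print(f"side-load candidate: {host} -> {dll} (same directory: {same_dir})")
```

The signer fields assume an image-load source that records Authenticode results; on raw Sysmon data they would be populated from the `Signed`/`Signature` fields.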
Trellix noted that this XMRig variant demonstrates aggressive propagation capabilities, transforming from a Trojan into a worm by actively spreading through removable media. Mining activities were observed sporadically in November 2025, peaking on December 8, 2025.
On a separate note, Darktrace identified a malware artifact likely generated using a large language model that exploits the React2Shell vulnerability to deploy an XMRig miner. This highlights the accessibility of cybercrime facilitated by AI-based models.
Additionally, attackers have been utilizing the ILOVEPOOP toolkit to scan for systems vulnerable to React2Shell, particularly targeting government, defense, finance, and industrial sectors in the U.S. The toolkit demonstrates expert-level knowledge of attack techniques related to React Server Components.