In a technical report, Trellix researchers described a cryptojacking campaign that used pirated software bundles to install a custom XMRig miner on Windows hosts. Activity was recorded in November 2025 with a spike on December 8, 2025, and the malware can increase RandomX hashrate by 15% to 50%.
KEY FACTS
- Incident: Wormable XMRig cryptominer deployed via pirated installers
- Vector: Social engineering using fake premium software bundles
- Technique: Bring-your-own-vulnerable-driver (BYOVD) using WinRing0x64.sys for privilege escalation
- Timeline: Sporadic mining in November 2025 with a spike on December 8, 2025
The recovered dropper acts as installer, watchdog, payload manager, and cleaner. It switches modes according to its command-line arguments: depending on the argument it performs environment checks, drops the payloads and starts the miner, restarts the miner if it is killed, or runs a self-destruct sequence.
The malware includes a date check that changes its behavior on December 23, 2025. Before that date it installs persistence modules and launches mining. After that date the binary can be run with a self-destruct argument that removes its components, a design the report links to planned operational limits.
The infection writes multiple components to disk and sideloads the miner DLL through a legitimate Windows telemetry executable. It drops further files for persistence and loads a vulnerable driver, WinRing0x64.sys (CVE-2020-14979), to escalate privileges, gaining the low-level access that boosts mining performance.
The campaign also attempts lateral movement by copying itself to removable media, which lets it reach systems on isolated networks. The report describes the malware as having worm-like propagation and a watchdog topology that maintains persistence and restarts mining processes.
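The three host-level behaviors described above (a known vulnerable driver being loaded, a DLL sideloaded into a signed Windows binary, and executables written to removable media) are all visible in ordinary endpoint telemetry. The following triage script is an added example, not code from the Trellix report or from the malware: it runs three rules over a constructed, simplified Sysmon-like event stream. The event field names, the sample events, the `signed_host.exe` process name and the `C:\ProgramData\Example\` paths are assumptions for the example; only the driver name WinRing0x64.sys and CVE-2020-14979 come from the report.

```python
"""Host-event triage for the indicators in the Trellix report summary.

Rules:
  1. load of the known vulnerable driver WinRing0x64.sys (CVE-2020-14979)
  2. a DLL loaded from a user-writable path into a binary living in System32
     (sideloading heuristic)
  3. an executable written to a non-fixed drive (removable-media spread)

Event format is a constructed, simplified Sysmon-like dict stream; the field
names and sample events are assumptions for this example.
"""
from dataclasses import dataclass

# Driver named in the report, mapped to its CVE (BYOVD indicator).
VULNERABLE_DRIVERS = {"winring0x64.sys": "CVE-2020-14979"}

# Assumption: a process whose image lives in a system directory should load
# its DLLs from system directories; DLLs from user-writable paths are suspect.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Assumption: only C: is a fixed drive; any other drive letter is removable.
FIXED_DRIVES = {"c:"}
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".bat")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_driver_load(ev: dict):
    """Rule 1: flag a load of a driver on the known-vulnerable list."""
    name = _basename(ev["image"])
    cve = VULNERABLE_DRIVERS.get(name)
    if cve:
        return Finding("vulnerable_driver_load", ev["host"], f"{name} ({cve})")
    return None


def check_sideload(ev: dict):
    """Rule 2: system-directory binary loading a DLL from a user-writable path."""
    proc = ev["process"].lower()
    dll = ev["image"].lower()
    if proc.startswith(SYSTEM_DIRS) and dll.startswith(USER_WRITABLE):
        return Finding("dll_sideload", ev["host"], f"{_basename(proc)} loaded {dll}")
    return None


def check_removable_write(ev: dict):
    """Rule 3: executable written to a drive that is not a known fixed drive."""
    target = ev["target"].lower()
    if target[:2] not in FIXED_DRIVES and target.endswith(EXEC_EXTENSIONS):
        return Finding("removable_media_write", ev["host"],
                       f"{_basename(ev['process'])} wrote {target}")
    return None


HANDLERS = {
    "driver_load": check_driver_load,
    "image_load": check_sideload,
    "file_create": check_removable_write,
}


def triage(events):
    """Apply the rule matching each event type; return findings in event order."""
    findings = []
    for ev in events:
        handler = HANDLERS.get(ev["type"])
        if handler is None:
            continue
        finding = handler(ev)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (not telemetry from the report).
SAMPLE_EVENTS = [
    {"type": "driver_load", "host": "ws01",
     "image": "C:\\ProgramData\\Example\\WinRing0x64.sys"},
    {"type": "driver_load", "host": "ws01",
     "image": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"type": "image_load", "host": "ws01",
     "process": "C:\\Windows\\System32\\signed_host.exe",   # hypothetical name
     "image": "C:\\ProgramData\\Example\\payload.dll"},
    {"type": "image_load", "host": "ws01",
     "process": "C:\\Windows\\System32\\notepad.exe",
     "image": "C:\\Windows\\System32\\kernel32.dll"},
    {"type": "file_create", "host": "ws01",
     "process": "C:\\ProgramData\\Example\\dropper.exe",
     "target": "E:\\setup.exe"},
    {"type": "file_create", "host": "ws01",
     "process": "C:\\Users\\bob\\AppData\\Local\\browser.exe",
     "target": "C:\\Users\\bob\\Downloads\\tool.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the constructed stream it reports exactly three findings, one per rule, and ignores the benign driver, image-load and download events. The removable-drive rule is deliberately coarse: in a real deployment the fixed-drive set would come from the host inventory, and the driver list from a maintained vulnerable-driver catalogue rather than a single entry.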
WHY IT MATTERS
The combination of social engineering, removable-media propagation, and kernel-level exploitation increases the resilience and efficiency of cryptomining operations. Organizations should expect commodity malware to reuse legitimate components and exploit known vulnerable drivers to improve profit and persistence.