SilentCryptoMiner Infects 2,000 Russian Users via Fake VPN and DPI Bypass Tools

Avatar
A new mass malware campaign is infecting users with a cryptocurrency miner named SilentCryptoMiner by masquerading it as a tool designed to circumvent internet blocks and restrictions around online services. Russian cybersecurity company Kaspersky said the activity is part of a larger trend where cybercriminals are increasingly leveraging Windows Packet Divert (WPD) tools to distribute malware

A new mass malware campaign is infecting users with a cryptocurrency miner named SilentCryptoMiner by masquerading it as a tool designed to circumvent internet blocks and restrictions around online services.

Russian cybersecurity company Kaspersky said the activity is part of a larger trend where cybercriminals are increasingly leveraging Windows Packet Divert (WPD) tools to distribute malware under the guise of restriction bypass programs.

“Such software is often distributed in the form of archives with text installation instructions, in which the developers recommend disabling security solutions, citing false positives,” researchers Leonid Bezvershenko, Dmitry Pikush, and Oleg Kupreev said. “This plays into the hands of attackers by allowing them to persist in an unprotected system without the risk of detection.”

The approach has been used as part of schemes that propagate stealers, remote access tools (RATs), trojans that provide hidden remote access, and cryptocurrency miners like NJRat, XWorm, Phemedrone, and DCRat.

The latest twist in this tactic is a campaign that has compromised over 2,000 Russian users with a miner disguised as a tool for getting around blocks based on deep packet inspection (DPI). The program is said to have been advertised in the form of a link to a malicious archive via a YouTube channel with 60,000 subscribers.

In a subsequent escalation of the tactics spotted in November 2024, the threat actors have been found impersonating such tool developers to threaten channel owners with bogus copyright strike notices and demand that they post videos with malicious links or risk getting their channels shut down due to supposed infringement.

“And in December 2024, users reported the distribution of a miner-infected version of the same tool through other Telegram and YouTube channels, which have since been shut down,” Kaspersky said.

The booby-trapped archives have been found to pack an extra executable, with one of the legitimate batch scripts modified to run the binary via PowerShell. In the event antivirus software installed in the system interferes with the attack chain and deletes the malicious binary, users are displayed an error message that urges them to re-download the file and run it after disabling security solutions.

The executable is a Python-based loader that’s designed to retrieve a next-stage malware, another Python script that downloads the SilentCryptoMiner miner payload and establishes persistence, but not before checking if it’s running in a sandbox and configuring Windows Defender exclusions.

The miner, based on the open-source miner XMRig, is padded with random blocks of data to artificially inflate the file size to 690 MB and ultimately hinder automatic analysis by antivirus solutions and sandboxes.

“For stealth, SilentCryptoMiner employs process hollowing to inject the miner code into a system process (in this case, dwm.exe),” Kaspersky said. “The malware is able to stop mining while the processes specified in the configuration are active. It can be controlled remotely via a web panel.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

Texas border city declares state of emergency after cyberattack on government systems

Next Post

⚡ THN Weekly Recap: New Attacks, Old Tricks, Bigger Impact

Related Posts

Australia Bans Kaspersky Software Over National Security and Espionage Concerns

Australia has become the latest country to ban the installation of security software from Russian company Kaspersky, citing national security concerns. "After considering threat and risk analysis, I have determined that the use of Kaspersky Lab, Inc. products and web services by Australian Government entities poses an unacceptable security risk to Australian Government, networks and data,
Avatar
Read More

North Korean Hackers Pull Off $308M Bitcoin Heist from Crypto Firm DMM Bitcoin

Japanese and U.S. authorities have formerly attributed the theft of cryptocurrency worth $308 million from cryptocurrency company DMM Bitcoin in May 2024 to North Korean cyber actors. "The theft is affiliated with TraderTraitor threat activity, which is also tracked as Jade Sleet, UNC4899, and Slow Pisces," the agencies said. "TraderTraitor activity is often characterized by targeted social
Avatar
Read More

Apple Patches Actively Exploited iOS Zero-Day CVE-2025-24200 in Emergency Update

Apple on Monday released out-of-band security updates to address a security flaw in iOS and iPadOS that it said has been exploited in the wild. Assigned the CVE identifier CVE-2025-24200, the vulnerability has been described as an authorization issue that could make it possible for a malicious actor to disable USB Restricted Mode on a locked device as part of a cyber physical attack. This
Avatar
Read More