{"id":46,"date":"2026-02-26T05:09:50","date_gmt":"2026-02-26T05:09:50","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=46"},"modified":"2026-02-26T05:09:50","modified_gmt":"2026-02-26T05:09:50","slug":"wormable-xmrig-campaign-uses-byovd-exploit-and-time-based-logic-bomb","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=46","title":{"rendered":"Wormable XMRig Campaign Uses BYOVD Exploit and Time-Based Logic Bomb"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Cybersecurity researchers have disclosed details of a new cryptojacking campaign that uses pirated software bundles as lures to deploy a bespoke XMRig miner program on compromised hosts.<\/p>\n<p>\u00abAnalysis of the recovered dropper, persistence triggers, and mining payload reveals a sophisticated, multi-stage infection prioritizing maximum cryptocurrency mining hashrate, often destabilizing the victim system,\u00bb Trellix researcher Aswath A <a href=\"https:\/\/www.trellix.com\/blogs\/research\/technical-deep-dive-the-monero-mining-campaign\/\" rel=\"noopener\" target=\"_blank\">said<\/a> in a technical report published last week.<\/p>\n<p>\u00abFurthermore, the malware exhibits worm-like capabilities, spreading across external storage devices, enabling lateral movement even in air-gapped environments.\u00bb<\/p>\n<p>The entry point of the attack is the use of social engineering decoys, advertising free premium software in the form of pirated software bundles, such as installers for office productivity suites, to trick unsuspecting users into 
downloading malware-laced executables.<\/p>\n<p>The binary acts as the central nervous system of the infection, serving different roles as an installer, watchdog, payload manager, and cleaner to oversee different aspects of the attack lifecycle. It features a modular design that separates the monitoring features from the core payloads responsible for cryptocurrency mining, privilege escalation, and persistence if it&#8217;s terminated.<\/p>\n<p>This flexibility, or mode switching, is achieved via command-line arguments &#8211;<\/p>\n<ul>\n<li>No parameter, for environment validation and migration during the early installation phase.<\/li>\n<li>002 Re:0, for dropping the main payloads, starting the miner, and entering a monitoring loop.<\/li>\n<li>016, for restarting the miner process if it&#8217;s killed.<\/li>\n<li>barusu, for initiating a self-destruct sequence by terminating all malware components and deleting files.<\/li>\n<\/ul>\n<p>Present within the malware is a logic bomb that operates by retrieving the local system time and comparing it against a predefined timestamp &#8211;<\/p>\n<ul>\n<li>If it&#8217;s before December 23, 2025, the malware proceeds with installing the persistence modules and launching the miner.<\/li>\n<li>If it&#8217;s after December 23, 2025, the binary is launched with the \u00abbarusu\u00bb argument, resulting in a \u00abcontrolled decommissioning\u00bb 
of the infection.<\/li>\n<\/ul>\n<p>The hard deadline of December 23, 2025, indicates that the campaign was designed to run indefinitely on compromised systems, with the date likely either signaling the expiration of rented command-and-control (C2) infrastructure, a predicted shift in the cryptocurrency market, or a planned move to a new malware variant, Trellix said.<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh-GqKd7kMAr7HhOTtPWnstkNRy3jg6LMSzFkuMOsuWxDO6xuLOK34oX0sCezT255yyj3q5pUx-hC5M6UZ20rGyubX8_b88NEtBC1Vq4gI0GWnqn_PfJGNtTRRTYeJ4M5XPHScAR60CHwkICCL-u9wBntgimH6ULm3okJWKg3no08wV-sj1mWSRBm8majUn\/s1700-e365\/1.jpg\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh-GqKd7kMAr7HhOTtPWnstkNRy3jg6LMSzFkuMOsuWxDO6xuLOK34oX0sCezT255yyj3q5pUx-hC5M6UZ20rGyubX8_b88NEtBC1Vq4gI0GWnqn_PfJGNtTRRTYeJ4M5XPHScAR60CHwkICCL-u9wBntgimH6ULm3okJWKg3no08wV-sj1mWSRBm8majUn\/s1700-e365\/1.jpg\" alt=\"\" border=\"0\" data-original-height=\"480\" data-original-width=\"870\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">Overall file inventory<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>In the case of the standard infection routine, the binary \u2013 which acts as a \u00abself-contained carrier\u00bb for all malicious payloads \u2013 writes the different components to disk, including a legitimate Windows Telemetry service executable that&#8217;s used to sideload the miner DLL.<\/p>\n<p>Also dropped are files to ensure persistence, terminate security tools, and execute the miner with elevated privileges by using a legitimate but flawed driver (\u00abWinRing0x64.sys\u00bb) as part of a technique called 
bring your own vulnerable driver (BYOVD). The driver is susceptible to a vulnerability tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2020-14979\" rel=\"noopener\" target=\"_blank\">CVE-2020-14979<\/a> (CVSS score: 7.8) that allows privilege escalation.<\/p>\n<p>The integration of this exploit into the XMRig miner is to have greater control over the CPU&#8217;s low-level configuration and boost the mining performance (i.e., the RandomX hashrate) by 15% to 50%.<\/p>\n<p>\u00abA distinguishing feature of this XMRig variant is its aggressive propagation capability,\u00bb Trellix said. \u00abIt does not rely solely on the user downloading the dropper; it actively attempts to spread to other systems via removable media. This transforms the malware from a simple Trojan into a worm.\u00bb<\/p>\n<p>Evidence shows that the mining activity took place, albeit sporadically, throughout November 2025, before spiking on December 8, 2025.<\/p>\n<p>\u00abThis campaign serves as a potent reminder that commodity malware continues to innovate,\u00bb the cybersecurity company concluded. 
\u00abBy chaining together social engineering, legitimate software masquerades, worm-like propagation, and kernel-level exploitation, the attackers have created a resilient and highly efficient botnet.\u00bb<\/p>\n<table cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"float: left;\">\n<tbody>\n<tr>\n<td style=\"text-align: center;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj-woeqTeTeyKibXugWqe3PyJjZ6VwQzpJJlq4_eYvvZzCvyZCF3WY3M6effGHTE8JOgMcYHS2Gg_uDp3sJVaFQNmKl1NMckd4kuUcuKUKbwPIYCTnyMTFqhR35DNsBXj6dM_o4ZBwMsoiduwDRszkxABLLkctTAHU7ZLv2oeh55F_2_mrceI4VQ2Mz6_uK\/s1700-e365\/2.jpg\" style=\"clear: left; display: block; margin-left: auto; margin-right: auto;  text-align: center;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj-woeqTeTeyKibXugWqe3PyJjZ6VwQzpJJlq4_eYvvZzCvyZCF3WY3M6effGHTE8JOgMcYHS2Gg_uDp3sJVaFQNmKl1NMckd4kuUcuKUKbwPIYCTnyMTFqhR35DNsBXj6dM_o4ZBwMsoiduwDRszkxABLLkctTAHU7ZLv2oeh55F_2_mrceI4VQ2Mz6_uK\/s1700-e365\/2.jpg\" alt=\"\" border=\"0\" data-original-height=\"1665\" data-original-width=\"1300\"\/><\/a><\/td>\n<\/tr>\n<tr>\n<td class=\"tr-caption\" style=\"text-align: center;\">A \u00abCircular Watchdog\u00bb topology to ensure persistence<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The disclosure comes as Darktrace said it identified a malware artifact likely generated using a large language model (LLM) that exploits the React2Shell vulnerability (CVE-2025-55182, CVSS score: 10.0) to download a Python toolkit, which leverages the access to drop an XMRig miner by running a shell command.<\/p>\n<p>\u00abWhile the amount of money generated by the attacker in this case is relatively low, and cryptomining is far from a new technique, this campaign is proof that AI-based LLMs have made cybercrime more accessible than ever,\u00bb researchers Nathaniel Bill and Nathaniel Jones <a 
href=\"https:\/\/www.darktrace.com\/blog\/ai-llm-generated-malware-used-to-exploit-react2shell\" rel=\"noopener\" target=\"_blank\">said<\/a>.<\/p>\n<p>\u00abA single prompting session with a model was sufficient for this attacker to generate a functioning exploit framework and compromise more than ninety hosts, demonstrating that the operational value of AI for adversaries should not be underestimated.\u00bb<\/p>\n<p>Attackers have also been putting to use a toolkit dubbed <a href=\"https:\/\/main.whoisxmlapi.com\/blog\/to-cache-a-predator-ilovepoop-toolkit-react2shell-cve-2025-55182\" rel=\"noopener\" target=\"_blank\">ILOVEPOOP<\/a> to scan for exposed systems still vulnerable to React2Shell, likely in an effort to lay the groundwork for future attacks, according to WhoisXML API. The probing activity has particularly targeted government, defense, finance, and industrial organizations in the U.S.<\/p>\n<p>\u00abWhat makes ILOVEPOOP unusual is a mismatch between how it was built and how it was used,\u00bb said Alex Ronquillo, vice president of product at WhoisXML API. 
\u00abThe code itself reflects expert-level knowledge of React Server Components internals and employs attack techniques not found in any other documented React2Shell kit.\u00bb<\/p>\n<p>\u00abBut the people deploying it made basic operational mistakes when interacting with WhoisXML API&#8217;s honeypot monitoring systems \u2013 errors that a sophisticated attacker would normally avoid. In practical terms, this gap points to a division of labor.\u00bb<\/p>\n<p>\u00abWe might be looking at two different groups: one that built the tool and one that&#8217;s using it. We see this pattern in state-sponsored operations \u2013 a capable team develops the tooling, then hands it off to operators who run mass scanning campaigns. The operators don&#8217;t need to understand how the tool works \u2013 they just need to run it.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity researchers have disclosed details of a new cryptojacking campaign that uses pirated software bundles as lures to deploy a bespoke XMRig miner program on compromised hosts. 
\u00abAnalysis of the&hellip;<\/p>\n","protected":false},"author":1,"featured_media":47,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[123,119,6,120,122,121,117,118],"class_list":["post-46","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-bomb","tag-byovd","tag-campaign","tag-exploit","tag-logic","tag-timebased","tag-wormable","tag-xmrig"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/46","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=46"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/46\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/47"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=46"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=46"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=46"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}