USB infection campaign delivering XMRig miners
Campaign
Summary
An ongoing USB infection campaign has used compromised drives to infect hosts and deploy cryptocurrency miners since September 2024, keeping removable-media delivery an active initial-access risk. The chain starts when a victim opens a Windows shortcut (LNK) on the drive; the shortcut launches a VBScript, which in turn runs a batch script. The operation matters because removable-media delivery sidesteps network-based controls entirely and ends in the deployment of XMRig for mining.
Related Happenings
NANOREMOTE Windows backdoor with Google Drive API C2
Malware Activity
First: 11.12.2025 15:16
Last: 11.12.2025 15:16
Sources 1
About this happening:
**NANOREMOTE** is a newly disclosed **Windows backdoor** that uses the **Google Drive API** for command-and-control, giving operators a difficult-to-detect channel for **data thef...
TikTok activation-guide ClickFix infostealer campaign
Campaign
First: 19.10.2025 21:28
Last: 19.10.2025 21:28
Sources 1
About this happening:
A **TikTok**-based **ClickFix** campaign is using fake **free activation guides** to deliver **info-stealing malware**, putting users seeking software activations at risk of **cre...
Patchwork group macro-to-.LNK DLL side-loading sequence
Malware Activity
First: 02.10.2025 17:44
Last: 02.10.2025 17:44
Sources 1
About this happening:
A **Patchwork group** infection sequence now uses a **malicious macro**, **.LNK file**, **PowerShell**, and **DLL side-loading** to launch a payload that can **exfiltrate data** a...
COLDRIVER BAITSWITCH and SIMPLEFIX ClickFix malware chain
Malware Activity
First: 26.09.2025 15:45
Last: 26.09.2025 15:45
Sources 1
About this happening:
**COLDRIVER** (aka **Star Blizzard/UNC4057/Callisto**) has shifted from **LOSTKEYS** to rapidly changing **NOROBOT/YESROBOT/MAYBEROBOT** tooling in a **ClickFix**-style campaign,...
Timeline
- 21.08.2025 19:25 · 1 article
USB infection campaign delivers XMRig miners
Campaign Scope Update: Researchers described an ongoing USB-drive infection campaign that has been active since September 2024 and uses compromised removable media to infect hosts, starting with a Windows shortcut (LNK) that launches a VBScript and batch script chain before dropping DIRTYBULK, CUTFAIL, HIGHREPS, PUMPBENCH, and XMRig for cryptocurrency mining.
- Cybercriminals Deploy CORNFLAKE.V3 Backdoor via ClickFix Tactic and Fake CAPTCHA Pages — thehackernews.com — 21.08.2025 19:25
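The summary and the timeline entry above both describe the same parent-child process chain: a user opens an LNK from the drive, Explorer starts a script host on a .vbs, and the script host starts cmd.exe on a .bat. That chain is what a defender can hunt for in process-creation telemetry. The following is an added detection sketch written for this page; it is not code from the researchers or from the page's source. The event layout (pid, ppid, image name, command line) is a constructed, Sysmon-like shape rather than any vendor's real schema, the sample events are constructed, and the set of removable drive letters is assumed to be supplied from a host inventory (for example a mounted-volume listing) rather than guessed from the path.

```python
"""Hunt for the explorer.exe -> wscript/cscript (.vbs) -> cmd.exe (.bat) chain
originating from removable media.  Added example, not the page's own code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Process image names that run VBScript and the shell that runs batch files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe"}

# Matches a drive letter followed by ":\" anywhere in a command line.
DRIVE_RE = re.compile(r"\b([A-Za-z]):\\")


@dataclass(frozen=True)
class ProcEvent:
    """Constructed, Sysmon-like process-creation record (assumed shape)."""
    pid: int
    ppid: int
    image: str      # basename of the executable, e.g. "wscript.exe"
    cmdline: str    # full command line as logged


def references_removable(cmdline: str, removable_drives: set[str]) -> bool:
    """True if the command line names a path on one of the given drives.

    removable_drives holds letters like {"E:"}; it is assumed to come from a
    host inventory, since a path alone cannot tell USB media from a fixed disk.
    """
    wanted = {d.rstrip(":").upper() for d in removable_drives}
    return any(letter.upper() in wanted for letter in DRIVE_RE.findall(cmdline))


def find_usb_script_chains(
    events: Iterable[ProcEvent], removable_drives: set[str]
) -> list[tuple[ProcEvent, ProcEvent, ProcEvent]]:
    """Return (explorer, script_host, shell) triples matching the LNK chain.

    The LNK itself does not appear as a process: double-clicking a shortcut
    makes explorer.exe spawn the target, so explorer.exe is the grandparent.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for shell in by_pid.values():
        if shell.image.lower() not in SHELLS or ".bat" not in shell.cmdline.lower():
            continue
        host = by_pid.get(shell.ppid)
        if host is None or host.image.lower() not in SCRIPT_HOSTS:
            continue
        if ".vbs" not in host.cmdline.lower():
            continue
        if not references_removable(host.cmdline, removable_drives):
            continue
        launcher = by_pid.get(host.ppid)
        if launcher is None or launcher.image.lower() != "explorer.exe":
            continue
        hits.append((launcher, host, shell))
    return hits


def describe(chain: tuple[ProcEvent, ProcEvent, ProcEvent]) -> str:
    """One-line alert text for a matched chain."""
    launcher, host, shell = chain
    return (f"USB script chain: {launcher.image}({launcher.pid}) -> "
            f"{host.image}({host.pid}) -> {shell.image}({shell.pid}) :: {shell.cmdline}")


# Constructed sample telemetry: one malicious chain from drive E:, one benign
# logon script on C:, and one unrelated build step.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "wscript.exe", 'wscript.exe "E:\\docs\\open.vbs"'),
    ProcEvent(300, 200, "cmd.exe", 'cmd.exe /c "E:\\docs\\run.bat"'),
    ProcEvent(400, 100, "wscript.exe", 'wscript.exe "C:\\Users\\alice\\logon.vbs"'),
    ProcEvent(500, 400, "cmd.exe", 'cmd.exe /c "C:\\Users\\alice\\mapdrives.bat"'),
    ProcEvent(600, 1, "cmd.exe", "cmd.exe /c build.bat"),
]

if __name__ == "__main__":
    for chain in find_usb_script_chains(SAMPLE_EVENTS, {"E:"}):
        print(describe(chain))
```

The benign logon-script chain on C: is deliberately included so the rule only fires when the VBScript lives on a drive the host inventory marks as removable; without that inventory the same parent-child pattern is common enough to be noisy.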