Find notable cyber news and cases, enriched with sources, timelines, and signals.

Pirated software installer cryptojacking campaign

Campaign
First reported
Last updated
Happening score
H score 35
2 unique sources, 2 articles

Summary

Hide ▲

A cryptojacking campaign now spreads through pirated software bundles, using a multi-stage infection chain to deploy a bespoke XMRig miner and maintain persistence on compromised hosts. The malware uses a controller named Explorer.exe, watchdog processes disguised as legitimate software, and WinRing0x64.sys tied to CVE-2020-14979 for BYOVD privilege escalation and stronger Monero RandomX mining. Trellix said the operation also uses a December 23, 2025 logic bomb and worm-like propagation through removable media, while mining activity was seen in November 2025 and spiked on December 8, 2025. The campaign was connected to the Kryptex mining pool at xmr-sg.kryptex.network:8029.

Related Happenings

GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning

Technical Analysis
H score23 First: 16.06.2026 17:17 Last: 16.06.2026 17:17 Sources 1

About this happening: **GhostTree** and **GhostBranch** use recursive **NTFS junction** loops to generate effectively unlimited paths, allowing files in the same folder to evade **EDR** and **Windows D...

Windows search URI handler NTLMv2 hash disclosure security flaw (CVE-2026-33829)

Vulnerability
H score24 First: 03.06.2026 13:18 Last: 03.06.2026 13:18 Sources 1

About this happening: **Windows search: URI handler** has an **unpatched NTLMv2 hash disclosure flaw** that can let an attacker capture a user's Net-NTLMv2 hash through a crafted `search:` link. The we...

Windows zero-day exploitation wave

Exploitation Wave
H score38 First: 17.04.2026 09:14 Last: 17.04.2026 09:14 Sources 1

About this happening: **BlueHammer**, **RedSun**, and **UnDefend** are being exploited in the wild against **Windows** devices, creating active risk of **SYSTEM** or elevated administrator compromise....

Latest development: 23.04.2026 14:05

CISA added BlueHammer, tracked as CVE-2026-33825, to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch Microsoft Defender on Windows systems within two weeks, until May 7. The federal directive targets ongoing zero-day abuse of the flaw on U.S. government systems.

EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers

Technical Analysis
H score24 First: 19.03.2026 20:52 Last: 19.03.2026 20:52 Sources 1

About this happening: **54 EDR killers** were found abusing **BYOVD** through **34 vulnerable drivers**, showing how ransomware operators can **disable endpoint defenses** before encryption. The findin...

Warlock ransomware post-exploitation tooling upgrades

Malware Activity
H score38 First: 17.03.2026 17:36 Last: 17.03.2026 17:36 Sources 1

About this happening: The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...

Timeline

  1. 18.02.2026 18:00 1 articles · 4mo ago

    Monero mining activity increases on infected systems

    Campaign Scope Update

    Infected systems in the Kryptex-connected campaign generated about 1.24 KH/s of Monero mining output, with mining activity increasing from December 8, 2025.

    Show sources
  2. 18.02.2026 18:00 3 articles · 4mo ago

    Trellix discloses controller, watchdogs, and vulnerable driver abuse

    Initial Disclosure

    Trellix identified a cryptojacking operation that used a customised XMRig miner, a controller named Explorer.exe, fake Microsoft Edge and WPS watchdog processes, and WinRing0x64.sys tied to CVE-2020-14979 to obtain kernel-level access and disable hardware prefetchers; the malware also used a hardcoded December 23, 2025 kill switch, attempted to terminate the Windows Explorer shell, connected to the Kryptex mining pool at xmr-sg.kryptex.network:8029, and was met with guidance to enable Microsoft's vulnerable driver blocklist, restrict USB device access, and block outbound traffic to known mining pools.

    Show sources