Pirated software installer cryptojacking campaign
Campaign
Summary
A cryptojacking campaign now spreads through pirated software bundles, using a multi-stage infection chain to deploy a bespoke XMRig miner and maintain persistence on compromised hosts. The malware uses a controller named Explorer.exe, watchdog processes disguised as legitimate software, and WinRing0x64.sys tied to CVE-2020-14979 for BYOVD privilege escalation and stronger Monero RandomX mining. Trellix said the operation also uses a December 23, 2025 logic bomb and worm-like propagation through removable media, while mining activity was seen in November 2025 and spiked on December 8, 2025. The campaign was connected to the Kryptex mining pool at xmr-sg.kryptex.network:8029.
Related Happenings
Windows zero-day exploitation wave
Exploitation Wave
First: 17.04.2026 09:14
Last: 17.04.2026 09:14
Sources 1
About this happening:
**BlueHammer**, **RedSun**, and **UnDefend** are being exploited in the wild against **Windows** devices, creating active risk of **SYSTEM** or elevated administrator compromise....
Latest development: 23.04.2026 14:05
CISA added BlueHammer, tracked as CVE-2026-33825, to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch Microsoft Defender on Windows systems within two weeks, until May 7. The federal directive targets ongoing zero-day abuse of the flaw on U.S. government systems.
EDR killer BYOVD analysis finds 54 tools abusing 34 vulnerable drivers
Technical Analysis
First: 19.03.2026 20:52
Last: 19.03.2026 20:52
Sources 1
About this happening:
**54 EDR killers** were found abusing **BYOVD** through **34 vulnerable drivers**, showing how ransomware operators can **disable endpoint defenses** before encryption. The findin...
Warlock ransomware post-exploitation tooling upgrades
Malware Activity
First: 17.03.2026 17:36
Last: 17.03.2026 17:36
Sources 1
About this happening:
The **Warlock ransomware group** has upgraded its post-exploitation toolset with **BYOVD**, **TightVNC**, and **Yuze**, making intrusions harder to detect and interrupt. In an obs...
UAT-9244 South America telecom targeting campaign
Campaign
First: 06.03.2026 01:19
Last: 06.03.2026 01:19
Sources 1
About this happening:
UAT-9244 is a China-linked campaign targeting telecommunication providers in South America since 2024. It compromises Windows, Linux, and edge devices to expand access across tele...
Latest development: 06.03.2026 10:22
The first documented phase centers on **TernDoor** targeting **Windows** hosts through **DLL side-loading** with `wsprint.exe` and `BugSplatRc64.dll`. After launch, it loads in memory and establishes persistence through a scheduled task or the Registry Run key.
Python-based malware deployment with XWorm and Cobalt Strike tooling
Malware Activity
First: 23.02.2026 17:30
Last: 23.02.2026 17:30
Sources 1
About this happening:
A **Python-based malware deployment** was uncovered on a **compromised Windows system**, exposing persistence, obfuscation, and credential-theft activity tied to **PayPal abuse**...
Timeline
- 18.02.2026 18:00 · 1 article
Monero mining activity increases on infected systems
Campaign Scope Update: Infected systems in the Kryptex-connected campaign generated about 1.24 KH/s of Monero mining output, with mining activity increasing from December 8, 2025.
- Cryptojacking Campaign Exploits Driver to Boost Monero Mining — www.infosecurity-magazine.com — 18.02.2026 18:00
- 18.02.2026 18:00 · 3 articles
Trellix discloses controller, watchdogs, and vulnerable driver abuse
Initial Disclosure: Trellix identified a cryptojacking operation that used a customised XMRig miner, a controller named Explorer.exe, fake Microsoft Edge and WPS watchdog processes, and WinRing0x64.sys tied to CVE-2020-14979 to obtain kernel-level access and disable hardware prefetchers. The malware also used a hardcoded December 23, 2025 kill switch, attempted to terminate the Windows Explorer shell, and connected to the Kryptex mining pool at xmr-sg.kryptex.network:8029. Published guidance recommended enabling Microsoft's vulnerable driver blocklist, restricting USB device access, and blocking outbound traffic to known mining pools.
- Cryptojacking Campaign Exploits Driver to Boost Monero Mining — www.infosecurity-magazine.com — 18.02.2026 18:00
- Wormable XMRig Campaign Uses BYOVD Exploit and Time-Based Logic Bomb — thehackernews.com — 23.02.2026 19:59