
Wormable XMRig Campaign Leverages BYOVD and Timed Kill Switch for Stealth

  • Feb 23

Key Findings


  • Wormable cryptojacking campaign spreads through pirated software installers

  • Uses BYOVD (Bring Your Own Vulnerable Driver) technique to gain kernel-level access and boost mining performance

  • Includes a time-based "kill switch" set to December 23, 2025, triggering a controlled cleanup routine

  • Exhibits worm-like capabilities, spreading across external storage devices for lateral movement

  • Modular design separates monitoring features from mining, persistence, and privilege escalation payloads

  • Leverages a circular watchdog system to ensure components relaunch each other if terminated


Background


The campaign targets unsuspecting users with pirated software bundles, such as installers for popular productivity suites, to distribute a custom XMRig miner program. The malware's modular design and sophisticated infection chain demonstrate the continued innovation in commodity malware, blending social engineering, legitimate software masquerades, worm-like propagation, and kernel-level exploitation to create a resilient and efficient botnet.


Infection Chain


  • The campaign's entry point is social engineering lures that advertise free premium software in the form of pirated installers

  • The malicious binary acts as the central orchestration node, serving different roles (installer, watchdog, payload manager, cleaner) throughout the infection lifecycle

  • It leverages a BYOVD (Bring Your Own Vulnerable Driver) technique, abusing the WinRing0x64.sys driver to gain kernel-level access and optimize mining performance

  • Payloads are embedded in the binary's resource section, decompressed, and disguised as legitimate software


Persistence and Spreading


  • The malware includes a circular watchdog system to ensure components relaunch each other if terminated

  • It even kills the real Windows Explorer process to disrupt users and maintain control

  • A worm module spreads the malware through USB drives, quietly listening for new removable devices and copying the malicious binary onto them


Kill Switch and Campaign Lifecycle


  • The malware includes a time-based "kill switch" set to December 23, 2025

  • Before the deadline, the malware proceeds with the standard infection routine, installing persistence modules and launching the miner

  • After the deadline, the binary is launched with a "self-destruct" argument, triggering a controlled decommissioning of the infection

  • This suggests the campaign is not intended to be indefinite, possibly timed to coincide with the expiration of rented C2 infrastructure, a predicted shift in the cryptocurrency market, or a planned transition to a new malware variant
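The behaviours summarised in the Infection Chain, Persistence and Spreading, and Kill Switch sections above give a defender concrete things to look for. The following is an added detection example, not code from the original post or from the researchers it summarises: it runs over constructed Sysmon-style driver-load and file-create events (not real telemetry), flags loads of the WinRing0x64.sys driver named in the report, flags executables written to removable media, and tags each hit with the campaign phase implied by the December 23, 2025 kill switch. Assumptions: the key=value log format and the removable drive letters are invented for the sample, and the deadline day itself is treated as "after" the kill switch.

```python
import re
from datetime import date, datetime

# Constructed sample telemetry in a Sysmon-like key=value line format (not real logs).
# EventID 6 = driver loaded, EventID 11 = file created.
SAMPLE_EVENTS = [
    "EventID=6 UtcTime=2025-11-02T09:14:03 ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\WinRing0x64.sys",
    "EventID=6 UtcTime=2025-11-02T09:14:05 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys",
    "EventID=11 UtcTime=2025-11-02T09:20:41 Image=C:\\Users\\alice\\AppData\\Roaming\\svc.exe TargetFilename=E:\\Setup.exe",
    "EventID=11 UtcTime=2025-11-02T09:21:00 Image=C:\\Program Files\\Editor\\editor.exe TargetFilename=C:\\Users\\alice\\Documents\\notes.txt",
]

# The vulnerable driver the report names; extend with other blocklisted drivers as needed.
VULNERABLE_DRIVERS = {"winring0x64.sys"}
# Assumption: drive letters of removable media on the monitored host (taken from device inventory).
REMOVABLE_ROOTS = ("E:\\", "F:\\")
KILL_SWITCH = date(2025, 12, 23)  # the time-based kill switch described in the report

def parse_event(line):
    """Split a key=value line into a dict; values may contain spaces (e.g. 'Program Files')."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))

def campaign_phase(when):
    """Assumption: a timestamp on or after the deadline day counts as 'after' the kill switch."""
    return "self-destruct" if when >= KILL_SWITCH else "infection"

def classify(event):
    """Return a finding for events matching behaviours described in the report, else None."""
    when = datetime.fromisoformat(event["UtcTime"]).date()
    if event.get("EventID") == "6":
        path = event["ImageLoaded"]
        if path.rsplit("\\", 1)[-1].lower() in VULNERABLE_DRIVERS:
            return {"rule": "byovd_driver_load", "path": path,
                    "outside_driver_dir": not path.lower().startswith("c:\\windows\\system32\\drivers\\"),
                    "phase": campaign_phase(when)}
    elif event.get("EventID") == "11":
        target = event["TargetFilename"]
        if target.upper().startswith(REMOVABLE_ROOTS) and target.lower().endswith(".exe"):
            return {"rule": "exe_written_to_removable_media", "path": target,
                    "writer": event.get("Image"), "phase": campaign_phase(when)}
    return None

def scan(lines):
    """Run classify over raw log lines and keep only the hits."""
    return [f for f in (classify(parse_event(l)) for l in lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

In production the removable-media check should come from the device class of the volume rather than a fixed drive-letter list, and driver-load hits should be correlated with the process that dropped the driver file.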


Conclusion


This cryptojacking campaign demonstrates the ongoing evolution of commodity malware, leveraging advanced techniques like BYOVD and worm-like propagation to maximize the impact and evasiveness of the XMRig miner. The inclusion of a time-based kill switch further highlights the attacker's strategic planning, potentially signaling a transition to a new malware variant or infrastructure. The research serves as a reminder of the critical weaknesses in modern OS security models and the need for continued vigilance against innovative threats.


Sources


  • https://securityaffairs.com/188388/malware/wormable-xmrig-campaign-leverages-byovd-and-timed-kill-switch-for-stealth.html

  • https://thehackernews.com/2026/02/wormable-xmrig-campaign-uses-byovd.html

© 2025 by Explain IT Again.
