Wormable XMRig Campaign Uses BYOVD Exploit and Time-Based Logic Bomb

Researchers disclosed a cryptojacking campaign that uses pirated software bundles to lure victims and deploys a bespoke XMRig miner via a modular binary that functions as installer, watchdog, payload manager, and cleaner. The operation uses BYOVD via WinRing0x64.sys (CVE-2020-14979) to escalate privileges and boost RandomX hashrates, spreads like a worm via removable media, and includes a December 23, 2025 time-based logic bomb for controlled decommissioning. Per Trellix, Darktrace, and WhoisXML API, it also shows links to AI-aided React2Shell (CVE-2025-55182) exploits and the ILOVEPOOP scanning toolkit. #XMRig #WinRing0x64 #CVE-2020-14979 #React2Shell #CVE-2025-55182 #ILOVEPOOP #Trellix #Darktrace #WhoisXMLAPI

Keypoints

  • The campaign uses pirated software bundles as social-engineering lures to deliver a malware dropper.
  • A single modular binary acts as installer, watchdog, payload manager, and cleaner, switching modes via command-line arguments.
  • Attackers employ BYOVD with WinRing0x64.sys (CVE-2020-14979) to escalate to kernel privileges and increase RandomX mining performance.
  • The malware propagates worm-like to removable media, enabling lateral movement, and contains a logic bomb that triggers a controlled decommission on December 23, 2025.
  • Researchers linked AI-assisted React2Shell (CVE-2025-55182) exploitation and the ILOVEPOOP scanning toolkit to the campaign, which targeted government, defense, finance, and industrial sectors.

Read More: https://thehackernews.com/2026/02/wormable-xmrig-campaign-uses-byovd.html