{"id":53061,"date":"2025-02-19T04:53:49","date_gmt":"2025-02-19T09:53:49","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=53061"},"modified":"2025-02-19T04:53:49","modified_gmt":"2025-02-19T09:53:49","slug":"miner-xmrig-delivered-via-torrents","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/miner-xmrig-delivered-via-torrents\/53061\/","title":{"rendered":"XMRig miner as a New Year&#8217;s gift"},"content":{"rendered":"<p>From December 31, 2024, our telemetry began detecting a significant surge in the activity of the XMRig cryptominer. While most of the malware launches were detected by home security solutions, some were found on corporate systems. A thorough investigation revealed that cybercriminals had been distributing the malware through game torrents. The attack likely targeted gamers in various countries, including Russia, Brazil, and Germany. However, the cryptominer also surfaced on corporate networks \u2014 probably due to employees using work computers for personal use.<\/p>\n<h2><strong>Malicious campaign <\/strong><\/h2>\n<p>The campaign, affectionately named StaryDobry (\u201cthe good old one\u201d in Russian) by our analysts, was carefully planned: malicious distributions were created and uploaded to torrent sites between September and December 2024. Of course, the infected games were <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/repack\/\" target=\"_blank\" rel=\"noopener\">repacks<\/a> \u2014 modified versions designed to bypass authenticity checks (in other words, cracked).<\/p>\n<p>Users began downloading and installing these trojanized games, and for a while, the malware showed no signs of activity. But then, on December 31, it received a command from the attackers\u2019 remote server, triggering the download and execution of the miner on infected devices. 
The list of trojanized titles included popular sim games such as Garry\u2019s Mod, BeamNG.Drive, and Universe Sandbox.<\/p>\n<p>We closely examined a sample of the malware and discovered the following:<\/p>\n<ul>\n<li>Before launching, the program checks whether it\u2019s running in a debugging environment or sandbox. If it is, the installation is immediately terminated.<\/li>\n<li>The miner is a slightly modified executable of <a href=\"https:\/\/securelist.com\/miner-xmrig\/99151\/\" target=\"_blank\" rel=\"noopener\">XMRig, which we covered in detail back in 2020<\/a>.<\/li>\n<li>If the infected device has fewer than 8 CPU cores, the miner doesn\u2019t run.<\/li>\n<\/ul>\n<p>Our products detect the malware used in this campaign as Trojan.Win64.StaryDobry.*, Trojan-Dropper.Win64.StaryDobry.*, and HEUR:Trojan.Win64.StaryDobry.gen. More technical details and indicators of compromise can be found in the <a href=\"https:\/\/securelist.com\/starydobry-campaign-spreads-xmrig-miner-via-torrents\/115509\/\" target=\"_blank\" rel=\"noopener\">Securelist publication<\/a>.<\/p>\n<h2><strong>How to protect your corporate network from miners<\/strong><\/h2>\n<p>From a corporate security perspective, the real concern isn\u2019t just the malware itself, but where it was discovered. A miner in a corporate network is certainly unpleasant \u2014 but at least it doesn\u2019t steal data. However, there\u2019s no guarantee that, next time, a repacked game won\u2019t be hiding a stealer or ransomware. As long as employees install pirated games on work computers, gaming-related malware will keep infiltrating corporate systems.<\/p>\n<p>Therefore, the main recommendation for information security personnel is to block torrents at the security policy level (unless, of course, they\u2019re necessary for your company\u2019s business processes). Ideally, all non-work-related software should be completely prohibited. 
In addition, we have two traditional recommendations:<\/p>\n<ul>\n<li>Install <a href=\"https:\/\/www.kaspersky.com\/next?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____a8c0f733e524af27\" target=\"_blank\" rel=\"noopener nofollow\">a reliable security solution<\/a>\u00a0on <strong>all work devices<\/strong>.<\/li>\n<li><strong>Train employees in cybersecurity hygiene basics<\/strong>. In the vast majority of cases, human actions serve as the entry point for cyberattacks on corporate systems. That\u2019s why it\u2019s crucial to educate personnel on how to recognize and respond to relevant cyberthreats. One effective way to do this is to use our <a href=\"https:\/\/k-asap.com\/en\/?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">interactive online training platform, Kaspersky Automated Security Awareness Platform<\/a>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Just a few hours before 2025, we recorded a surge in cryptominer distribution through video games. 
Interestingly, not only home PCs but also corporate machines were affected.<\/p>\n","protected":false},"author":312,"featured_media":53062,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051,3052],"tags":[2756,422],"class_list":{"0":"post-53061","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-miners","11":"tag-threats"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/miner-xmrig-delivered-via-torrents\/53061\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/miner-xmrig-delivered-via-torrents\/28600\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/miner-xmrig-delivered-via-torrents\/23840\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/miner-xmrig-delivered-via-torrents\/28715\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/miner-xmrig-delivered-via-torrents\/39082\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/miner-xmrig-delivered-via-torrents\/28844\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/miner-xmrig-delivered-via-torrents\/34667\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/miner-xmrig-delivered-via-torrents\/34295\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/miners\/","name":"miners"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53061","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/312"}],"replies":[{"embeddable":true,"href":"https:\/\/w
ww.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=53061"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53061\/revisions"}],"predecessor-version":[{"id":53064,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/53061\/revisions\/53064"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/53062"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=53061"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=53061"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=53061"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}