Wormable XMRig Campaign Uses BYOVD Exploit and Time-Based Logic Bomb
Source: The Hacker News
Campaign Overview
Cybersecurity researchers have disclosed details of a new cryptojacking campaign that uses pirated software bundles as lures to deploy a bespoke XMRig miner program on compromised hosts.
“Analysis of the recovered dropper, persistence triggers, and mining payload reveals a sophisticated, multi‑stage infection prioritizing maximum cryptocurrency mining hashrate, often destabilizing the victim system,” Trellix researcher Aswath A said in a technical report published last week.
“Furthermore, the malware exhibits worm‑like capabilities, spreading across external storage devices, enabling lateral movement even in air‑gapped environments.”
The entry point of the attack is social‑engineering decoys that advertise free premium software in the form of pirated bundles (e.g., installers for office productivity suites) to trick unsuspecting users into downloading malware‑laced executables.
The binary acts as the central nervous system of the infection, serving different roles:
- installer
- watchdog
- payload manager
- cleaner
It features a modular design that separates the monitoring features from the core payloads responsible for cryptocurrency mining, privilege escalation, and persistence (re-launching components if they are terminated).
Mode Switching
Mode switching is achieved via command‑line arguments:
| Argument | Function |
|---|---|
| (none) | Environment validation and migration during the early installation phase |
| 002 | Drop the main payloads, start the miner, and enter a monitoring loop |
| 016 | Restart the miner process if it’s killed |
| barusu | Initiate a self‑destruct sequence (terminate all malware components and delete files) |
A logic bomb checks the local system time against a predefined timestamp:
- Before 23 December 2025 – the malware installs persistence modules and launches the miner.
- After 23 December 2025 – the binary is launched with the barusu argument, causing a “controlled decommissioning” of the infection.
The hard deadline of 23 December 2025 suggests the campaign was intended to run indefinitely on compromised systems. The date may signal the expiration of rented command‑and‑control (C2) infrastructure, a predicted shift in the cryptocurrency market, or a planned migration to a new malware variant, Trellix said.
File Inventory
Caption – Overall file inventory
In the standard infection routine, the binary (a “self‑contained carrier” for all malicious payloads) writes the components to disk, including a legitimate Windows Telemetry service executable used to sideload the miner DLL.
Additional dropped files:
- Persistence mechanisms
- Tools to terminate security products
- A legitimate but vulnerable driver WinRing0x64.sys (used in a Bring Your Own Vulnerable Driver (BYOVD) technique)
The driver is vulnerable to CVE‑2020‑14979 (CVSS 7.8), which allows privilege escalation. Integrating this exploit into the XMRig miner gives the attackers greater control over the CPU’s low‑level configuration, boosting RandomX hashrate by 15 %–50 %.
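The dispatcher arguments in the Mode Switching table, the 23 December 2025 cut-over, and the WinRing0x64.sys driver load above are all visible to endpoint telemetry. The following added example (not Trellix's code, and not part of the original article) scans a few constructed log lines, in a simplified key=value format that stands in for Sysmon or EDR process-creation and driver-load events, and flags exactly those indicators while ignoring a look-alike argument such as `002.txt`:

```python
import re
from datetime import datetime

# Constructed sample log lines in a simplified "timestamp | event | key=value" form
# (not real Sysmon/EDR output), illustrating the indicators described in the article.
SAMPLE_LOG = """\
2025-12-08T10:15:02Z | ProcessCreate | Image=C:\\Users\\bob\\Downloads\\OfficeSetup.exe CommandLine="OfficeSetup.exe"
2025-12-08T10:15:05Z | ProcessCreate | Image=C:\\ProgramData\\svc\\carrier.exe CommandLine="carrier.exe 002"
2025-12-08T10:15:09Z | DriverLoad | ImageLoaded=C:\\Windows\\Temp\\WinRing0x64.sys
2025-12-08T10:16:30Z | ProcessCreate | Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe 002.txt"
2025-12-24T09:00:00Z | ProcessCreate | Image=C:\\ProgramData\\svc\\carrier.exe CommandLine="carrier.exe barusu"
"""

# Dispatcher arguments from the article and what each mode does.
MODE_ARGS = {"002": "drop payloads, start miner", "016": "restart killed miner", "barusu": "self-destruct"}
DEADLINE = datetime(2025, 12, 23)   # logic-bomb cut-over date from the article
VULN_DRIVER = "winring0x64.sys"     # BYOVD driver (CVE-2020-14979)

LINE_RE = re.compile(r"^(?P<ts>\S+) \| (?P<event>\w+) \| (?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Parse one constructed log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "event": m["event"]}
    rec.update({k: v.strip('"') for k, v in KV_RE.findall(m["fields"])})
    return rec

def classify(rec):
    """Return a finding string for a parsed record, or None if it looks benign."""
    if rec["event"] == "DriverLoad" and rec.get("ImageLoaded", "").lower().endswith(VULN_DRIVER):
        return "byovd_driver_load"
    if rec["event"] == "ProcessCreate":
        # Only a bare dispatcher argument counts: "notepad.exe 002.txt" must not match.
        args = rec.get("CommandLine", "").split()[1:]
        if len(args) == 1 and args[0] in MODE_ARGS:
            phase = "post_deadline" if rec["ts"] >= DEADLINE else "pre_deadline"
            return f"mode_arg:{args[0]}:{phase}"
    return None

def scan(log_text):
    """Return [(timestamp, finding)] for every suspicious line in the log."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (hit := classify(rec)):
            findings.append((rec["ts"].isoformat(), hit))
    return findings

if __name__ == "__main__":
    for ts, hit in scan(SAMPLE_LOG):
        print(ts, hit)
```

A real deployment would key the driver check on the file hash rather than the name, since the driver can be renamed on disk; the dispatcher-argument check is the part a hunt query can reuse directly.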
“A distinguishing feature of this XMRig variant is its aggressive propagation capability,” Trellix said. “It does not rely solely on the user downloading the dropper; it actively attempts to spread to other systems via removable media. This transforms the malware from a simple Trojan into a worm.”
Evidence shows mining activity throughout November 2025, with a spike on 8 December 2025.
“This campaign serves as a potent reminder that commodity malware continues to innovate,” the cybersecurity company concluded. “By chaining together social engineering, legitimate software masquerades, worm‑like propagation, and kernel‑level exploitation, the attackers have created a resilient and highly efficient botnet.”