A sophisticated cryptocurrency mining campaign has emerged, targeting systems through external storage devices with the ability to compromise even air-gapped environments.<\/p>\n
The malware operates as a multi-stage infection that prioritizes mining Monero cryptocurrency while establishing persistent mechanisms to resist removal.<\/p>\n
Unlike typical cryptojacking operations<\/a>, this campaign employs kernel-level exploitation and worm-like propagation capabilities.<\/p>\n The attack begins through pirated software bundles masquerading as legitimate office productivity suite installers.<\/p>\n Once executed, the malware deploys multiple components that work in coordination to maintain the infection and maximize mining output.<\/p>\n The operation features watchdog processes creating a self-healing architecture where terminating one component triggers others to resurrect it within seconds.<\/p>\n What makes this threat particularly concerning is its propagation method. Trellix analysts identified the campaign<\/a> in late 2025, uncovering an operation that actively monitors for newly connected external drives.<\/p>\n When users insert USB flash drives or external hard disks, the malware automatically copies itself to the device and creates hidden folders with deceptive shortcuts.<\/p>\n This mechanism enables lateral movement across networks and can breach air-gapped systems through physical media transfer.<\/p>\n The malware\u2019s architecture demonstrates deliberate separation between command logic and execution logic.<\/p>\n The controller handles monitoring and decision-making while remaining lightweight to avoid triggering security software<\/a>.<\/p>\n Separate payload components handle resource-intensive mining operations and aggressive defensive actions, including terminating security tools or the legitimate Windows Explorer process.<\/p>\n The most technically advanced component involves a Bring Your Own Vulnerable Driver technique. The malware drops WinRing0x64.sys, a legitimate but vulnerable driver component containing CVE-2020-14979.<\/p>\n This vulnerability allows gaining Ring 0 kernel privileges, bypassing the operating system\u2019s hardware abstraction layer.<\/p>\n Through kernel access, the malware modifies CPU Model Specific Registers to disable hardware prefetchers that interfere with RandomX mining algorithm efficiency.<\/p>\n This optimization increases the Monero mining hashrate by 15 to 50 percent.<\/p>\n The technique achieves performance improvements without writing a malicious driver, instead piggybacking on the valid digital signature of the vulnerable legacy driver.<\/p>\n The campaign incorporates temporal controls with hardcoded logic checking the system date against December 23, 2025.<\/p>\n Before this deadline, the malware proceeds with infection routines, but afterward triggers cleanup mode that terminates components and deletes dropped files, suggesting a planned operational lifecycle.<\/p>\n Organizations should enforce Microsoft\u2019s Vulnerable Driver Blocklist through Windows Defender<\/a> Application Control to prevent vulnerable drivers from loading.<\/p>\n Implementing device control policies to restrict removable media can cut off the worm\u2019s propagation vector.<\/p>\n Security teams should configure web filtering<\/a> to block outbound connections to consumer-grade mining pools and enforce security awareness training regarding pirated software risks.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Advanced Crypto Mining Malware Spreads Through External Drives and Air-Gapped Systems<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Overall](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjz5_lkhWxyBHYBQ5jqRlArLMu1kiXNzezEMp9YPVww_ha1Mm5QszFrq580XQ-6RDmWY2RoBDgR2ES8qZdFCEs5zryRWV189JdiKRooIAIP-5msfhlHlfbsLfM6Qo1M3Y_5kAbjdydZCvRCnngg4f5_8H7IRLotP89f2VrExJQObmoTlQbv9UFXAEhljn8\/s16000\/Overall%2520File%2520Inventory%2520%28Source%2520-%2520Trellix%29.webp?ssl=1\")
![\"The](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjNmkOIxKnQEIEO9SET3pUGKWQCrHx5rJMFSI8Dsck9DyQ6QlS4X2hAiLFrvIr_xptJV8D1eKK3OJMY5ZpdVjAc7OHXYtndiH8U_yKNSUHHr4F10YZ46BqOd27Y2k0Ml1rEIAq92pvhgAR_PwRxI-60xgSQpBo-oJLJvkwprVW15MwX0mn2X_Tnn2YhvoE\/s16000\/The%2520Circular%2520Dependency%2520flowgraph%2520%28Source%2520-%2520Trellix%29.webp?ssl=1\")
Kernel-Level Exploitation and Performance Optimization<\/strong><\/h2>\n
![\"Handshake](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiLf-GIQDtAQ9XtpSm1D6Eykkq3d7nBnbhwaBqACdh0k6feATP4eaaUAVTndTY2Dazu84Y1e0BPXUtamCuzfy5X5zL6TztE42ffw-6sGgACs3VznQGfzOISF-qMftOx_7Nz2hU9tNXZFte213uInAb4xCGRvHeTmICjpb8e4airRCZgTSh8uBquICKCCWM\/s16000\/Handshake%2520flowgraph%2520%28Source%2520-%2520Trellix%29.webp?ssl=1\")