A newly identified cryptojacking campaign that spreads through pirated software installers has been uncovered by researchers, revealing a multi-stage infection chain designed for persistence, stealth and maximum cryptocurrency mining output.
The operation, discovered by security firm Trellix, centres on a customised XMRig miner and a controller component that maintains long-term access to infected systems.
Unlike earlier browser-based cryptojacking schemes, this campaign deploys system-level malware. It relies on deceptive installers masquerading as office productivity software, luring users with free premium applications.
Once executed, the dropper installed a primary controller named Explorer.exe in the user directory and initiated a staged deployment of mining and persistence components.
Modular Design Enhances Resilience
The controller functioned as a state-driven orchestrator rather than a simple loader. Depending on command-line arguments, it could install, monitor, relaunch or remove components.
Trellix found references to the anime Re:Zero - Starting Life in Another World embedded in the code, including a "002 Re:0" parameter that activates the main infection mode and a "barusu" argument that triggered a structured cleanup routine.
A hardcoded expiration date of December 23, 2025, acted as a time-based kill switch. Before that date, the malware operated normally. Afterward, it initiated self-removal procedures, suggesting a finite campaign lifecycle.
To maintain persistence, the malware deployed multiple watchdog processes disguised as legitimate software, including fake Microsoft Edge and WPS executables.
If one component was terminated, another relaunched it within seconds. In some cases, the malware attempted to terminate the legitimate Windows Explorer shell to disrupt user activity and regain control.
Kernel Exploit Boosts Hashrate
A notable feature was the use of a vulnerable signed driver, WinRing0x64.sys, associated with CVE-2020-14979.
By loading this driver, the attackers gained kernel-level access and modified CPU registers to disable hardware prefetchers. This optimization reportedly increased Monero RandomX mining performance by 15% to 50%.
The campaign connected to the Kryptex mining pool at xmr-sg.kryptex.network:8029 and used a Monero wallet for payouts. At the time of analysis, researchers observed one active worker generating approximately 1.24 KH/s, with mining activity increasing from December 8, 2025.
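The indicators in the preceding paragraphs (a controller named Explorer.exe outside the Windows directory, the "002 Re:0" and "barusu" arguments, the WinRing0x64.sys driver load, watchdogs posing as Edge and WPS, and the pool endpoint) map directly onto endpoint telemetry. The following triage script is an added example written for this page, not tooling from Trellix or from the report; it assumes a simplified, constructed key=value rendering of Sysmon-style events (event ids 1, 3 and 6 are Sysmon's real process-create, network-connect and driver-load ids, but the field names, the sample lines, the impersonated image names msedge.exe and wps.exe, and the trusted-directory heuristic are assumptions made here).

```python
"""Triage rules for the cryptojacking campaign described above.

Added example, not the vendor's detection content. The log format is a
constructed key=value rendering of Sysmon-style events; field names are
assumptions chosen for this example.
"""
import re

# Indicators taken from the write-up above.
POOL_HOST = "xmr-sg.kryptex.network"
POOL_PORT = 8029
VULN_DRIVER = "winring0x64.sys"          # CVE-2020-14979 (per the write-up)
CONTROLLER_ARGS = ("002 Re:0", "barusu")  # infection mode / cleanup mode

# The write-up says the watchdogs pose as Edge and WPS; the exact image
# names and the trusted install directories below are assumptions.
IMPERSONATED = {"msedge.exe", "wps.exe"}
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")

# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    'eventid=1 image="C:\\Users\\alice\\Explorer.exe" cmdline="Explorer.exe 002 Re:0"',
    'eventid=6 imageloaded="C:\\Users\\alice\\WinRing0x64.sys" signed=true',
    'eventid=3 image="C:\\Users\\alice\\msedge.exe" desthost=xmr-sg.kryptex.network destport=8029',
    'eventid=1 image="C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe" cmdline="msedge.exe"',
    'eventid=3 image="C:\\Windows\\System32\\svchost.exe" desthost=update.example.invalid destport=443',
]


def parse_event(line):
    """Parse 'key=value' pairs; values may be double-quoted to contain spaces."""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def classify(ev):
    """Return the names of the rules that fire for one parsed event, in rule order."""
    hits = []
    eid = ev.get("eventid")
    image = ev.get("image", "").lower()
    name = image.rsplit("\\", 1)[-1]

    # Image-based rules apply to any event that carries an image path.
    if name == "explorer.exe" and not image.startswith(r"c:\windows"):
        hits.append("controller_explorer_outside_windows")
    if name in IMPERSONATED and not image.startswith(TRUSTED_DIRS):
        hits.append("watchdog_impersonation")

    if eid == "1":
        cmd = ev.get("cmdline", "")
        if any(arg in cmd for arg in CONTROLLER_ARGS):
            hits.append("controller_cmdline_marker")
    elif eid == "6":
        if ev.get("imageloaded", "").lower().endswith(VULN_DRIVER):
            hits.append("vulnerable_driver_load")
    elif eid == "3":
        if (ev.get("desthost", "").lower() == POOL_HOST
                and ev.get("destport") == str(POOL_PORT)):
            hits.append("mining_pool_connection")
    return hits


def triage(lines):
    """Run every rule over raw log lines; return only the lines that matched."""
    findings = []
    for idx, line in enumerate(lines):
        rules = classify(parse_event(line))
        if rules:
            findings.append({"line": idx, "rules": rules})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"line {f['line']}: {', '.join(f['rules'])}")
```

The rules are deliberately independent: a single pool connection or a single load of the known-vulnerable driver is worth an alert on its own, while the controller and watchdog rules are corroborating signals that a host is running the persistence layer described above. Exact-match indicators such as the pool host and port will go stale when the operators rotate infrastructure, so the path-based heuristics (a shell binary or browser running from a user directory) are the ones most likely to keep firing on later variants.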
"This campaign serves as a potent reminder that commodity malware continues to innovate," Trellix warned.
"As long as legacy drivers with known vulnerabilities remain validly signed and loadable, attackers will continue to use them as keys to the kingdom, bypassing the sophisticated protections of Ring 3 to operate with impunity in the Kernel."
The company advised organisations to enable Microsoft's vulnerable driver blocklist, restrict USB device access and block outbound traffic to known mining pools.
