Massive XMRig Cryptominer Campaign Exploited Game Torrents Over the Holidays

Written by: Lore Apostol, Cybersecurity & Streaming Writer

A widespread and highly sophisticated attack was discovered on December 31, 2024, exploiting the holiday season's reduced vigilance and increased torrent activity to distribute the XMRig cryptominer via trojanized versions of popular games. 

The attack spread across global regions, with infections most frequently observed in Russia, followed by Belarus, Kazakhstan, Germany, and Brazil, as revealed in the latest Kaspersky security report.

The threat actors leveraged popular torrent trackers to distribute malicious "repack" versions of well-known games such as BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy. 

[Figure] Miner distributed via a trojanized version of Dyson Sphere Program | Source: Kaspersky

These altered game installers contained a sophisticated infection chain, leading to the deployment of the XMRig cryptominer implant. 

The malicious game releases were uploaded to torrent sites as early as September 2024 and were actively downloaded by unsuspecting users during the holiday season when torrent traffic saw a significant spike.

Kaspersky's analysis revealed that although the repacked installers appeared to have been uploaded by multiple authors, all were cracked using a consistent methodology. This suggests coordination or a single actor operating under multiple aliases.

Once executed, the trojanized installer deployed a range of defense evasion techniques, leveraging debugging environment checks, process monitoring, custom mining infrastructure, and DNS-over-HTTPS (DoH).

DoH is employed by the attacker to hide communication between infected machines and their command-and-control (C2) infrastructure, making it significantly harder to monitor and analyze traffic.

The attacker utilizes a modified XMRig cryptominer, which constructs a predefined command line to configure its operation. Instead of relying on a public mining pool, the attackers host a private server, further obfuscating their activities.
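Process-creation telemetry is one place a defender can catch the behaviour described above: a miner that builds an XMRig-style command line and points it at a pool nobody recognises. The following Python is an added example, not code from Kaspersky's report or from this article; the XMRig option names are the real ones from the open-source miner, while the log format, the public-pool allow-list and the sample log lines are constructed assumptions.

```python
import re
import shlex

# Real XMRig switches: the pool URL, and other options a miner invocation typically carries.
XMRIG_POOL_FLAGS = {"-o", "--url"}
XMRIG_MARKER_FLAGS = {"-u", "--user", "-a", "--algo", "--coin", "--donate-level",
                      "-k", "--keepalive", "--tls", "--cpu-max-threads-hint"}
# Assumption: a small allow-list of public pools; anything else is treated as a private server.
KNOWN_PUBLIC_POOL_SUFFIXES = ("supportxmr.com", "hashvault.pro", "nanopool.org")

# Constructed sample log, format "pid|image|command line" (not real telemetry).
SAMPLE_PROCESS_LOG = [
    "4120|C:/Games/Installer/setup.exe|setup.exe /S",
    "4188|C:/Windows/Temp/svchost.exe|svchost.exe -o stratum+tcp://pool.private.example:3333 "
    "-u x --donate-level=0 --tls --cpu-max-threads-hint 50",
    "5012|C:/Tools/xmrig.exe|xmrig.exe --url=pool.supportxmr.com:443 -u wallet -p x --tls",
]

def pool_host(value):
    """Reduce 'stratum+tcp://host:port' or 'host:port' to the bare host name."""
    value = re.sub(r"^[a-z+]+://", "", value, flags=re.I)
    return value.split("/")[0].rsplit(":", 1)[0].lower()

def analyze_cmdline(cmdline):
    """Return pool/marker details if the command line looks like an XMRig invocation, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    pool, markers = None, []
    for i, tok in enumerate(argv):
        name, _, inline = tok.partition("=")          # handles both "--url=x" and "-o x"
        if name in XMRIG_POOL_FLAGS:
            raw = inline or (argv[i + 1] if i + 1 < len(argv) else "")
            pool = pool_host(raw) if raw else None
        elif name in XMRIG_MARKER_FLAGS:
            markers.append(name)
    if pool is None and len(markers) < 2:              # too weak a signal on its own
        return None
    private = pool is not None and not pool.endswith(KNOWN_PUBLIC_POOL_SUFFIXES)
    return {"pool": pool, "markers": markers, "private_pool": private}

def scan_log(lines):
    """Run the command-line check over every log line and collect findings."""
    findings = []
    for line in lines:
        pid, image, cmdline = line.split("|", 2)
        result = analyze_cmdline(cmdline)
        if result:
            findings.append({"pid": int(pid), "image": image, **result})
    return findings
```

A hit with `private_pool` set, on a process whose image name imitates a system binary, is the combination worth escalating; the allow-list only tells you the pool is unfamiliar, not that it is malicious.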

While the attack predominantly targeted individuals downloading free games, it also affected a limited number of corporate systems. However, these organizational infections appear to have occurred indirectly, as compromised machines were likely part of broader corporate infrastructures rather than being specific targets.

The actors strategically distributed malware-laden games that appealed to casual gamers, particularly those using gaming machines capable of supporting cryptomining operations. 

Choosing lightweight, high-performance games that demand few system resources also left enough headroom for the miner implant to run on infected devices.

The Russian language within the malware's Program Database (PDB) suggests that the threat actor may be Russian-speaking. The campaign's sophisticated execution chain and the actors' conscious effort to conceal their activities highlight a potentially well-funded operation.

Similarly, over 220,000 computers were infected in 2021 by XMRig malware downloaded as game cracks.
