Introduction:
South Korea’s iconic Internet cafés, locally called “PC bangs,” are now under siege by a wave of cyberattacks that tap into their high-end gaming systems for illegal crypto mining. A recent report by AhnLab Security Intelligence Center (ASEC) uncovers how hackers are targeting the very backbone of these cafés — their management software — using a combination of Gh0st RAT and the GPU-optimized T-Rex CoinMiner. These attacks not only drain computing power but also risk exposing sensitive data, putting thousands of public computers and café operators in jeopardy. Here’s a deep dive into the details of this growing threat and what it means for the future of public computing hubs.
The Scope of the Attacks:
AhnLab’s report reveals a persistent cyber threat campaign targeting PC bangs in South Korea. Since the second half of 2024, attackers have focused on computers running the specialized management software used to monitor sessions and automate café operations, and that software has become an unexpected weak link. The report suggests the attackers either exploit vulnerabilities in it or tamper with its updates to get in, though the exact initial access method remains unclear.
Once inside, the attackers deploy Gh0st RAT, a remote access trojan initially created by a Chinese hacking group but now widespread in cybercrime circles. This malware allows hackers to monitor user activity, log keystrokes, capture screens, and manipulate files — essentially giving them full control over the infected machines. Uniquely, in this campaign, the RAT communicates with command servers using a signature called “Level” to avoid being detected by conventional antivirus software.
But this is just the beginning. The attackers also unleash another malware component known as “Patcher”, which scans active processes for the café’s management tool, alters its memory, and ensures malware stays active even after reboots or software changes. Logs found on compromised systems point to Gh0st RAT droppers being installed in folders directly related to the Internet café’s operational software.
The end goal is crypto mining. The final payload is T-Rex CoinMiner, which leverages the powerful GPUs found in gaming PCs to mine cryptocurrencies like Ethereum and RavenCoin. This miner is preferred over the more common XMRig because it offers better performance on high-end graphics cards. It hides in system folders and often masquerades as a legitimate program to avoid raising suspicion. With each software update, the malware adapts its path to stay hidden.
Supporting malware such as KillProc (which shuts down rival crypto miners) and additional payload droppers help the attackers maintain control and maximize profit. Other tools, such as PhoenixMiner, have been found in the same ecosystem, indicating a highly tailored, aggressive push for crypto revenue.
PC bang operators are now urged to keep their systems updated, install strong endpoint protection, and audit regularly for known indicators of compromise (IoCs) — such as specific IPs, MD5 hashes, and suspicious URLs listed in the ASEC report.
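The IoC audit the report recommends can be scripted. The following Python example is added here and is not code from the ASEC report or from cyberpress.org; the hash, IP address and directory names in it are constructed placeholders, not the report's real indicators, and must be replaced with the values the report lists before use. It hashes every file under a directory tree (rather than checking fixed paths, because the text says the miner changes its install path with each update) and matches "netstat -ano"-style connection lines against indicator IPs.

```python
import hashlib
import os
import re
import tempfile

# Placeholder indicators (NOT the ASEC report's values). The "known-bad" hash is
# derived from a constructed byte string so the demonstration is self-contained.
SAMPLE_MINER_BYTES = b"constructed stand-in for a known-bad binary\n"
IOC_MD5 = {hashlib.md5(SAMPLE_MINER_BYTES).hexdigest()}
IOC_IPS = {"203.0.113.10"}  # RFC 5737 documentation address, placeholder


def md5_of_file(path, chunk=1 << 20):
    """Stream the file through MD5 so large binaries are not loaded into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, ioc_hashes):
    """Hash every regular file under root; return (path, md5) for indicator matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # locked or unreadable file: log it and move on in production
            if digest in ioc_hashes:
                hits.append((path, digest))
    return hits


# One "netstat -ano"-style line: proto, local addr:port, remote addr:port, optional state, PID.
CONN_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def scan_connections(lines, ioc_ips):
    """Return (remote_ip, remote_port, pid) for every connection to an indicator IP."""
    hits = []
    for line in lines:
        m = CONN_LINE.match(line)
        if not m:
            continue  # header lines and "*:*" listeners do not parse, which is fine
        _proto, _laddr, _lport, raddr, rport, _state, pid = m.groups()
        if raddr in ioc_ips:
            hits.append((raddr, int(rport), int(pid)))
    return hits


# Constructed netstat output; all addresses are documentation ranges.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.12:49712     203.0.113.10:3333      ESTABLISHED     4120
  TCP    192.168.0.12:49800     198.51.100.7:443       ESTABLISHED     2210
  UDP    0.0.0.0:5353           *:*                                    1044
""".splitlines()


def build_sample_tree(root):
    """Constructed layout: a benign file plus the stand-in binary buried in a
    nested folder under a system-looking name (folder names are placeholders)."""
    nested = os.path.join(root, "ProgramData", "cafe_mgmt", "update")
    os.makedirs(nested, exist_ok=True)
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"benign content\n")
    bad = os.path.join(nested, "svchost.exe")
    with open(bad, "wb") as f:
        f.write(SAMPLE_MINER_BYTES)
    return bad


def run_audit():
    """Build the sample tree in a temp dir, run both checks, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        file_hits = [(os.path.relpath(p, root), d) for p, d in scan_tree(root, IOC_MD5)]
    conn_hits = scan_connections(SAMPLE_NETSTAT, IOC_IPS)
    return {"files": file_hits, "connections": conn_hits}


if __name__ == "__main__":
    for kind, hits in run_audit().items():
        print(kind, hits)
```

On a real fleet, feed `scan_tree` the drive root (or at least the management software's install and data folders) and pipe live `netstat -ano` output into `scan_connections`; a hash match only catches samples already in the indicator list, so treat a clean result as "nothing known found", not as proof the machine is clean.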
What Undercode Says:
This campaign marks a disturbing evolution in cybercrime: targeting public spaces with high-performance hardware and low individual accountability. PC bangs are a uniquely Korean phenomenon, popular for both recreational gaming and casual work — making them perfect targets for large-scale, under-the-radar exploitation.
The attackers’ approach shows surgical precision. Rather than infecting random users, they go after centralized café management systems, turning dozens — or hundreds — of public machines into crypto-mining zombies. This method is not only efficient but also highly profitable, as the average gaming PC offers superior GPU capacity compared to typical home or office setups.
Gh0st RAT’s deployment indicates that surveillance and control are part of the operation, which raises deeper privacy and security concerns. With access to user data, keylogs, and screen captures, attackers could potentially harvest sensitive user credentials or engage in further cyber fraud beyond mining.
The use of Patcher also shows that these aren’t amateur actors. They reverse-engineered the management software to develop a custom attack chain, allowing them to inject malicious payloads while avoiding crashes or detection. This type of memory manipulation points to a well-resourced threat group, likely familiar with the South Korean market and PC bang infrastructure.
The switch to T-Rex CoinMiner is also strategic. Unlike more common miners, T-Rex is fine-tuned for high-GPU environments and is favored in Ethereum and RavenCoin circles. Since these digital coins are less traceable and more lucrative, it’s a win-win for attackers.
It’s also telling that supporting tools like KillProc are used to eliminate competing crypto miners. This suggests a highly competitive underground market where multiple actors are fighting for access to the same resources — the GPUs of South Korea’s public gaming cafés.
By spreading malware disguised as legitimate software and embedding it in dynamic file paths, the campaign shows advanced evasion tactics. This kind of polymorphic malware behavior means traditional antivirus programs are likely ineffective without behavior-based detection or deep packet inspection.
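Because the paths and hashes change, behavior-based checks are what catch this kind of tradecraft. The following Python example is added here and is not code from the ASEC report or from any vendor; it triages a constructed process snapshot with three heuristics drawn from the campaign description: a Windows system binary name running outside the system directories, a command line carrying a stratum mining-pool URL, and an executable other than the management tool launched from the management software's folder. The process list, the `CafeManager` folder and executable names, and all PIDs are made up for the demonstration.

```python
import ntpath

# Constructed process snapshot of the kind "tasklist /v" or a process query returns.
# Nothing here comes from the ASEC report; paths, PIDs and command lines are invented.
SAMPLE_PROCESSES = [
    {"pid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 4120, "image": r"C:\ProgramData\CafeManager\update\svchost.exe",
     "cmdline": "svchost.exe -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER"},
    {"pid": 2210, "image": r"C:\Program Files\CafeManager\CafeManager.exe",
     "cmdline": "CafeManager.exe"},
    {"pid": 3301, "image": r"C:\Program Files\CafeManager\update\kp.exe",
     "cmdline": "kp.exe"},
]

# Assumed environment (placeholders): the management tool lives under MGMT_ROOT and
# MGMT_EXE is its only legitimate executable.
MGMT_ROOT = r"C:\Program Files\CafeManager"
MGMT_EXE = "cafemanager.exe"
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")
SYSTEM_IMAGES = {"svchost.exe", "lsass.exe", "csrss.exe", "conhost.exe", "wininit.exe"}
MINING_MARKERS = ("stratum+tcp://", "stratum+ssl://")


def _in_dir(path, directory):
    """Case-insensitive 'path is inside directory' test using Windows path rules."""
    p = ntpath.normcase(path)
    d = ntpath.normcase(directory).rstrip("\\") + "\\"
    return p.startswith(d)


def _image_name(proc):
    return ntpath.basename(ntpath.normcase(proc["image"]))


def check_masquerade(proc):
    """A system binary name running from somewhere other than the system directories."""
    if _image_name(proc) in SYSTEM_IMAGES and not any(_in_dir(proc["image"], d) for d in SYSTEM_DIRS):
        return "system binary name outside system directory"
    return None


def check_mining_cmdline(proc):
    """Miner command lines normally name the pool with a stratum URL."""
    cmd = proc["cmdline"].lower()
    if any(marker in cmd for marker in MINING_MARKERS):
        return "command line carries a stratum pool URL"
    return None


def check_unexpected_in_mgmt_tree(proc):
    """Something other than the management tool itself started from its folder,
    which the report describes as where the droppers were installed."""
    if _in_dir(proc["image"], MGMT_ROOT) and _image_name(proc) != MGMT_EXE:
        return "unexpected executable under management software folder"
    return None


CHECKS = (check_masquerade, check_mining_cmdline, check_unexpected_in_mgmt_tree)


def triage(processes):
    """Return [(pid, [reasons...])] for every process that trips at least one check."""
    findings = []
    for proc in processes:
        reasons = [r for r in (check(proc) for check in CHECKS) if r]
        if reasons:
            findings.append((proc["pid"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_PROCESSES):
        print(pid, "; ".join(reasons))
```

Each check is deliberately cheap and path-independent, so it keeps working when the next update moves the miner again; in practice you would add a fourth signal, sustained GPU load from a process that is not a game, which requires a vendor-specific query and is therefore left out here.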
Given the scale of these cafés and their daily traffic, the potential for long-term, unnoticed exploitation is dangerously high. If management software providers don’t act swiftly to harden their tools and educate users, this attack model could easily spread beyond South Korea to similar gaming or co-working spaces globally.
Fact Checker Results:
✔️ Confirmed use of Gh0st RAT and T-Rex CoinMiner in cyber campaigns
✔️ Attackers targeted vulnerabilities in PC bang management software
✔️ ASEC has verified the presence of multiple malware variants in the campaign
Prediction:
Expect this attack model to evolve and expand. As cryptocurrencies remain valuable and GPU-based setups continue to be used in public environments, threat actors will increasingly develop region-specific malware. We could see similar campaigns target LAN cafés in Southeast Asia, gaming lounges in North America, or even cloud gaming services. In response, security vendors and software developers must prepare for this new frontier where public, high-performance computing becomes a hacker’s playground.
References:
Reported By: cyberpress.org