New Cryptocurrency Miner SilentCryptoMiner: A Dangerous Malware Disguised as a Bypass Tool

Listen to this Post

A new wave of malware attacks is spreading across the internet, and it’s hitting users with a stealthy cryptocurrency miner named SilentCryptoMiner. The cybercriminals behind this campaign are cleverly disguising the malware as a tool that promises to bypass internet restrictions and blocks on online services. But behind this deceptive front, the threat is a cryptocurrency miner that’s using up system resources and compromising security.

Kaspersky, a Russian cybersecurity company, recently exposed the tactics behind this mass campaign, which takes advantage of Windows Packet Divert (WPD) tools to trick users into downloading malware. The attackers disguise the miner as software for bypassing deep packet inspection (DPI) filters, making it especially dangerous for users trying to get around network restrictions. The campaign, which has already affected over 2,000 users in Russia, involves spreading the malware through seemingly innocent links in online communities such as YouTube and Telegram.

Summary

SilentCryptoMiner is a new cryptocurrency miner delivered under the guise of a tool that helps users bypass internet restrictions. Cybercriminals are using Windows Packet Divert (WPD) tools to distribute the malware, often packaged with text instructions advising users to disable their security software. This deceptive tactic aims to bypass antivirus software and allow the miner to stay undetected on infected machines.

The malware campaign has affected thousands, primarily in Russia, with distribution channels like YouTube and Telegram. Attackers have even escalated their tactics by threatening YouTube channel owners with fake copyright strike notices unless they share links to the malicious software. The miner is based on XMRig, a popular open-source miner, and is designed to inject its malicious code into legitimate system processes to avoid detection. Additionally, the malware is padded with random data to make automatic analysis more difficult for security solutions.

What Undercode Says: An In-depth Analysis of the SilentCryptoMiner Campaign

The SilentCryptoMiner campaign is an example of how cybercriminals continue to evolve their techniques for spreading malware. What stands out here is the sophistication with which attackers are using social engineering to bypass traditional security measures. By masquerading the malware as a “bypass tool,” the attackers are playing on the growing number of people searching for ways to circumvent internet restrictions. This clever packaging makes it far more likely that users will click on the malicious links, thinking they are downloading something useful.

The use of Windows Packet Divert (WPD) tools to spread malware is also concerning. These tools allow attackers to bypass certain network security measures and route traffic in ways that make it harder for security systems to detect malicious activity. This technique seems to be part of a larger trend where cybercriminals are leveraging networking tools to hide their malicious activities under the guise of legitimate functions. In the case of SilentCryptoMiner, this tactic makes the malware appear as a harmless tool for circumventing DPI, a feature used by networks to inspect and block certain types of traffic.

What’s particularly dangerous about this campaign is the way it exploits the trust of users. Cybercriminals are encouraging people to disable their security software, citing false positives, which makes it easier for the malware to establish a foothold in the system without detection. This tactic also takes advantage of human psychology, preying on users’ reluctance to risk losing access to a service or website due to network restrictions.

The use of YouTube and Telegram to distribute the malware is a smart choice by the attackers. These platforms have large user bases, especially in regions like Russia, where many people may be looking for ways to bypass local internet censorship. By targeting these platforms, the attackers are able to reach a wide audience and increase the chances of successful infections. The escalation to threatening YouTube channel owners with copyright strike notices also shows how cybercriminals are becoming more aggressive in their distribution methods.

Another interesting detail is how the SilentCryptoMiner is designed to evade detection. The malware uses process hollowing, a technique where malicious code is injected into a legitimate system process (in this case, dwm.exe), making it harder for security software to detect. Additionally, the malware’s use of a large file size—padded with random blocks of data—further complicates the task for antivirus software and sandboxes to perform automatic analysis. This sophisticated approach demonstrates that these attackers are highly knowledgeable about the tools and methods used by modern security solutions.

Moreover, the persistence mechanisms in place are concerning. The malware is capable of checking if it’s running in a sandbox, and it also configures exclusions in Windows Defender to ensure that it’s not flagged by security software. This shows a high level of planning and an understanding of how security tools function.

Lastly, the fact that the miner is based on XMRig, a well-known open-source cryptocurrency miner, means that it is leveraging existing, widely-used software to run its operations. XMRig itself is legitimate software used for mining Monero, a popular privacy coin. However, in the hands of cybercriminals, it becomes a tool for illicit activity, silently draining resources from infected machines.

This campaign represents a growing trend of sophisticated cybercrime tactics, where attackers not only rely on traditional methods like phishing but also use advanced social engineering, process injection, and evasion techniques to carry out their attacks. As malware authors continue to evolve, it becomes more important for users to be vigilant about the software they download and the links they click on.

Fact Checker Results

  • Kaspersky has confirmed the ongoing malware campaign, which is targeting Russian users, with SilentCryptoMiner being spread via YouTube and Telegram.
  • The malware has been observed to employ advanced evasion tactics, including process hollowing and large file sizes to avoid detection.
  • SilentCryptoMiner is based on the open-source miner XMRig, a legitimate mining tool that’s been co-opted for malicious use.

References:

Reported By: https://thehackernews.com/2025/03/silentcryptominer-infects-2000-russian.html
Extra Source Hub:
https://www.instagram.com
Wikipedia: https://www.wikipedia.org
Undercode AI

Image Source:

OpenAI: https://craiyon.com
Undercode AI DI v2

Join Our Cyber World:

Whatsapp
TelegramFeatured Image