The campaign targets users who attempt to watch pirated films or television shows. Instead of loading the video, the website displays a warning that a video player plugin is outdated and must be updated before playback can continue. Users who follow the prompt receive a ZIP archive carrying a legitimate-looking installer alongside a malicious dynamic-link library (DLL); when the installer runs, it loads the attacker's DLL through DLL side-loading, so the malicious code executes inside a process that appears trusted.
The infection chain has been linked to pirated streaming sites and online digital libraries with large audiences. Traffic data for affected platforms showed monthly visits ranging from 11,000 users on smaller digital library sites to 27.4 million on larger movie and television streaming portals. Sites where the malware was detected drew about 40 million visits in April, underlining the potential scale of exposure.
The malware package uses a familiar tactic: pairing a legitimate executable with a malicious DLL so that the harmful code is loaded by a trusted application. The executable identified in the campaign was presented as an installer, while the hidden library carried the logic needed to deploy the miner, establish persistence and prepare the system for further control. This method can help attackers evade basic scrutiny because the visible file may appear benign to the user.
Once active, the malware profiles the victim's machine, gathering processor details, the C: drive's serial number, the privilege level it is running with and its process start time. That information is sent out over DNS tunnelling, encoded into DNS queries so that it blends with ordinary name-resolution traffic. The operation then proceeds only after the attacker-controlled infrastructure sends back the expected response, suggesting an attempt to limit execution to valid targets and reduce the chance of detection in analysis environments.
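The paragraph above describes the fingerprint being carried out in DNS queries. The following added example (not code from the campaign or from the researchers' report) shows one hypothetical way such a beacon can be packed into query labels, and a simple detector that flags it in resolver logs. The encoding scheme, the zone name `cdn-stats.example.net`, the fingerprint strings and the log lines are all constructed for the example; the real campaign's encoding is not described on this page.

```python
"""Hypothetical DNS-tunnel beacon plus a detector over constructed resolver logs.

Added illustration, not the campaign's code: the encoding is an assumption about
how a small host fingerprint can be hidden in query names, and every log line
below is constructed for the example.
"""
import base64
import math
from collections import defaultdict

LABEL_MAX = 63                          # RFC 1035: one DNS label is at most 63 octets
TUNNEL_ZONE = "cdn-stats.example.net"   # assumed attacker-controlled zone (made up)


def encode_beacon(fingerprint: str, zone: str = TUNNEL_ZONE) -> str:
    """Base32 (DNS-safe, case-insensitive) the fingerprint, drop the padding and
    split it into <=63-character labels under the attacker's zone."""
    data = base64.b32encode(fingerprint.encode()).decode().rstrip("=").lower()
    labels = [data[i:i + LABEL_MAX] for i in range(0, len(data), LABEL_MAX)]
    return ".".join(labels + [zone])


def decode_beacon(qname: str, zone: str = TUNNEL_ZONE) -> str:
    """Reverse of encode_beacon, as the attacker's authoritative server would do it."""
    payload = qname[: -len(zone) - 1].replace(".", "").upper()
    payload += "=" * (-len(payload) % 8)       # restore base32 padding
    return base64.b32decode(payload).decode()


def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def registered_domain(qname: str) -> str:
    # Simplification for the example: last two labels. Use the Public Suffix List in production.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_tunnels(lines, min_distinct=4, max_label=40, min_entropy=3.5):
    """Group queries by registered domain and flag domains whose subdomains are
    numerous, unusually long, or high-entropy. Constructed log format: 'ts client qname qtype'."""
    per_domain = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        qname = parts[2].lower().rstrip(".")
        per_domain[registered_domain(qname)].append(qname)
    flagged = {}
    for dom, names in per_domain.items():
        subs = {n[: -len(dom) - 1] for n in names if n != dom}
        if len(subs) < min_distinct:
            continue
        longest = max(len(label) for s in subs for label in s.split("."))
        entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if longest > max_label or entropy > min_entropy:
            flagged[dom] = {"distinct": len(subs), "longest_label": longest,
                            "entropy": round(entropy, 2)}
    return flagged


# Constructed fingerprints in the spirit of the article (CPU, C: serial, privilege, start time).
FINGERPRINTS = [
    "cpu=Intel Core i7-9700;vol=1A2B3C4D;priv=admin;start=1716900000",
    "cpu=AMD Ryzen 5 3600;vol=9F8E7D6C;priv=user;start=1716900120",
    "cpu=Intel Core i5-8250U;vol=0BADF00D;priv=user;start=1716900300",
    "cpu=Intel Xeon E-2124;vol=C0FFEE42;priv=admin;start=1716900450",
]

# Constructed resolver log: benign lookups plus four beacons from different hosts.
SAMPLE_LOG = [
    "2024-05-02T10:00:01 10.1.2.3 www.microsoft.com A",
    "2024-05-02T10:00:02 10.1.2.3 update.microsoft.com A",
    "2024-05-02T10:00:03 10.1.2.4 login.microsoft.com A",
    "2024-05-02T10:00:04 10.1.2.4 download.microsoft.com A",
    "2024-05-02T10:00:05 10.1.2.5 go.microsoft.com A",
    "2024-05-02T10:00:06 10.1.2.5 www.google.com A",
    "2024-05-02T10:00:07 10.1.2.6 clients2.google.com A",
] + [f"2024-05-02T10:01:{i:02d} 10.1.2.{i + 3} {encode_beacon(fp)} TXT"
     for i, fp in enumerate(FINGERPRINTS)]

if __name__ == "__main__":
    for dom, stats in detect_tunnels(SAMPLE_LOG).items():
        print(dom, stats)
    print(decode_beacon(encode_beacon(FINGERPRINTS[0])))
```

The beacon queries stand out on two of the three signals even with a handful of hosts: a 63-character label, far beyond anything a normal hostname needs, and base32 text whose character entropy is well above that of words like `update` or `download`. In a real deployment the registered-domain grouping should use the Public Suffix List and the thresholds should be tuned against a baseline, since CDNs and some telemetry services legitimately use long hashed labels.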
The payload behaves differently depending on whether it gains elevated privileges. With administrator rights, it attempts to weaken local defences by adding Windows Defender exclusions for executable and DLL files and for several system folders. It also targets Microsoft’s Malicious Software Removal Tool by manipulating system settings and preventing its automatic installation through Windows Update. Power settings are altered to stop the system from sleeping or hibernating, giving the cryptocurrency miner more uninterrupted runtime.
Persistence is achieved through a copy placed under a directory path designed to resemble a Google Chrome component. A service named GoogleUpdateTaskMachineQC is then configured to start automatically with Windows. The use of familiar software naming patterns is intended to reduce suspicion during manual inspection and make the malware appear like a routine browser update component.
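The two paragraphs above list host-side changes a responder can check for: blanket Defender exclusions, the Malicious Software Removal Tool suppressed, sleep and hibernation disabled, and a service whose name borrows Google Update's naming pattern. The following added example (not the report's tooling, and not the malware's code) turns those indicators into triage rules. To keep it runnable anywhere, it evaluates a constructed snapshot dictionary of the kind a collection script would produce rather than querying a live host; the `updater.exe` path under `C:\ProgramData` and the clean-host values are made up. The one real detail it relies on is that legitimate Google Update registers the services `gupdate` and `gupdatem` and the scheduled tasks `GoogleUpdateTaskMachineCore` and `GoogleUpdateTaskMachineUA`, installed under `Program Files (x86)\Google\Update`, and that the `DontOfferThroughWUAU` policy value under `HKLM\SOFTWARE\Policies\Microsoft\MRT` stops Windows Update from offering the MSRT.

```python
"""Triage rules for the host-side indicators described in the article.

Added example, not the report's own tooling. It evaluates a constructed snapshot
(a dict in the shape a collection script might emit) rather than a live host,
so it runs offline. Snapshot paths and values are made up for the example.
"""
import re

# Legitimate Google Update: services gupdate/gupdatem, tasks GoogleUpdateTaskMachineCore/UA,
# binaries under these directories. A *service* with the task-style name, or a binary
# elsewhere, is the masquerade the article describes.
GOOGLE_UPDATE_DIRS = ("c:\\program files (x86)\\google\\update\\",
                      "c:\\program files\\google\\update\\")
LEGIT_GOOGLE_SERVICES = {"gupdate", "gupdatem"}
BROAD_EXTENSIONS = {"exe", "dll", "sys", "ps1", "bat"}
SYSTEM_ROOTS = ("c:\\windows", "c:\\programdata",
                "c:\\program files", "c:\\program files (x86)")


def _exe(image_path: str) -> str:
    """Executable portion of a service ImagePath (quoted or not), lowercased."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', image_path)
    return (m.group(1) or m.group(2)).lower()


def check_defender(snapshot):
    findings = []
    for ext in snapshot.get("defender_exclusion_extensions", []):
        if ext.lower().lstrip(".") in BROAD_EXTENSIONS:
            findings.append(("DEFENDER_EXT_EXCLUSION", ext))
    for path in snapshot.get("defender_exclusion_paths", []):
        p = path.strip('"').lower().rstrip("\\")
        if p in SYSTEM_ROOTS or p.startswith(tuple(r + "\\" for r in SYSTEM_ROOTS)):
            findings.append(("DEFENDER_SYSTEM_PATH_EXCLUSION", path))
    return findings


def check_mrt(snapshot):
    # DontOfferThroughWUAU = 1 stops Windows Update from delivering the MSRT.
    policy = snapshot.get("registry", {}).get("HKLM\\SOFTWARE\\Policies\\Microsoft\\MRT", {})
    if policy.get("DontOfferThroughWUAU") == 1:
        return [("MRT_DISABLED_VIA_POLICY", "DontOfferThroughWUAU=1")]
    return []


def check_services(snapshot):
    findings = []
    for svc in snapshot.get("services", []):
        name = svc["name"]
        if not re.search(r"google.*update", name, re.I):
            continue
        if name.lower() not in LEGIT_GOOGLE_SERVICES:
            findings.append(("SERVICE_NAME_MIMICS_GOOGLE_UPDATE", name))
        if not _exe(svc["image_path"]).startswith(GOOGLE_UPDATE_DIRS):
            findings.append(("SERVICE_BINARY_OUTSIDE_VENDOR_DIR", f"{name}: {svc['image_path']}"))
    return findings


def check_power(snapshot):
    # A powercfg timeout of 0 means "never": the host stays awake for the miner.
    power = snapshot.get("power_ac_timeouts_min", {})
    return [("POWER_NEVER_SLEEP", k) for k in ("standby", "hibernate") if power.get(k) == 0]


def triage(snapshot):
    return check_defender(snapshot) + check_mrt(snapshot) + check_services(snapshot) + check_power(snapshot)


# Constructed snapshot mirroring the state the article describes (paths are made up).
INFECTED = {
    "defender_exclusion_extensions": ["exe", "dll"],
    "defender_exclusion_paths": ["C:\\Windows\\System32\\", "C:\\ProgramData\\"],
    "registry": {"HKLM\\SOFTWARE\\Policies\\Microsoft\\MRT": {"DontOfferThroughWUAU": 1}},
    "services": [
        {"name": "gupdate",
         "image_path": '"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe" /svc'},
        {"name": "GoogleUpdateTaskMachineQC",
         "image_path": "C:\\ProgramData\\Google\\Chrome\\updater.exe"},   # hypothetical path
    ],
    "power_ac_timeouts_min": {"standby": 0, "hibernate": 0},
}

# Constructed clean host for comparison.
CLEAN = {
    "defender_exclusion_extensions": [],
    "defender_exclusion_paths": ["C:\\Dev\\repo\\"],
    "registry": {},
    "services": [{"name": "gupdate",
                  "image_path": '"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe" /svc'}],
    "power_ac_timeouts_min": {"standby": 30, "hibernate": 180},
}

if __name__ == "__main__":
    for rule, detail in triage(INFECTED):
        print(rule, detail)
```

On a live Windows host the same inputs come from `Get-MpPreference` (exclusion lists), `Get-CimInstance Win32_Service` (name and `PathName`), the MRT policy key and `powercfg /query`; the point of the rules is that each indicator is weak alone but the combination on one host is hard to explain benignly.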
The operation also injects multiple components into ordinary Windows processes. A remote access Trojan agent is placed into conhost.exe, while the watchdog and miners are injected into explorer.exe. The CPU miner is based on XMRig, a widely abused open-source mining tool, and a GPU miner is deployed when the infected system contains a discrete graphics processor. This lets the malware consume both processor and graphics resources when they are available.
The watchdog module is designed to keep the miner running even after partial removal attempts. It stores encrypted copies of the installed files in memory and checks every few seconds whether the malicious service remains intact. If the service or files are removed while the watchdog is still running, it restores them, so remediation is likely to fail unless the injected watchdog process is terminated before the service and files are deleted.
The RAT component gives attackers broader control beyond illicit cryptocurrency mining. It can execute arbitrary commands, load additional executable files into memory, run shellcode and terminate itself when instructed. Such functionality turns what may appear to be a nuisance miner into a more serious compromise, with risks extending to data theft, further malware deployment and long-term unauthorised access.
Security researchers believe the activity is part of a longer-running cybercrime operation rather than an isolated incident. Earlier versions of the campaign used pirated book platforms and fake browser crash pages to deliver similarly structured archives. The latest streaming-site variant suggests the operators are adapting distribution channels to follow user behaviour, targeting audiences drawn to free access to copyrighted media.