Wormable XMRig campaign leverages BYOVD and timed kill switch for stealth


A wormable cryptojacking campaign spreads via pirated software, using BYOVD and a time-based logic bomb to deploy a custom XMRig miner.

Researchers uncovered a wormable cryptojacking campaign that spreads through pirated software bundles to deploy a custom XMRig miner. The attack uses a BYOVD exploit and a time-based logic bomb to evade detection and maximize mining output. Its multi-stage infection chain focuses on boosting the cryptocurrency hashrate, often pushing infected systems to instability in the process.

The campaign spreads through pirated “premium” software installers that drop a sophisticated XMRig-based miner. At its core is a controller binary, Explorer.exe, designed as a persistent state machine that switches roles via command-line arguments (installer, watchdog, active infection, cleanup).

“The ‘Explorer.exe’ binary functions as the primary orchestration node for the infection. In traditional malware design, functionality is often compartmentalized into a linear execution flow: a dropper downloads a payload, executes it, and exits. Explorer.exe (controller), however, operates as a persistent state machine,” reads the report published by Trellix. “It determines its behavioral mode based on the specific command-line arguments passed to it during execution, allowing a single binary file to serve multiple distinct operational roles within the infection lifecycle: installer, watchdog, payload manager, and cleaner.”

It separates logic (“brain”) from payloads (“brawn”), which include the miner, watchdogs, and a vulnerable driver (BYOVD) for kernel access.

The malware abuses a legitimate but vulnerable driver called WinRing0x64.sys using a technique known as BYOVD (Bring Your Own Vulnerable Driver). Instead of creating its own malicious driver, it loads this old, signed driver to gain kernel-level (Ring 0) access.

With this access, it modifies specific CPU settings (Model Specific Registers) to disable hardware prefetchers that interfere with Monero’s RandomX mining algorithm. Because RandomX relies on random memory access, turning off these features reduces cache conflicts and boosts mining performance by 15% to 50%.

Payloads are embedded in the binary’s resource section, decompressed, written to disk as hidden system files, and disguised as legitimate software. A circular watchdog system ensures components relaunch each other if terminated, aggressively restarting the miner and even killing the real Windows Explorer to disrupt users.

The malware includes a time-based kill switch set to December 23, 2025, triggering a controlled cleanup routine.

“A significant discovery within the sub_14000D180 function is a hardcoded temporal check, serving as a ‘kill switch’ or ‘time bomb.’ This mechanism operates by retrieving the local system time and comparing it against a predetermined deadline: December 23, 2025,” continues the report. “The malware’s behavior diverges based on this date: Active phase (Pre-Dec 23, 2025): The malware proceeds with the standard infection routine, installing the persistence modules and launching the miner. Expiration phase (Post-Dec 23, 2025): This suggests that the campaign is not intended to be an indefinite operation. It implies a ‘fire-and-forget’ lifecycle, possibly timed to coincide with the expiration of rented Command & Control (C2) infrastructure, a predicted shift in the cryptocurrency market (specifically Monero difficulty adjustments), or a planned transition to a new malware variant.”

This XMRig variant includes a worm module that spreads through USB drives, not just manual downloads. It quietly listens for new removable devices using Windows system notifications instead of constantly scanning for them. When a USB drive is inserted, the malware copies its explorer.exe file onto the device, hides it in a folder, and creates a malicious shortcut disguised with the drive’s icon. When the USB drive is opened on another computer, the shortcut can execute the malware, enabling further spread.

The threat actor appears to be testing the infection chain and persistence features, including the “Barusu” kill switch, on a limited number of systems before scaling up. Mining pool data shows one active worker with a modest hashrate, with sporadic activity in November 2025 and a noticeable spike starting December 8, suggesting a fresh rollout or activation of new infected nodes.

“This campaign serves as a potent reminder that commodity malware continues to innovate. By chaining together social engineering, legitimate software masquerades, worm-like propagation, and kernel-level exploitation, the attackers have created a resilient and highly efficient botnet,” concludes the report. “The use of the BYOVD technique, in particular, highlights a critical weakness in modern OS security models: the trust placed in signed drivers.”

Pierluigi Paganini (SecurityAffairs – hacking, XMRig Campaign)
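As an added, defender-side example that is not from the article or the Trellix report, the Python below runs three detection checks over a handful of constructed Sysmon-style events (EventID 6 driver load, EventID 1 process create, EventID 11 file create): the WinRing0x64.sys driver named in the report being loaded, a process named explorer.exe starting from anywhere other than the genuine Windows locations, and such a process writing a .lnk into the root of another drive, which is the propagation step described for the USB worm. The field names follow Sysmon's schema; the allowlist of legitimate explorer.exe paths, the drive-letter heuristic, and every host and path in the sample telemetry are assumptions made for this example.

```python
import ntpath
import re
from dataclasses import dataclass

# Driver the Trellix report names as the BYOVD component (compared case-insensitively).
VULNERABLE_DRIVERS = {"winring0x64.sys"}

# Paths where a genuine Windows Explorer binary lives; anything else named
# explorer.exe is treated as a masquerade candidate. Assumption for this example.
LEGIT_EXPLORER_PATHS = {r"c:\windows\explorer.exe", r"c:\windows\syswow64\explorer.exe"}

# A .lnk placed directly in the root of a non-system drive (D: .. Z:), which is
# where the report says the worm plants its disguised shortcut. Heuristic only.
ROOT_LNK_ON_REMOVABLE = re.compile(r"^[d-z]:\\[^\\]+\.lnk$")


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def _norm(path: str) -> str:
    """Lower-case and strip a Windows path so comparisons are case-insensitive."""
    return path.strip().lower()


def _is_masquerading_explorer(image: str) -> bool:
    """True when the image is named explorer.exe but lives outside its real home."""
    image = _norm(image)
    return ntpath.basename(image) == "explorer.exe" and image not in LEGIT_EXPLORER_PATHS


def check_event(ev: dict):
    """Return a Finding for one Sysmon-style event, or None if nothing matched."""
    host = ev.get("Host", "?")
    eid = ev.get("EventID")

    # Sysmon EventID 6: driver loaded. A known-vulnerable driver appearing at
    # all is the BYOVD signal, regardless of the directory it was loaded from.
    if eid == 6:
        loaded = ev.get("ImageLoaded", "")
        if ntpath.basename(_norm(loaded)) in VULNERABLE_DRIVERS:
            return Finding("byovd_driver_load", host, f"vulnerable driver loaded: {loaded}")

    # Sysmon EventID 1: process created. explorer.exe outside its real location.
    elif eid == 1:
        image = ev.get("Image", "")
        if _is_masquerading_explorer(image):
            return Finding("explorer_masquerade", host, f"explorer.exe started from {image}")

    # Sysmon EventID 11: file created. A masquerading explorer.exe dropping a
    # shortcut into the root of another drive matches the USB propagation step.
    elif eid == 11:
        image = ev.get("Image", "")
        target = ev.get("TargetFilename", "")
        if _is_masquerading_explorer(image) and ROOT_LNK_ON_REMOVABLE.match(_norm(target)):
            return Finding("removable_root_lnk", host, f"{image} wrote {target}")

    return None


def analyze_events(events):
    """Run every event through the checks and collect the findings in order."""
    return [f for f in (check_event(ev) for ev in events) if f is not None]


# Constructed sample telemetry: hosts, directories and ordering are invented for
# this example; only the driver name and the explorer.exe naming come from the report.
SAMPLE_EVENTS = [
    {"Host": "ws01", "EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys"},
    {"Host": "ws01", "EventID": 6, "ImageLoaded": r"C:\ProgramData\Fonts\WinRing0x64.sys"},
    {"Host": "ws01", "EventID": 1, "Image": r"C:\Windows\explorer.exe"},
    {"Host": "ws01", "EventID": 1, "Image": r"C:\ProgramData\Fonts\Explorer.exe"},
    {"Host": "ws01", "EventID": 11, "Image": r"C:\ProgramData\Fonts\Explorer.exe",
     "TargetFilename": r"E:\USB_DRIVE.lnk"},
    {"Host": "ws01", "EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\notes.lnk"},
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The driver-load rule is the durable one: the BYOVD step depends on that specific signed driver, so its appearance on a host with no legitimate reason to load it is worth an alert on its own, and blocking it through a driver blocklist removes the kernel-access step entirely. A caveat for analysts that follows from the report's description of the kill switch: the check compares local system time against the December 23, 2025 deadline, so a sample detonated on a system whose clock is already past that date shows only the cleanup path; the infection routine is observable only with the sandbox clock set before the deadline.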