Friday, May 9, 2025
Homecyber securityCybercriminals Exploit YouTubers to Spread SilentCryptoMiner on Windows Systems

Cybercriminals Exploit YouTubers to Spread SilentCryptoMiner on Windows Systems

Published on

SIEM as a Service

Follow Us on Google News

A sophisticated malware campaign has been uncovered, exploiting the growing popularity of Windows Packet Divert drivers for bypassing internet restrictions.

Cybercriminals are distributing the SilentCryptoMiner malware disguised as legitimate tools, affecting over 2,000 victims in Russia alone.

The attack vector involves manipulating YouTubers with large followings to distribute malicious links.

- Advertisement - Google News

In one instance, a YouTuber with 60,000 subscribers posted videos containing links to infected archives, garnering over 400,000 views.

The malicious files were hosted on gitrok[.]com, with the download counter exceeding 40,000.

Blackmail Tactics and Infection Chain

Attackers have employed a new distribution scheme, sending copyright strikes to content creators and threatening channel shutdowns unless they post videos with malicious links.

This tactic leverages the reputation of popular YouTubers to spread the malware further.

The infection chain begins with a modified start script that runs an additional executable file using PowerShell.

SilentCryptoMiner
Contents of the original (left) and modified (right) general.bat start script

According to Secure List Report, this loader, written in Python and packed with PyInstaller, retrieves the next-stage payload from hardcoded domains.

The second-stage loader performs environment checks, adds exclusions to Microsoft Defender, and downloads the final payload SilentCryptoMiner.

SilentCryptoMiner: A Stealthy Cryptocurrency Mining Threat

SilentCryptoMiner, based on the open-source XMRig miner, is capable of mining multiple cryptocurrencies using various algorithms.

It employs process hollowing techniques to inject miner code into system processes for stealth.

The malware includes features to evade detection, such as stopping mining when specific processes are active and checking for virtual environment indicators.

The miner’s configuration is encrypted and includes parameters for mining algorithms, URLs, and lists of programs that trigger temporary mining cessation.

It periodically retrieves remote configurations, allowing attackers to dynamically adjust its behavior.

This campaign highlights the evolving tactics of cybercriminals, who are now exploiting the demand for restriction bypass tools to distribute malware.

While this particular campaign focuses on cryptocurrency mining, the same vector could potentially be used for more severe attacks, including data theft and additional malware deployment.

As the threat landscape continues to evolve, users must exercise caution when downloading and using tools from untrusted sources, even when recommended by seemingly reputable content creators.

The incident serves as a reminder of the ongoing need for vigilance in the face of increasingly sophisticated cyber threats.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Fedora Linux Joins the Windows Subsystem for Linux Officially

Fedora Project has announced the official availability of Fedora Linux on the Windows Subsystem...

Microsoft Launches “Copilot+ PC” for an Upgraded Windows Experience

Microsoft has announced a significant wave of new Windows experiences designed for Copilot+ PCs,...

Nomad Bridge Hacker Apprehended in Connection with $190 Million Heist

Alexander Gurevich, a 47-year-old dual Russian-Israeli citizen, was arrested last Thursday at Ben-Gurion Airport...

160-Year-Old Haulage Firm Falls After Cyber-Attack: Director Issues Urgent Warning

The 160-year-old haulage giant Knights of Old, once a stalwart of the UK’s logistics...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Fedora Linux Joins the Windows Subsystem for Linux Officially

Fedora Project has announced the official availability of Fedora Linux on the Windows Subsystem...

Microsoft Launches “Copilot+ PC” for an Upgraded Windows Experience

Microsoft has announced a significant wave of new Windows experiences designed for Copilot+ PCs,...

Nomad Bridge Hacker Apprehended in Connection with $190 Million Heist

Alexander Gurevich, a 47-year-old dual Russian-Israeli citizen, was arrested last Thursday at Ben-Gurion Airport...