CYBERSECURITY researchers have detailed a new cryptojacking campaign that uses pirated software bundles as lures to deploy a bespoke XMRig miner on compromised hosts, with a multi-stage infection chain that spreads across systems to maximise cryptocurrency mining output. The malware uses a Bring Your Own Vulnerable Driver (BYOVD) approach via a legitimate driver, WinRing0x64[.]sys, exploiting CVE-2020-14979 to achieve privilege escalation and greater control over the CPU for a higher hashrate.
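Because the campaign abuses a legitimately signed driver rather than an unsigned one, signature checks alone will not catch it; defenders instead hunt for loads of known-abusable driver names (or, better, hashes) and for drivers loaded from unusual locations. The script below is an added example, not code from Trellix or from the report; it parses constructed Sysmon Event ID 6 (DriverLoad) style lines and flags WinRing0x64.sys loads and drivers loaded from outside the system driver directory. The log format, host names and paths are invented for the example, and keying on the file name rather than a hash is an assumption made only because the page gives no hashes.

```python
import re
from dataclasses import dataclass

# Driver file names known to be abused for BYOVD; WinRing0x64.sys is the one
# named in the report. A hash would be the stronger key, but the page gives
# none, so this example keys on the file name (an assumption and a weaker signal).
ABUSABLE_DRIVERS = {"winring0x64.sys": "WinRing0 driver, CVE-2020-14979 (BYOVD)"}
STANDARD_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class Finding:
    host: str
    path: str
    reason: str


# Constructed events in a Sysmon Event ID 6 (DriverLoad) key=value style.
# These are invented samples for the example, not telemetry from the campaign.
SAMPLE_EVENTS = r"""EventID=6 Computer=WS01 ImageLoaded=C:\Windows\System32\drivers\ntfs.sys
EventID=6 Computer=WS01 ImageLoaded=C:\Users\Public\Tools\WinRing0x64.sys
EventID=6 Computer=WS07 ImageLoaded=E:\setup\WINRING0X64.SYS
EventID=6 Computer=WS09 ImageLoaded=D:\drop\helper.sys
EventID=1 Computer=WS07 Image=C:\Windows\explorer.exe
"""

# key=value pairs; a value runs until the next " key=" token or end of line,
# so paths containing spaces are kept intact.
KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_event(line: str) -> dict:
    """Split one key=value event line into a dict."""
    return dict(KV.findall(line))


def find_suspicious_driver_loads(text: str) -> list:
    """Return a Finding for each driver load that matches a hunting rule."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "6":      # only DriverLoad events
            continue
        path = ev.get("ImageLoaded", "")
        name = path.rsplit("\\", 1)[-1].lower()   # case-insensitive file name
        host = ev.get("Computer", "?")
        if name in ABUSABLE_DRIVERS:
            findings.append(Finding(host, path, ABUSABLE_DRIVERS[name]))
        elif not path.lower().startswith(STANDARD_DRIVER_DIR):
            # Signed or not, a driver loaded from a user or removable path
            # deserves a look (the campaign spreads via removable media).
            findings.append(Finding(host, path, "driver loaded from outside the system driver directory"))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_driver_loads(SAMPLE_EVENTS):
        print(f"{f.host}: {f.path} -> {f.reason}")
```

On the constructed sample the script flags the two WinRing0x64.sys loads (one from a user profile, one from an E: drive) and the helper.sys load from D:, while ignoring ntfs.sys from the normal driver directory. In practice the name list should be replaced with a hash-based blocklist such as a vendor or Microsoft vulnerable-driver list, and the "outside the driver directory" rule tuned against an allowlist of legitimate third-party driver paths.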
Trellix described the campaign as worm‑like, noting it actively spreads to other systems via removable media rather than relying solely on user downloads. A time‑based logic bomb is embedded, such that if the local time is before 23 December 2025 it installs persistence modules and launches the miner, but after that date it runs with the barusu argument to perform a controlled decommissioning.
The researchers observed mining activity throughout November 2025, with a spike on 8 December 2025, and highlighted the attack as an example of how commodity malware can evolve into a resilient botnet through social engineering, worm propagation, and kernel-level exploits. According to Trellix, the dropper, persistence triggers, and mining payload reveal a sophisticated, multi-component architecture aimed at sustaining maximum hashrate while evading security tools.