RESEARCHERS have uncovered a wormable XMRig cryptojacking campaign that spreads through pirated software bundles to deploy a custom XMRig miner. The operation uses a Bring Your Own Vulnerable Driver (BYOVD) technique and a time-based logic bomb to evade detection and maximise mining output, with a multi-stage infection chain aimed at boosting cryptocurrency hashrate, often at the expense of system stability.
At its core is a controller binary, Explorer[.]exe, described as a persistent state machine that switches roles via command-line arguments, enabling it to act as installer, watchdog, payload manager and cleaner. The malware abuses a legitimate but vulnerable driver called WinRing0x64[.]sys to gain kernel-level access, then disables certain CPU features to improve mining performance by 15% to 50%.
A time-based kill switch is set for December 23, 2025, triggering a cleanup routine, while a worm module enables propagation via USB drives beyond manual downloads. The campaign’s authors appear to be testing the infection chain and persistence features on a limited set of machines before broader scaling, according to Security Affairs.
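Two of the observables above are easy to hunt for in endpoint telemetry: a load of the vulnerable WinRing0x64.sys driver, and a process named Explorer.exe that does not run from the genuine Windows shell path. The script below is an added illustration, not code from the researchers or the report; it assumes a simplified key=value log format with Sysmon-like field names and uses constructed sample events (the command-line argument shown is made up, the report does not name the real switches).

```python
"""Hunt for WinRing0x64.sys driver loads (BYOVD) and for an Explorer.exe
masquerade, the two host observables named in the report."""
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry from the campaign).
# EventID 6 = driver loaded, EventID 1 = process created, loosely after Sysmon.
SAMPLE_EVENTS = """\
EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys Signed=true
EventID=6 ImageLoaded=C:\\ProgramData\\Cache\\WinRing0x64.sys Signed=true
EventID=1 Image=C:\\Windows\\explorer.exe CommandLine="C:\\Windows\\explorer.exe"
EventID=1 Image=C:\\Users\\Public\\Libs\\Explorer.exe CommandLine="Explorer.exe role1"
"""

# The only legitimate location of the Windows shell; anything else with this
# name is a masquerade candidate. PureWindowsPath compares case-insensitively.
GENUINE_EXPLORER = PureWindowsPath(r"C:\Windows\explorer.exe")


def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def classify(event):
    """Return a finding label for one event, or None if nothing stands out."""
    if event.get("EventID") == "6":
        # WinRing0 is also shipped by some hardware-monitoring tools, so a hit
        # is a triage lead rather than proof of compromise on its own.
        driver = PureWindowsPath(event.get("ImageLoaded", "")).name.lower()
        if driver == "winring0x64.sys":
            return "byovd: WinRing0x64.sys driver load"
    if event.get("EventID") == "1":
        image = PureWindowsPath(event.get("Image", ""))
        if image.name.lower() == "explorer.exe" and image != GENUINE_EXPLORER:
            return f"masquerade: explorer.exe outside the Windows root ({image})"
    return None


def hunt(text):
    """Return (line_number, label) for every suspicious event in the log text."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        label = classify(parse_event(line))
        if label:
            findings.append((n, label))
    return findings


if __name__ == "__main__":
    for n, label in hunt(SAMPLE_EVENTS):
        print(f"line {n}: {label}")
```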