A miner with a side of RAT: the unintended gift with your TV show or book
A cybercrime campaign active since at least 2022 has been distributing cryptocurrency miners and RAT malware through illegal streaming sites and digital libraries. Victims are tricked via fake video player plugin updates or browser crash pages into downloading ZIP archives containing legitimate executables and malicious DLLs. The malware employs DLL side-loading, establishes persistence through Windows services, and deploys multiple components including XMRig-based CPU miners, GPU miners, a watchdog module, and a RAT agent with remote control capabilities. The campaign leverages highly popular pirated content sites with monthly traffic reaching up to 40 million visits, significantly expanding the potential victim pool. The malware includes sophisticated anti-detection features, DNS tunneling for command-and-control, and domain generation algorithms based on dates.
AI Analysis
Technical Summary
This threat involves a multi-component malware campaign distributing cryptocurrency miners and RATs through pirated media sites. Infection vectors include fake plugin updates and browser crash prompts leading to ZIP archives containing legitimate executables and malicious DLLs. The malware uses DLL side-loading to evade detection and establishes persistence by creating Windows services. Components include XMRig CPU miners, GPU miners, a watchdog module to maintain operation, and a RAT agent enabling remote control. Command-and-control communication employs DNS tunneling and domain generation algorithms based on dates to evade network defenses. The campaign targets users of illegal streaming and digital library sites with monthly traffic up to 40 million, significantly expanding potential impact. The malware also uses sophisticated anti-detection techniques to avoid discovery.
Potential Impact
The malware can covertly mine cryptocurrency using victim CPU and GPU resources, degrading system performance and increasing power consumption. The RAT component allows remote attackers to control infected systems, potentially leading to data theft, further malware deployment, or system manipulation. Persistence mechanisms and anti-detection features complicate removal and detection. The widespread distribution via popular piracy sites increases the scale of potential infections. No known exploits or targeted threat actors are identified in the data. There is no indication of direct data destruction or ransomware activity.
Mitigation Recommendations
No official patch or vendor advisory is available for this malware campaign. Mitigation focuses on user education to avoid downloading software or updates from untrusted sources, especially on piracy and illegal streaming sites. Employ endpoint protection solutions capable of detecting DLL side-loading and suspicious service creation. Network defenses should monitor for DNS tunneling and unusual domain generation algorithm activity. Since this is not a software vulnerability but a malware campaign, remediation involves malware detection and removal tools. Patch status is not yet confirmed — check vendor advisories and threat intelligence sources for updates.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securelist.com/video-books-pirates-miners-rat/119943/
- Adversary: null
- Pulse Id: 6a181f75cd4fa08fe38dfc48
- Threat Score: null
Threat ID: 6a185ccae29bf47b500442ce
Added to database: 5/28/2026, 3:18:34 PM
Last enriched: 5/28/2026, 3:33:28 PM
Last updated: 5/29/2026, 6:27:55 PM