Analysis of T-Rex CoinMiner Attacks Targeting Internet Cafés in Korea

Medium
Published: Wed Jun 04 2025 (06/04/2025, 20:38:53 UTC)
Source: AlienVault OTX General

Description

A series of attacks targeting Korean Internet cafés have been identified, focusing on systems with specific management software installed. The threat actor, active since 2022, uses Gh0st RAT for system control and ultimately installs T-Rex CoinMiner for cryptocurrency mining. The initial access method remains unknown. The attacks involve memory patching of management software and use of downloaders. The malware suite includes Gh0st RAT, its droppers, patchers, downloaders, and T-Rex CoinMiner. Unlike typical coin mining operations using XMRig for Monero, this actor employs T-Rex, likely due to the presence of high-performance GPUs in Internet café PCs. The attacks have been ongoing since late 2024, prompting responses from management software manufacturers.

AI-Powered Analysis

Last updated: 07/07/2025, 03:11:36 UTC

Technical Analysis

The T-Rex CoinMiner campaign targets Internet cafés in Korea by compromising systems running specific management software. Active since late 2024, the threat actor employs a multi-stage malware suite beginning with Gh0st RAT, a remote access trojan used for persistent system control. The initial infection vector remains unknown, but the attack involves memory patching of the management software and the use of downloaders to deploy additional payloads. Unlike common cryptocurrency mining malware that typically uses XMRig for Monero mining, this actor uses T-Rex CoinMiner, optimized for GPUs, reflecting the high-performance graphics hardware found in Internet café PCs. The malware suite includes Gh0st RAT, its droppers, patchers, downloaders, and the T-Rex miner itself. This approach allows the attacker to covertly mine cryptocurrency while maintaining control over compromised systems. The campaign’s focus on Internet cafés suggests targeting environments with multiple high-end GPUs, maximizing mining efficiency. Management software vendors have responded to the threat, but no patches or mitigations have been publicly detailed. The campaign does not currently have known exploits in the wild beyond the described activity, and the initial infection vector remains unclear, complicating detection and prevention efforts.

Potential Impact

For European organizations, the direct impact of this campaign may be limited due to its current targeting of Korean Internet cafés and the use of region-specific management software. However, the tactics and malware components, such as Gh0st RAT and T-Rex CoinMiner, are globally relevant and could be adapted to similar environments in Europe, particularly in Internet cafés, gaming centers, or other venues with high-performance GPU setups. The presence of Gh0st RAT enables attackers to maintain persistent remote access, potentially leading to data exfiltration, espionage, or further lateral movement within networks. The cryptocurrency mining activity can degrade system performance, increase electricity costs, and reduce hardware lifespan. If adapted to European targets, organizations could face operational disruptions and increased costs. Additionally, the use of memory patching complicates detection by traditional antivirus solutions, increasing the risk of prolonged undetected compromise.

Mitigation Recommendations

European organizations, especially those operating Internet cafés or similar environments with GPU-intensive systems, should implement targeted mitigations beyond generic advice. These include:

1) Conducting a thorough inventory and monitoring of management software versions and configurations to detect unauthorized memory modifications or patching attempts.
2) Deploying endpoint detection and response (EDR) solutions capable of identifying behaviors associated with Gh0st RAT, such as unusual network connections or process injections.
3) Implementing network segmentation to isolate management software systems and limit lateral movement.
4) Monitoring GPU usage patterns for anomalies indicative of unauthorized mining activity.
5) Applying strict application whitelisting to prevent execution of unauthorized downloaders or droppers.
6) Enhancing logging and alerting on suspicious downloader activity and unexpected changes in system memory.
7) Collaborating with software vendors to obtain and apply any forthcoming patches or security advisories related to the management software.
8) Educating staff on recognizing signs of compromise and enforcing strong access controls to reduce the risk of initial infection.
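One way to act on item 4 above, as an added example that is not from the OTX pulse or the AhnLab report: a small Python detector that parses `nvidia-smi` compute-process output against an allowlist of expected GPU users and flags sustained near-100% utilization, the signature of a miner such as T-Rex pinning a café GPU for hours. The allowlist and the `nvidia-smi` sample output are constructed for the demo.

```python
"""Detect unexpected GPU consumers and sustained utilization on a gaming PC."""
import re
import subprocess

# Hypothetical allowlist of processes expected to hold GPU memory on a cafe PC.
ALLOWED = {"leagueoflegends.exe", "dwm.exe", "chrome.exe"}
UTIL_THRESHOLD = 90   # percent utilization considered "flat out"
STREAK_NEEDED = 3     # consecutive samples above threshold before alerting

# Constructed sample of:
#   nvidia-smi --query-compute-apps=pid,process_name,used_memory --format=csv,noheader,nounits
SAMPLE_APPS = """1234, C:\\Riot Games\\League of Legends\\leagueoflegends.exe, 1820
4321, C:\\Users\\Public\\winsvc.exe, 3976
"""

def parse_compute_apps(text: str):
    """Return (pid, basename, mem_mib) tuples from nvidia-smi CSV rows."""
    rows = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or not parts[0].isdigit():
            continue                      # skip headers / malformed rows
        name = re.split(r"[\\/]", parts[1])[-1].lower()
        rows.append((int(parts[0]), name, int(parts[2])))
    return rows

def unexpected_gpu_processes(text: str, allowed=ALLOWED):
    """Processes holding GPU memory that are not on the allowlist."""
    return [r for r in parse_compute_apps(text) if r[1] not in allowed]

def sustained_high_util(samples, threshold=UTIL_THRESHOLD, streak=STREAK_NEEDED):
    """True once `streak` consecutive utilization samples reach `threshold`.
    Games fluctuate between frames and menus; a miner holds the GPU flat."""
    run = 0
    for util in samples:
        run = run + 1 if util >= threshold else 0
        if run >= streak:
            return True
    return False

def query_compute_apps():
    """Live query for a real host (not called in the offline demo)."""
    cmd = ["nvidia-smi", "--query-compute-apps=pid,process_name,used_memory",
           "--format=csv,noheader,nounits"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for pid, name, mem in unexpected_gpu_processes(SAMPLE_APPS):
        print(f"ALERT unexpected GPU process pid={pid} name={name} mem={mem}MiB")
    print("sustained high utilization:", sustained_high_util([99, 98, 100, 99]))
```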

Technical Details

Author: AlienVault
TLP: white
References: https://asec.ahnlab.com/en/88245
Adversary: null
Pulse Id: 6840aeddc28c5d119100354d
Threat Score: null

Indicators of Compromise


Threat ID: 6840e82a182aa0cae2c66207

Added to database: 6/5/2025, 12:43:22 AM

Last enriched: 7/7/2025, 3:11:36 AM

Last updated: 8/9/2025, 4:55:30 PM
