
Digging Gold with a Spoon – Resurgence of Monero-mining Malware

Severity: Medium
Published: Mon Jul 07 2025 (07/07/2025, 13:55:35 UTC)
Source: AlienVault OTX General

Description

A resurgence of malware deploying XMRig cryptominer was discovered in mid-April 2025, coinciding with a rally in Monero cryptocurrency value. The malware uses a multi-staged approach and LOLBAS techniques, leveraging Windows tools like PowerShell for payload delivery, detection evasion, and persistence. The attack chain involves three stages: initial infection via a batch file, persistence establishment, and cryptomining execution. The malware targets diverse countries, including Russia, Belgium, Greece, and China. It disables Windows Update services, evades Windows Defender, and uses scheduled tasks for persistence. The XMRig miner creates registry entries and drops files for continued operation. Despite its simple, unobfuscated nature, the malware proved effective in avoiding detection.

AI-Powered Analysis

Last updated: 07/07/2025, 21:24:42 UTC

Technical Analysis

The threat described is a resurgence of malware deploying the XMRig cryptominer, discovered in mid-April 2025, coinciding with an increase in the value of the Monero cryptocurrency. This malware uses a multi-stage infection chain and Living Off the Land Binaries and Scripts (LOLBAS) techniques, leveraging legitimate Windows tools such as PowerShell to deliver payloads, evade detection, and maintain persistence. The attack chain consists of three stages: initial infection via a batch file, establishment of persistence through scheduled tasks and registry modifications, and execution of the XMRig cryptominer to mine Monero. The malware disables Windows Update services to prevent system patches, evades Windows Defender detection mechanisms, and uses scheduled tasks to ensure continued operation after reboots. It creates registry entries and drops files to maintain persistence and continued cryptomining activity. Despite the malware’s relatively simple and unobfuscated code, it effectively avoids detection by abusing legitimate system tools and disabling security features. The malware has been observed targeting multiple countries, including Russia, Belgium, Greece, and China. Indicators of compromise include specific file hashes and a domain (notif.su) used in the attack infrastructure. The malware’s tactics align with several MITRE ATT&CK techniques such as T1053.005 (Scheduled Task), T1489 (Service Stop), T1059.001 (PowerShell), and others related to persistence, defense evasion, and execution. No known exploits or threat actors are currently linked to this malware, and no CVE identifiers are assigned. The overall severity is assessed as medium by the source, reflecting its impact and ease of detection avoidance but limited direct destructive capabilities.

Potential Impact

For European organizations, this malware poses a significant risk primarily in terms of resource consumption and operational disruption. The cryptomining activity consumes CPU and GPU resources, leading to degraded system performance, increased power consumption, and potential hardware wear. Disabling Windows Update services increases the risk of exposure to other vulnerabilities due to lack of timely patches. Evading Windows Defender and using LOLBAS techniques complicate detection and remediation efforts, potentially allowing the malware to persist undetected for extended periods. While the malware does not appear to directly exfiltrate data or cause destructive damage, the operational costs and security risks associated with compromised systems can be substantial. In sectors with critical infrastructure or sensitive data, the presence of such malware could be a precursor to more severe attacks or indicate broader security weaknesses. Additionally, the malware’s presence can undermine trust in IT systems and lead to increased incident response costs. Given its targeting of Belgium and Greece among European countries, organizations in these countries should be particularly vigilant. The malware’s disabling of security features and persistence mechanisms also increase the risk of secondary infections or lateral movement within networks.

Mitigation Recommendations

To mitigate this threat, European organizations should implement a multi-layered defense strategy that includes:

1) Enforce strict application control policies to prevent execution of unauthorized batch files and scripts, especially those delivered via email or removable media.
2) Monitor and restrict the use of PowerShell and other scripting tools by applying constrained language mode or logging and alerting on suspicious PowerShell activity.
3) Regularly audit scheduled tasks and registry entries for unauthorized modifications indicative of persistence mechanisms.
4) Ensure Windows Update services remain enabled and are not tampered with; implement monitoring to detect service stoppages or configuration changes.
5) Deploy endpoint detection and response (EDR) solutions capable of detecting LOLBAS abuse and anomalous cryptomining behavior, including unusual CPU usage patterns.
6) Use threat intelligence feeds to block known malicious domains such as notif.su and monitor network traffic for connections to suspicious infrastructure.
7) Educate users on the risks of executing unknown batch files and attachments to reduce initial infection vectors.
8) Implement network segmentation to limit the spread and impact of infections.
9) Conduct regular vulnerability assessments and penetration testing to identify and remediate security gaps that could be exploited for initial infection.
10) Maintain up-to-date backups and incident response plans to enable rapid recovery if infection occurs.
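As an added illustration of recommendations 3, 4 and 6 above and of the ATT&CK mappings in the Technical Analysis (not code from the source report or from AlienVault), the following Python triage script runs the page's indicators (the three hashes and notif.su) plus three behavioural rules over constructed process-creation and DNS events. The event field names, file paths, task name and the file carrying a listed hash are assumptions made for this example.

```python
import re
from typing import Dict, Iterable, List

# Indicators listed on this page: three SHA-256 hashes and one domain.
KNOWN_HASHES = {
    "3acf8d410f30186a800d5e8c3b0b061a6faf7c0939b129d230de42e9034ce6c3",
    "a57688c151a42d8a2b78f72d23ae7e6c2d6a458edd50f0a4649cc630614763b0",
    "f4386aaa87c922d5d7db28d808ad6471b1c4deb95d82a9e6cfe8421196c5610b",
}
KNOWN_DOMAINS = {"notif.su"}

# Behavioural rules for the ATT&CK techniques the analysis cites; each predicate
# receives the lowercased image path, command line and parent command line.
RULES = [
    ("T1053.005", lambda img, cmd, par: img.endswith("schtasks.exe") and "/create" in cmd
     and re.search(r"powershell|\.ps1\b|\.bat\b|\.cmd\b", cmd) is not None),
    ("T1489", lambda img, cmd, par: "wuauserv" in cmd
     and re.search(r"\bstop\b|stop-service|set-service|start=\s*disabled", cmd) is not None),
    ("T1059.001", lambda img, cmd, par: img.endswith("powershell.exe") and ".bat" in par),
]

def analyze(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per matched indicator or behavioural rule."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("kind") == "dns":  # DNS events only carry the queried name
            q = ev.get("query", "").lower().rstrip(".")
            if q in KNOWN_DOMAINS or any(q.endswith("." + d) for d in KNOWN_DOMAINS):
                findings.append({"ioc": "domain", "value": q})
            continue
        img, cmd, par = (ev.get(k, "").lower() for k in ("image", "cmdline", "parent_cmdline"))
        if ev.get("sha256", "").lower() in KNOWN_HASHES:
            findings.append({"ioc": "hash", "value": ev["sha256"].lower()})
        for technique, match in RULES:
            if match(img, cmd, par):
                findings.append({"technique": technique, "cmdline": ev["cmdline"]})
    return findings

# Constructed sample telemetry (process-creation and DNS events); the paths, task
# name and the file carrying a listed hash are invented for this example.
PS = r"powershell.exe -File C:\Users\Public\stage2.ps1"
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": PS, "parent_cmdline": r"cmd.exe /c C:\Users\Public\update.bat"},
    {"kind": "process", "image": r"C:\Windows\System32\schtasks.exe", "parent_cmdline": PS,
     "cmdline": 'schtasks /create /sc onlogon /tn SysUpdate /tr "' + PS + '"'},
    {"kind": "process", "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc stop wuauserv", "parent_cmdline": PS},
    {"kind": "process", "image": r"C:\Users\Public\unknown.exe", "cmdline": "unknown.exe",
     "sha256": "3acf8d410f30186a800d5e8c3b0b061a6faf7c0939b129d230de42e9034ce6c3"},
    {"kind": "dns", "query": "notif.su"},
]
```

Running `analyze(SAMPLE_EVENTS)` yields five findings: the PowerShell child of the batch file (T1059.001), the scheduled task (T1053.005), the Windows Update service stop (T1489), one hash match and one domain match; a legitimate `svchost.exe -k netsvcs -p -s wuauserv` host process does not trigger the T1489 rule.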


Technical Details

Author: AlienVault
TLP: white
References: none listed
Adversary: not specified
Pulse Id: 686bd1d71a879c051d569c88
Threat Score: not available

Indicators of Compromise

Hashes (SHA-256):
3acf8d410f30186a800d5e8c3b0b061a6faf7c0939b129d230de42e9034ce6c3
a57688c151a42d8a2b78f72d23ae7e6c2d6a458edd50f0a4649cc630614763b0
f4386aaa87c922d5d7db28d808ad6471b1c4deb95d82a9e6cfe8421196c5610b

Domain:
notif.su

Threat ID: 686c37846f40f0eb72ecd2e4

Added to database: 7/7/2025, 9:09:24 PM

Last enriched: 7/7/2025, 9:24:42 PM

Last updated: 7/8/2025, 12:24:56 PM
