miners
From December 31, 2024, our telemetry began detecting a significant surge in the activity of the XMRig cryptominer. While most of the malware launches were detected by home security solutions, some were found on corporate systems. A thorough investigation revealed that cybercriminals had been distributing the malware through game torrents. The attack likely targeted gamers in various countries, including Russia, Brazil, and Germany. However, the cryptominer also surfaced on corporate networks — probably due to employees using work computers for personal use.
Malicious campaign
The campaign, affectionately named StaryDobry (“the good old one” in Russian) by our analysts, was carefully planned: malicious distributions were created and uploaded to torrent sites between September and December 2024. Of course, the infected games were repacks — modified versions designed to bypass authenticity checks (in other words, cracked).
Users began downloading and installing these trojanized games, and for a while, the malware showed no signs of activity. But then, on December 31, it received a command from the attackers’ remote server, triggering the download and execution of the miner on infected devices. The list of trojanized titles included popular sim games such as Garry’s Mod, BeamNG.Drive, and Universe Sandbox.
We closely examined a sample of the malware and discovered the following:
- Before launching, the program checks whether it’s running in a debugging environment or sandbox. If it is, the installation is immediately terminated.
- The miner is a slightly modified executable of XMRig, which we covered in detail back in 2020.
- If the infected device has fewer than 8 CPU cores, the miner doesn’t run.
Our products detect the malware used in this campaign as Trojan.Win64.StaryDobry.*, Trojan-Dropper.Win64.StaryDobry.*, and HEUR:Trojan.Win64.StaryDobry.gen. More technical details and indicators of compromise can be found in the Securelist publication.
How to protect your corporate network from miners
From a corporate security perspective, the real concern isn’t just the malware itself, but where it was discovered. A miner in a corporate network is certainly unpleasant — but at least it doesn’t steal data. However, there’s no guarantee that, next time, a repacked game won’t be hiding a stealer or ransomware. As long as employees install pirated games on work computers, gaming-related malware will keep infiltrating corporate systems.
Therefore, the main recommendation for information security personnel is to block torrents at the security policy level (unless, of course, they’re necessary for your company’s business processes). Ideally, all non-work-related software should be completely prohibited. In addition, we have two traditional recommendations:
- Install a reliable security solution on all work devices.
- Train employees in cybersecurity hygiene basics. In the vast majority of cases, human actions serve as the entry point for cyberattacks on corporate systems. That’s why it’s crucial to educate personnel on how to recognize and respond to relevant cyberthreats. One effective way to do this is using our interactive online training platform Kaspersky Automated Security Awareness Platform.
Tips