Game Download Trojans Launch Crypto Attack
A cryptocurrency miner was covertly installed on some Windows servers. The attackers tricked users looking for popular games into downloading fake installers that carried the malware.
When users searched for well-known games, they were directed to download game installers that had been tampered with. Once installed, these programs secretly added a miner to the computer.
Trojan Infection Details
The Russian cybersecurity company Kaspersky first spotted this threat on December 31, 2024. They named the campaign “StaryDobry,” which ran for about a month. The malware hit people and companies around the world, with most infections found in Russia, Brazil, Germany, Belarus, and Kazakhstan.
Fake Game Installers Deliver the Trojans
The attackers used popular simulation and physics games such as BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy as bait. In September 2024, infected game versions were posted on various torrent sites. After downloading these “repacks,” users saw a normal installation screen. Once they proceeded, a file named “unrar.dll” was activated, beginning the infection.
How the Trojans Hid Themselves
Before running its harmful tasks, the malware performed several checks to make sure it was not being observed in a sandbox or under a debugger. It contacted several websites, including ip-api.com, api.myip.com, and ipwho.is, to look up the user's IP address and location. If the lookup failed, it defaulted to reporting the location as China or Belarus.
Next, the malware decrypted a file called “MTX64.exe” and saved the output as “Windows.Graphics.ThumbnailHandler.dll” in the system folder. This file hooked the way Windows displays thumbnails, allowing another component, called Kickstarter, to load a hidden payload. That payload was stored as “Unix.Directory.IconHandler.dll” in a folder under the user's roaming AppData directory.
The malware also kept an eye out for programs like taskmgr.exe and procmon.exe, which could reveal its actions. If it found any of these tools running, it would immediately stop the mining process.
Mining and Server Setup
The mining software was a modified version of XMRig. It was designed to start only on computers with eight or more CPU cores. Instead of using a public mining pool, the attackers ran their own server to control the mining operation. The software even had a separate thread that looked for process monitoring tools to avoid detection.
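The behaviour described in the last three sections gives a defender a small set of host artifacts to hunt for. The following is an added detection example, not code from Kaspersky or from the campaign write-up: it runs rules for the two dropped DLL paths and the three geolocation services over constructed endpoint telemetry (the hostnames, paths and event schema are assumptions) and flags a host only when a dropped-DLL rule fires, since geolocation lookups alone are too common to alert on.

```python
import re
from collections import defaultdict

# File-name and domain indicators come from the write-up above; the
# event format and the sample telemetry below are constructed.
DROPPED_DLLS = {
    "system_thumbnail_handler": re.compile(
        r"\\windows\\system32\\windows\.graphics\.thumbnailhandler\.dll$", re.I),
    "appdata_icon_handler": re.compile(
        r"\\appdata\\roaming\\.*unix\.directory\.iconhandler\.dll$", re.I),
}
GEO_LOOKUP_DOMAINS = {"ip-api.com", "api.myip.com", "ipwho.is"}


def match_event(event):
    """Return the name of the rule an event triggers, or None."""
    if event["type"] == "file_write":
        for name, pattern in DROPPED_DLLS.items():
            if pattern.search(event["path"]):
                return name
    elif event["type"] == "dns_query" and event["query"].lower() in GEO_LOOKUP_DOMAINS:
        return "geo_lookup"
    return None


def assess_hosts(events):
    """Group rule hits per host. A host is flagged only when a dropped-DLL
    rule fires; a geolocation lookup on its own is recorded as context."""
    hits = defaultdict(set)
    for ev in events:
        rule = match_event(ev)
        if rule:
            hits[ev["host"]].add(rule)
    return {
        host: {"rules": sorted(rules), "flagged": any(r in DROPPED_DLLS for r in rules)}
        for host, rules in hits.items()
    }


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "dns_query", "query": "ip-api.com"},
    {"host": "ws01", "type": "file_write",
     "path": r"C:\Windows\System32\Windows.Graphics.ThumbnailHandler.dll"},
    {"host": "ws01", "type": "file_write",
     "path": r"C:\Users\alice\AppData\Roaming\svc\Unix.Directory.IconHandler.dll"},
    {"host": "ws02", "type": "dns_query", "query": "ipwho.is"},
    {"host": "ws03", "type": "file_write", "path": r"C:\Windows\System32\ntdll.dll"},
]

if __name__ == "__main__":
    for host, verdict in assess_hosts(SAMPLE_EVENTS).items():
        print(host, "FLAGGED" if verdict["flagged"] else "info", verdict["rules"])
```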
Final Thoughts
There is no clear evidence linking this campaign to any known cybercriminal group. However, some Russian text strings in the code suggest that the people behind this attack might be Russian speakers.