Advanced Crypto Mining Malware Spreads Through External Drives and Air-Gapped Systems

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A sophisticated cryptocurrency mining campaign has emerged, targeting systems through external storage devices with the ability to compromise even air-gapped environments.

The malware operates as a multi-stage infection that prioritizes mining Monero cryptocurrency while establishing persistent mechanisms to resist removal.

Unlike typical cryptojacking operations, this campaign employs kernel-level exploitation and worm-like propagation capabilities.

The attack begins through pirated software bundles masquerading as legitimate office productivity suite installers.

Overall File Inventory (Source – Trellix)

Once executed, the malware deploys multiple components that work in coordination to maintain the infection and maximize mining output.

The operation features watchdog processes creating a self-healing architecture where terminating one component triggers others to resurrect it within seconds.

The Circular Dependency flowgraph (Source – Trellix)

What makes this threat particularly concerning is its propagation method. Trellix analysts identified the campaign in late 2025, uncovering an operation that actively monitors for newly connected external drives.

When users insert USB flash drives or external hard disks, the malware automatically copies itself to the device and creates hidden folders with deceptive shortcuts.

This mechanism enables lateral movement across networks and can breach air-gapped systems through physical media transfer.
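The decoy layout described above (a hidden folder beside a visible shortcut that carries the folder's name) can be hunted for before a drive is trusted. The scanner below is an added example, not Trellix's or the article's code; it assumes the decoy consists of a hidden directory plus a same-named `.lnk` beside it, treats "hidden" as the Windows hidden attribute or a leading dot, does not parse LNK targets, and builds a constructed sample tree in a temporary directory to run against.

```python
"""Scan a removable drive for the folder-shortcut decoy layout.

Added example (not code from Trellix or the article). Assumptions: the decoy
is a hidden directory plus a visible .lnk shortcut of the same name beside it;
hidden means the Windows hidden attribute or, on POSIX, a leading dot.
"""
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2            # Windows attribute bit
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".bat", ".cmd", ".vbs", ".ps1", ".scr"}


def is_hidden(path: Path) -> bool:
    """Hidden attribute on Windows, or dot-prefixed name elsewhere."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def find_decoy_shortcuts(root: Path):
    """Shortcuts whose stem matches a hidden sibling directory (Photos.lnk next to a hidden Photos)."""
    findings = []
    for lnk in root.rglob("*.lnk"):
        for entry in lnk.parent.iterdir():
            if (entry.is_dir() and is_hidden(entry)
                    and entry.name.lstrip(".").lower() == lnk.stem.lower()):
                findings.append((str(lnk), str(entry)))
    return sorted(findings)


def find_hidden_executables(root: Path):
    """Executable files living under any hidden directory of the drive."""
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            ancestors = [root / p for p in path.relative_to(root).parents if p.parts]
            if any(is_hidden(a) for a in ancestors):
                findings.append(str(path))
    return sorted(findings)


def scan_drive(root) -> dict:
    """Run both rules against a mounted drive root and return the findings."""
    root = Path(root)
    return {
        "decoy_shortcuts": find_decoy_shortcuts(root),
        "hidden_executables": find_hidden_executables(root),
    }


def build_sample_drive(base) -> Path:
    """Constructed sample tree mirroring the decoy layout; placeholder bytes, no real payload."""
    base = Path(base)
    (base / ".Photos").mkdir()
    (base / ".Photos" / "installer.exe").write_bytes(b"MZ placeholder, not a real binary")
    (base / "Photos.lnk").write_bytes(b"L\x00\x00\x00 placeholder shortcut")
    (base / "Reports").mkdir()
    (base / "Reports" / "q1.docx").write_bytes(b"benign document")
    return base


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_drive(build_sample_drive(tmp))


if __name__ == "__main__":
    for rule, hits in demo().items():
        print(rule, hits)
```

Point `scan_drive()` at the mount point of a drive (for example `E:\`) to check real media; the benign `Reports` folder in the sample tree shows that ordinary visible folders produce no findings.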

The malware’s architecture demonstrates deliberate separation between command logic and execution logic.

The controller handles monitoring and decision-making while remaining lightweight to avoid triggering security software.

Separate payload components handle resource-intensive mining operations and aggressive defensive actions, including terminating security tools or the legitimate Windows Explorer process.
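The watchdog behaviour above (a terminated component re-created within seconds by a peer that it in turn re-creates) leaves a recognisable pattern in process telemetry. The detector below is an added example and not Trellix's analysis code; the event list is constructed, Sysmon-like (timestamp, event kind, image, parent image), and the ten-second window is an assumption.

```python
"""Detect mutual-respawn ("watchdog") process pairs from process telemetry.

Added example; the events are a constructed, Sysmon-like list, not Trellix data.
An image re-created within `window` seconds of its own termination, by a parent
that it in turn re-creates, forms a circular dependency.
"""
from collections import defaultdict

# Constructed events: (seconds since start, kind, image, parent_image)
SAMPLE_EVENTS = [
    (0.0, "create", "ctl.exe", "installer.exe"),
    (0.1, "create", "miner.exe", "ctl.exe"),
    (0.2, "create", "guard.exe", "ctl.exe"),
    (30.0, "terminate", "miner.exe", None),
    (31.5, "create", "miner.exe", "guard.exe"),    # resurrected by guard.exe
    (60.0, "terminate", "guard.exe", None),
    (61.0, "create", "guard.exe", "miner.exe"),    # resurrected by miner.exe
    (90.0, "terminate", "notepad.exe", None),
    (400.0, "create", "notepad.exe", "explorer.exe"),  # ordinary relaunch, too late to count
]


def find_resurrections(events, window=10.0):
    """Return {(image, respawning_parent): count} for creates within `window` s after a terminate."""
    last_terminate = {}
    counts = defaultdict(int)
    for ts, kind, image, parent in sorted(events, key=lambda e: e[0]):
        if kind == "terminate":
            last_terminate[image] = ts
        elif kind == "create":
            t = last_terminate.get(image)
            if t is not None and 0 <= ts - t <= window:
                counts[(image, parent)] += 1
    return dict(counts)


def find_circular_pairs(resurrections):
    """Pairs where each image has respawned the other: the self-healing loop."""
    pairs = set()
    for image, parent in resurrections:
        if (parent, image) in resurrections:
            pairs.add(frozenset((image, parent)))
    return pairs


if __name__ == "__main__":
    hits = find_resurrections(SAMPLE_EVENTS)
    print("resurrections:", hits)
    print("circular pairs:", [sorted(p) for p in find_circular_pairs(hits)])
```

Feed real Sysmon event ID 1 and 5 records (mapped to the same tuple shape) and the circular pairs identify which processes must be stopped together rather than one at a time.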

Kernel-Level Exploitation and Performance Optimization

The most technically advanced component involves a Bring Your Own Vulnerable Driver technique. The malware drops WinRing0x64.sys, a legitimate but vulnerable driver component containing CVE-2020-14979.

The vulnerability lets the malware gain Ring 0 kernel privileges, bypassing the operating system’s hardware abstraction layer.

Handshake flowgraph (Source – Trellix)

Through kernel access, the malware modifies CPU Model Specific Registers to disable hardware prefetchers that interfere with RandomX mining algorithm efficiency.

This optimization increases the Monero mining hashrate by 15 to 50 percent.

The technique achieves performance improvements without writing a malicious driver, instead piggybacking on the valid digital signature of the vulnerable legacy driver.

The campaign incorporates temporal controls with hardcoded logic checking the system date against December 23, 2025.

Before this deadline, the malware proceeds with infection routines, but afterward triggers cleanup mode that terminates components and deletes dropped files, suggesting a planned operational lifecycle.

Organizations should enforce Microsoft’s Vulnerable Driver Blocklist through Windows Defender Application Control to prevent vulnerable drivers from loading.

Implementing device control policies to restrict removable media can cut off the worm’s propagation vector.

Security teams should configure web filtering to block outbound connections to consumer-grade mining pools and enforce security awareness training regarding pirated software risks.
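Two of the controls above, blocking the vulnerable driver and cutting off mining-pool traffic, produce log events that can be triaged automatically. The script below is an added example, not Trellix's or the article's code: the log lines, hosts and addresses are constructed for the demo, the port list is an assumption about ports commonly used by public pools, and only the driver file name from the article (WinRing0x64.sys) is matched. The WDAC blocklist itself matches drivers by hash and signer rather than by name, so this name check is a triage aid, not a substitute for enforcing it.

```python
"""Triage constructed firewall/proxy/driver-load log lines for the indicators
the article names: mining-pool connections and loads of WinRing0x64.sys.

Added example; log format, hosts and addresses are constructed. The port list
and hostname hints are assumptions, not from the article.
"""
import re

VULNERABLE_DRIVER_NAMES = {"winring0x64.sys"}           # driver named in the article
COMMON_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}     # assumption: typical public-pool ports
HOSTNAME_HINTS = ("pool", "xmr", "monero")              # assumption: pool naming conventions

SAMPLE_LOG = """\
2025-11-02T10:14:03Z FW allow src=10.0.4.17 dst=198.51.100.23 dport=14444 proto=tcp
2025-11-02T10:14:05Z PROXY CONNECT pool.example-mining.invalid:3333 from=10.0.4.17
2025-11-02T10:15:11Z FW allow src=10.0.4.18 dst=203.0.113.8 dport=443 proto=tcp
2025-11-02T10:15:30Z PROXY CONNECT update.example.invalid:443 from=10.0.4.18
2025-11-02T10:16:40Z SYSMON DriverLoad host=WS-17 image=C:\\Users\\Public\\WinRing0x64.sys signed=true
"""

FW_RE = re.compile(r"\bFW \w+ src=(\S+) dst=(\S+) dport=(\d+)")
PROXY_RE = re.compile(r"\bPROXY CONNECT ([^\s:]+):(\d+) from=(\S+)")
DRIVER_RE = re.compile(r"\bDriverLoad host=(\S+) image=(\S+)")


def triage(text: str):
    """Return one finding dict per line that matches a rule, in log order."""
    findings = []
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m:
            if int(m.group(3)) in COMMON_POOL_PORTS:
                findings.append({"rule": "pool-port", "src": m.group(1),
                                 "dst": f"{m.group(2)}:{m.group(3)}"})
            continue
        m = PROXY_RE.search(line)
        if m:
            host, port, src = m.group(1).lower(), int(m.group(2)), m.group(3)
            if port in COMMON_POOL_PORTS or any(h in host for h in HOSTNAME_HINTS):
                findings.append({"rule": "pool-host", "src": src, "dst": f"{host}:{port}"})
            continue
        m = DRIVER_RE.search(line)
        if m:
            # Compare only the file name; the dropper path varies per infection
            name = re.split(r"[\\/]", m.group(2))[-1].lower()
            if name in VULNERABLE_DRIVER_NAMES:
                findings.append({"rule": "vulnerable-driver", "src": m.group(1), "dst": m.group(2)})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

A driver-load finding on a host should prompt a check that the blocklist policy is actually enforced there (a signed but blocklisted driver loading means it is not), and the pool-traffic findings give the source hosts to isolate.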
