EXECUTIVE SUMMARY:
A malware campaign has been observed targeting users seeking pirated books, movies, and television content through unauthorized streaming and download platforms. The threat actors rely on social engineering techniques by presenting fake video player plugin update prompts that convince users to download malicious archives disguised as legitimate software updates. Once executed, the malware silently infects victim systems and deploys cryptocurrency mining components while maintaining unauthorized access to compromised devices. The campaign has reportedly remained active and continues to evolve its delivery infrastructure and infection mechanisms.
The infection chain begins when a victim visits a pirated streaming or content-sharing website and is presented with a fraudulent notification claiming that a video player component or plugin requires an update. Downloading the offered archive retrieves a package containing a legitimate executable alongside a malicious dynamic-link library. When the executable is launched, DLL side-loading techniques are used to execute the malicious code within the context of a trusted process. The malware establishes persistence, deploys cryptocurrency miners, and incorporates remote-access functionality that allows operators to manage infected hosts. The mining component is capable of utilizing both CPU and GPU resources, retrieves configuration data from remote infrastructure, and communicates with external servers to obtain operational parameters and additional instructions. The campaign has also demonstrated the ability to modify delivery infrastructure while maintaining similar infection workflows across multiple distribution platforms.
The campaign highlights the ongoing risks associated with accessing pirated content and installing software from untrusted sources. Users who interact with unauthorized streaming portals, counterfeit update prompts, or suspicious downloads may unknowingly expose their systems to cryptocurrency miners, remote access malware, and additional malicious payloads. Organizations and individuals should strengthen security monitoring, restrict execution of untrusted software, and educate users about the deceptive update mechanisms frequently used in malware distribution campaigns.
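One way to monitor for the chain described above (a trusted executable dropped from a downloaded archive loading an unsigned DLL from its own directory, followed by a Run-key write) is a small correlation over endpoint telemetry. The example below is added here and is not part of the original advisory or the referenced report; it uses constructed, simplified Sysmon-style events (assumed field names `Image`, `ImageLoaded`, `Signed`, `TargetObject`) rather than real logs.

```python
import ntpath
from collections import defaultdict

# Constructed Sysmon-style events (simplified; not telemetry from the advisory).
# EventID 7 = image load, EventID 13 = registry value set. "Signed" is an assumed
# enrichment field for whether the loaded image carries a valid signature.
SAMPLE_EVENTS = [
    {"EventID": 7, "ProcessId": 4242, "Image": r"C:\Users\u\Downloads\player_update\player.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\player_update\version.dll", "Signed": False},
    {"EventID": 13, "ProcessId": 4242, "Image": r"C:\Users\u\Downloads\player_update\player.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\player"},
    {"EventID": 7, "ProcessId": 777, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": True},
    {"EventID": 7, "ProcessId": 900, "Image": r"C:\Users\u\Downloads\tool\tool.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\tool\helper.dll", "Signed": False},
]

USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def is_run_key(target):
    return any(marker in target.lower() for marker in RUN_KEYS)

def sideload_loads(events):
    """Yield (pid, exe, dll) when an unsigned DLL is loaded from the EXE's own user-writable directory."""
    for ev in events:
        if ev.get("EventID") != 7 or ev.get("Signed", True):  # missing field: assume signed, skip
            continue
        exe_dir = ntpath.dirname(ev["Image"]).lower()
        dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
        if exe_dir == dll_dir and is_user_writable(ev["Image"]):
            yield ev["ProcessId"], ev["Image"], ev["ImageLoaded"]

def correlate(events):
    """Side-load alone -> 'suspicious'; side-load plus a Run-key write by the same process -> 'high'."""
    findings = defaultdict(dict)
    for pid, exe, dll in sideload_loads(events):
        findings[pid].update({"image": exe, "sideloaded_dll": dll, "severity": "suspicious"})
    for ev in events:
        pid = ev.get("ProcessId")
        if ev.get("EventID") == 13 and pid in findings and is_run_key(ev.get("TargetObject", "")):
            findings[pid]["run_key"] = ev["TargetObject"]
            findings[pid]["severity"] = "high"
    return dict(findings)

if __name__ == "__main__":
    for pid, f in correlate(SAMPLE_EVENTS).items():
        print(pid, f["severity"], f["sideloaded_dll"], f.get("run_key", "-"))
```

The same two conditions map directly onto the T1574.001 and T1547.001 rows of the threat profile below, so the rule can be extended with a third stage (outbound web traffic from the same process) to cover T1071.001.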
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Initial Access | T1189 | Drive-by Compromise | - |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Stealth | T1574.001 | Hijack Execution Flow | DLL |
| Stealth | T1036.005 | Masquerading | Match Legitimate Resource Name or Location |
| Stealth | T1027.013 | Obfuscated Files or Information | Encrypted/Encoded File |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Discovery | T1082 | System Information Discovery | - |
| Collection | T1005 | Data from Local System | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | - |
| Impact | T1496.003 | Resource Hijacking | SMS Pumping |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Anti-Static Analysis | B0012 | Disassembler Evasion |
| Command and Control | B0030 | C2 Communication |
| Defense Evasion | F0004 | Disable or Evade Security Tools |
| Defense Evasion | E1027 | Obfuscated Files or Information |
| Defense Evasion | E1055 | Process Injection |
| Defense Evasion | F0007 | Self Deletion |
| Defense Evasion | B0025 | Conditional Execution |
| Discovery | E1082 | System Information Discovery |
| Discovery | E1083 | File and Directory Discovery |
| Execution | B0011 | Remote Commands |
| Execution | E1059 | Command and Scripting Interpreter |
| Impact | B0018 | Resource Hijacking |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Persistence | F0011 | Modify Existing Service |
| Cryptography Micro-objective | C0027 | Encrypt Data |
| Data Micro-objective | C0026 | Encode Data |
| File System Micro-objective | C0052 | Writes File |
| Process Micro-objective | C0017 | Create Process |
REFERENCES:
The following reports contain further technical details:
https://securelist.com/video-books-pirates-miners-rat/119943/