Crypto Malware Targets Gamers: Monero Mining Payload Delivered via Popular Game Torrents
According to Kaspersky, the campaign started last December, targeting users who are downloading torrents of popular games with a silent install of XMRig, a Monero mining program.
Introduction
Hackers are now targeting gamers, who generally have capable computers, with crypto-mining malware. Kaspersky, a Russian cybersecurity company, reported that crypto criminals have begun using torrents of popular games—including BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy—to distribute Monero mining applications that can be activated remotely.
Method of Distribution
The mining payload is delivered via a crack installer that bypasses copy protection, allowing users to install and play the downloaded game. This campaign, termed “StaryDobry”, exploits torrent distribution of repacks, which are compressed instances of the games that facilitate faster downloads of cracked versions.
Kaspersky began detecting these infections in January 2025, indicating that preparations for the campaign likely began in September, with the first versions of these game releases being uploaded at that time.
Activation of Mining Payload
However, this was just the distribution phase; the XMRig instances were remotely activated starting December 31, when Kaspersky first detected a massive wave of infections. To maximize yields, the miner checks whether the infected computer's processor has eight or more cores. If the processor has fewer than eight cores, the miner does not activate, because mining performance would be poor.
Target Audience
This core-count check explains why the campaign targets gamers: gaming rigs are typically equipped with strong hardware for enhanced gaming performance. Kaspersky noted that most infections occurred in Russia, with additional cases registered in Belarus, Kazakhstan, Germany, and Brazil.
Conclusion
While the identity of the group behind this campaign is still unknown, Kaspersky suspects it may be a Russian group due to the use of the Russian language in some files and the high infection rate in Russia.