New Cryptocurrency Mining Malware Targets Pirated Gaming Software Users

CyberSecureFox 🦊

Kaspersky Lab researchers have uncovered a sophisticated malware campaign dubbed “StaryDobry” that specifically targets users of pirated video games. The operation deploys the XMRig cryptocurrency miner through modified versions of popular games, utilizing victims’ computing resources to mine Monero cryptocurrency while evading detection.

Campaign Timeline and Targeted Games

The malicious campaign gained significant momentum during the holiday season, operating from December 31, 2024, through late January 2025. The attackers primarily distributed infected versions of popular games through torrent networks, with BeamNG.drive accounting for 70.5% of all infections. Other compromised titles include Garry’s Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy.

Technical Analysis of the Infection Chain

The malware employs a sophisticated multi-stage infection process, beginning with the deployment of a modified unrar.dll file during game installation. This component performs system analysis to detect security tools and virtual machines, establishing persistence through regsvr32.exe upon successful verification. The malware then conducts comprehensive system reconnaissance, gathering detailed information about the victim’s hardware specifications.
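The persistence step above (a modified unrar.dll registered through regsvr32.exe) leaves a hunting signal in process-creation telemetry. The following is an added detection example, not code from Kaspersky or CyberSecureFox; the JSON records are constructed in a Sysmon Event ID 1-like shape ("Image", "CommandLine", "ParentImage") with invented sample paths, and the rule that unrar.dll has no legitimate reason to be COM-registered is an assumption.

```python
import json
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DLL_RE = re.compile(r'"([^"]+\.dll)"|(\S+\.dll)', re.IGNORECASE)

def dll_args(command_line):
    """Every .dll path on the command line, quoted or bare."""
    return [quoted or bare for quoted, bare in DLL_RE.findall(command_line)]

def check_event(event):
    """Reasons a Sysmon-style process-creation record resembles the campaign's
    regsvr32.exe persistence step; empty list when nothing matches."""
    image = event.get("Image", "").replace("/", "\\").lower()
    if ntpath.basename(image) != "regsvr32.exe":
        return []
    reasons = []
    for dll in dll_args(event.get("CommandLine", "")):
        path = dll.replace("/", "\\").lower()
        if not path.startswith(SYSTEM_DIRS):
            reasons.append(f"DLL registered from outside Windows dirs: {dll}")
        # Assumption: unrar.dll is a plain archive library, so COM-registering it is anomalous
        if ntpath.basename(path) == "unrar.dll":
            reasons.append(f"unrar.dll registered via regsvr32 (StaryDobry pattern): {dll}")
    parent = ntpath.basename(event.get("ParentImage", "").lower())
    if reasons and ("setup" in parent or "install" in parent):
        reasons.append(f"spawned by installer-like parent {parent} (game install stage)")
    return reasons

def scan_log(text):
    """Parse JSON-lines records; return [(record_no, reasons)] for each hit."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        reasons = check_event(json.loads(line)) if line.strip() else []
        if reasons:
            hits.append((no, reasons))
    return hits

# Constructed sample records (not real telemetry): a benign system-DLL
# registration, one matching the campaign's pattern, and an unrelated process.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "regsvr32.exe /s C:\\Windows\\System32\\scrrun.dll"},
    {"Image": "C:\\Windows\\SysWOW64\\regsvr32.exe", "ParentImage": "C:\\Users\\victim\\Downloads\\BeamNG.drive_setup.exe",
     "CommandLine": 'regsvr32.exe /s "C:\\Games\\BeamNG.drive\\unrar.dll"'},
    {"Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe",
     "CommandLine": "explorer.exe"},
])
```

Running `scan_log(SAMPLE_LOG)` flags only the second record, with three reasons; a regsvr32.exe load of a system DLL from System32 produces none.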

Advanced Evasion Techniques

The malware demonstrates advanced capabilities in evading detection through several sophisticated mechanisms:
– Masquerades as legitimate Windows system files
– Implements process monitoring detection, automatically terminating operations when security monitoring tools are detected
– Utilizes private mining pools to obscure financial transactions

Impact Analysis and Geographic Distribution

The campaign primarily affects users in Russia, Belarus, Kazakhstan, Brazil, and Germany. Infected systems experience significant performance degradation, hardware strain, and increased power consumption. The use of private mining pools instead of public ones makes tracking the attackers’ financial operations particularly challenging for security researchers.

This campaign highlights the escalating sophistication of cryptocurrency mining malware and emphasizes the risks associated with pirated software. Security experts recommend implementing robust endpoint protection solutions and maintaining legitimate software licenses to prevent such infections. Users should be particularly vigilant about software sources and monitor system performance for unusual behavior patterns that might indicate crypto mining activity. Regular security audits and system monitoring can help detect and prevent cryptocurrency mining malware before it causes significant damage to hardware and computing resources.
