Mass Malware Campaign Uses Fake Internet Tools to Spread SilentCryptoMiner


Cybercriminals Exploit Restriction Bypass Software to Deliver Malware

A new cyber threat has emerged in the form of a mass malware campaign distributing a cryptocurrency miner named SilentCryptoMiner. The malware is being disguised as a tool designed to bypass internet restrictions, tricking users into installing malicious software on their systems.

According to cybersecurity firm Kaspersky, this campaign is part of a broader trend in which cybercriminals are leveraging Windows Packet Divert (WPD) tools to spread malware. These restriction bypass programs are typically distributed as downloadable archives containing text installation instructions. Users are often advised to disable their security solutions under the false pretense of avoiding “false positives,” which allows the attackers to infiltrate systems without detection.

This method has been widely used in the past to propagate various forms of malware, including stealers, remote access tools (RATs), and trojans. Among the malware families deployed using this tactic are NJRat, XWorm, Phemedrone, and DCRat, each designed to steal data, gain unauthorized access, or exploit system resources for illicit purposes.

Over 2,000 Users Affected in Latest Attack

The latest wave of this attack has targeted over 2,000 users in Russia, spreading the SilentCryptoMiner malware through a deceptive strategy. The malicious software was advertised as a tool to bypass internet blocks based on deep packet inspection (DPI), luring unsuspecting victims into downloading it.

Cybercriminals used a YouTube channel with approximately 60,000 subscribers to distribute links to the infected files. The deceptive campaign escalated further in November 2024 when attackers began impersonating developers of legitimate restriction bypass tools. They issued fake copyright strike notices to YouTube channel owners, threatening to shut down their channels unless they agreed to post videos containing malicious links.

By December 2024, similar distribution tactics were observed on Telegram and YouTube, prompting security measures to take down some of the infected channels. However, the campaign continued to spread, highlighting the persistent nature of the threat.

Mass Malware Campaign Techniques and Evasion Tactics

The SilentCryptoMiner campaign employs advanced evasion techniques to avoid detection and ensure persistence. The malicious archives contain an additional executable file that is launched through a modified batch script using PowerShell commands. If an antivirus program interferes with the attack and removes the malicious binary, an error message prompts the user to disable the security software and re-download the file.

The malware consists of a Python-based loader that downloads a secondary script responsible for retrieving and executing the SilentCryptoMiner payload. Before activation, the malware performs system checks to avoid running in sandbox environments and manipulates Windows Defender settings to exclude itself from scans.

To further evade detection, SilentCryptoMiner utilizes process hollowing, injecting its mining code into the system process dwm.exe to operate stealthily. The miner, based on the open-source XMRig, is artificially inflated to 690 MB with random data blocks to bypass antivirus scans. Additionally, it can halt its mining activity when certain processes are running, ensuring it remains undetected while in use. The malware also features remote control capabilities via a web-based panel, allowing cybercriminals to manage its operations efficiently.
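As an added illustration, not part of this article or of Kaspersky's report, the following Python hunting script runs three checks over constructed sample events that mirror the behaviours described above: a Windows Defender exclusion being added through PowerShell, a dwm.exe instance with an unexpected parent process (a process-hollowing indicator), and an unusually large executable in a user-writable path. The event field names, the 500 MB size threshold and the sample events themselves are assumptions chosen for the example.

```python
"""Hunting rules for the SilentCryptoMiner behaviours described in the article.
Runs over constructed, Sysmon-like event dicts (id 1 = process creation,
id 4104 = PowerShell script block); the size_mb field is an assumed enrichment."""
import re

# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\dwm.exe",
     "parent": r"C:\Windows\System32\winlogon.exe", "size_mb": 0.1},
    {"id": 1, "image": r"C:\Windows\System32\dwm.exe",
     "parent": r"C:\Users\alice\Downloads\bypass\setup.exe", "size_mb": 0.1},
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "size_mb": 690.0},
    {"id": 4104, "script": "Add-MpPreference -ExclusionPath 'C:\\Users\\alice\\AppData\\Local\\Temp'"},
    {"id": 4104, "script": "Get-ChildItem -Path C:\\Temp"},
]

# Assumed threshold: legitimate binaries rarely reach this size; tune per environment.
OVERSIZED_MB = 500

# Matches the cmdlet used to add Defender path/process/extension exclusions.
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I)


def check_event(ev):
    """Return a list of (rule, detail) findings for one event."""
    findings = []
    if ev["id"] == 4104 and EXCLUSION_RE.search(ev["script"]):
        findings.append(("defender_exclusion_added", ev["script"]))
    if ev["id"] == 1:
        image, parent = ev["image"].lower(), ev["parent"].lower()
        # dwm.exe is normally started by winlogon.exe; any other parent suggests a
        # hollowed or spoofed instance such as the miner's injection target.
        if image.endswith(r"\dwm.exe") and not parent.endswith(r"\winlogon.exe"):
            findings.append(("dwm_unusual_parent", ev["parent"]))
        # Inflated payloads outside the Windows directory are worth a look.
        if ev["size_mb"] >= OVERSIZED_MB and not image.startswith("c:\\windows\\"):
            findings.append(("oversized_binary_user_path", f"{ev['size_mb']} MB"))
    return findings


def hunt(events):
    """Apply check_event to every event; returns (index, rule, detail) tuples."""
    return [(i, rule, detail) for i, ev in enumerate(events) for rule, detail in check_event(ev)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```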
