
Darktrace flags new cryptojacking campaign able to bypass Windows Defender

Cybersecurity firm Darktrace has identified a new cryptojacking campaign designed to bypass Windows Defender and deploy crypto mining software.

Summary
  • Darktrace has identified a cryptojacking campaign that targets Windows systems.
  • The campaign involves stealthily deploying NBMiner to mine cryptocurrencies.

The cryptojacking campaign, first identified in late July, involves a multi-stage infection chain that quietly hijacks a computer’s processing power to mine cryptocurrency, Darktrace researchers Keanna Grelicha and Tara Gould explained in a report shared with crypto.news.

According to the researchers, the campaign specifically targets Windows-based systems by exploiting PowerShell, Microsoft’s built-in command-line shell and scripting language, through which bad actors are able to run malicious scripts and gain privileged access to the host system.

These malicious scripts are designed to run directly in system memory (RAM); as a result, traditional antivirus tools, which typically rely on scanning files on a system’s hard drives, are unable to detect the malicious process.

Subsequently, attackers use the AutoIt scripting language, a Windows automation tool typically used by IT professionals to automate tasks, to inject a malicious loader into a legitimate Windows process. That process then downloads and executes a cryptocurrency mining program without leaving obvious traces on the system.

As an added evasion measure, the loader is programmed to perform a series of environment checks, such as scanning for signs of a sandbox environment and inspecting the host for installed antivirus products.

Execution only proceeds if Windows Defender is the sole active protection. Further, if the infected user account lacks administrative privileges, the program attempts a User Account Control bypass to gain elevated access.

When these conditions are met, the program downloads and executes the NBMiner, a well-known crypto mining tool that uses a computer’s graphics processing unit to mine cryptocurrencies such as Ravencoin (RVN) and Monero (XMR).
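The chain described above lends itself to host-based correlation. The following is an added example, not code from Darktrace or the report: it looks for the three observable stages (PowerShell spawning an AutoIt interpreter, that AutoIt process injecting into another process, and the injected process connecting out to a mining pool) across constructed Sysmon-style telemetry. Hostnames, PIDs, image names, the `pool.example.invalid` destination and the Stratum port list are all assumptions for illustration.

```python
"""Added example, not code from the Darktrace report: correlate the three stages of the
chain described above over constructed Sysmon-style telemetry. Hosts, PIDs, images
and ports are assumed for illustration."""
from collections import defaultdict

STRATUM_PORTS = {3333, 4444, 5555, 14444}  # assumption: common pool ports; tune locally

# Constructed telemetry: WS01 shows the full chain; WS02 is an admin host that runs
# AutoIt from PowerShell legitimately and must not raise a full-chain alert.
EVENTS = [
    {"host": "WS01", "type": "process", "pid": 200, "ppid": 100, "image": "powershell.exe"},
    {"host": "WS01", "type": "process", "pid": 300, "ppid": 200, "image": "AutoIt3.exe"},
    {"host": "WS01", "type": "inject", "source_pid": 300, "target_pid": 400},
    {"host": "WS01", "type": "network", "pid": 400, "dest": "pool.example.invalid", "port": 3333},
    {"host": "WS02", "type": "process", "pid": 500, "ppid": 1, "image": "powershell.exe"},
    {"host": "WS02", "type": "process", "pid": 501, "ppid": 500, "image": "AutoIt3.exe"},
    {"host": "WS02", "type": "network", "pid": 501, "dest": "files.example.invalid", "port": 445},
]

def correlate(events):
    """Return {host: [matched stage names]} for each host where stage 1 is present."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        procs = {ev["pid"]: ev for ev in evs if ev["type"] == "process"}
        # Stage 1: an AutoIt interpreter whose parent process is PowerShell.
        autoit = {p["pid"] for p in procs.values()
                  if p["image"].lower().startswith("autoit")
                  and procs.get(p["ppid"], {}).get("image", "").lower() == "powershell.exe"}
        if not autoit:
            continue
        stages = ["powershell_spawns_autoit"]
        # Stage 2: an injection event sourced from one of those AutoIt processes.
        targets = {ev["target_pid"] for ev in evs
                   if ev["type"] == "inject" and ev["source_pid"] in autoit}
        if targets:
            stages.append("autoit_injects_into_process")
        # Stage 3: the injected process connects outbound on a pool port.
        if any(ev["type"] == "network" and ev["pid"] in targets
               and ev["port"] in STRATUM_PORTS for ev in evs):
            stages.append("injected_process_pool_outbound")
        findings[host] = stages
    return findings

def full_chain_hosts(events):
    """Hosts with all three stages: candidates for the outbound blocking described above."""
    return sorted(h for h, s in correlate(events).items() if len(s) == 3)
```

Only WS01 completes the chain; WS02 matches stage 1 alone, which is why a parent-child rule on its own would be too noisy in environments where AutoIt is a sanctioned admin tool.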

In this instance, Darktrace was able to contain the attack using its Autonomous Response system by “preventing the device from making outbound connections and blocking specific connections to suspicious endpoints.”

“As cryptocurrency continues to grow in popularity, as seen with the ongoing high valuation of the global cryptocurrency market capitalization (almost USD 4 trillion at time of writing), threat actors will continue to view cryptomining as a profitable venture,” Darktrace researchers wrote.

Cryptojacking campaigns via social engineering

Back in July, Darktrace flagged a separate campaign where bad actors were using complex social engineering tactics, such as impersonating real companies, to trick users into downloading altered software that deploys crypto-stealing malware.

Unlike the aforementioned cryptojacking scheme, this approach targeted both Windows and macOS systems and was executed by unaware victims themselves who believed they were interacting with company insiders.

