February 19, 2025

Cracked Games Spread Cryptomining Malware Targeting Gamers Worldwide

A large-scale malware campaign dubbed "StaryDobry" has been targeting gamers worldwide with trojanized versions of cracked games, spreading a sophisticated cryptomining malware that exploits users seeking free game downloads.

The campaign, which began in late December 2024 and lasted approximately one month, primarily impacted users in Russia, Brazil, Germany, Belarus, and Kazakhstan. Cybersecurity researchers discovered that threat actors strategically uploaded infected game installers onto torrent sites in September 2024, months before triggering the payloads during the holiday season.

Popular games like BeamNG.drive, Garry's Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy were among the titles used to distribute the malicious installers. The trojanized game packages appeared normal and included the actual game, but also contained hidden malicious code designed to infect users' systems.

The infection chain involves a multi-stage process that ultimately deploys an XMRig cryptocurrency miner. When users download and install the infected game, a malware dropper (unrar.dll) is unpacked and launched in the background, performing extensive anti-debugging checks to avoid detection.

The malware demonstrates highly evasive behavior, collecting detailed system information including OS version, country, CPU, RAM, and GPU details. It then sends this information to a command and control (C2) server and proceeds to install a malware loader that poses as a legitimate Windows system file.

If the infected machine has at least eight CPU cores, the malware downloads and runs a modified XMRig miner. The miner maintains a separate thread continuously monitoring for security tools, shutting itself down if any process monitoring applications are detected.
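The chain described above (installer unpacks unrar.dll, a loader masquerading as a Windows system file, then a CPU-hungry miner in the same process lineage) can be turned into simple endpoint-telemetry detection logic. The following is an added example, not code from the article or from Kaspersky; the telemetry field names, the constructed sample events, the list of system file names to watch and the CPU threshold are all assumptions, since the article does not name the impersonated file.

```python
import collections

# Directories where genuine Windows system binaries live (assumption).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def _norm(path):
    return path.replace("/", "\\").lower()

def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]

def masquerades_as_system_file(path, system_names):
    """A binary named like a Windows system file but located elsewhere."""
    p = _norm(path)
    return _basename(p) in system_names and not p.startswith(SYSTEM_DIRS)

def find_chain(events, system_names, cpu_threshold=80.0):
    """events: dicts with pid, ppid, image, loaded (DLL paths), cpu_pct.
    Returns (rule_name, pid) findings in a stable order."""
    by_pid = {e["pid"]: e for e in events}
    children = collections.defaultdict(list)
    for e in events:
        children[e.get("ppid")].append(e["pid"])
    # Rule 1: a process loads unrar.dll from outside the system directories.
    droppers = [e["pid"] for e in events
                if any(_basename(d) == "unrar.dll" and not _norm(d).startswith(SYSTEM_DIRS)
                       for d in e.get("loaded", []))]
    findings = [("unrar_dll_loaded", pid) for pid in droppers]
    # Collect every descendant of a flagged installer process.
    lineage, stack = [], list(droppers)
    while stack:
        for child in children.get(stack.pop(), []):
            lineage.append(child)
            stack.append(child)
    for pid in lineage:
        e = by_pid[pid]
        # Rule 2: loader posing as a legitimate Windows system file.
        if masquerades_as_system_file(e["image"], system_names):
            findings.append(("masquerading_system_file", pid))
        # Rule 3: sustained CPU load inside the installer's lineage (miner).
        if e.get("cpu_pct", 0.0) >= cpu_threshold:
            findings.append(("high_cpu_descendant", pid))
    return findings

KNOWN_SYSTEM_NAMES = {"svchost.exe", "dllhost.exe"}  # assumption: names to watch
SAMPLE_EVENTS = [  # constructed telemetry, not taken from the article
    {"pid": 100, "ppid": 1, "image": r"C:\Users\alice\Downloads\BeamNG_setup.exe",
     "loaded": [r"C:\Users\alice\AppData\Local\Temp\unrar.dll"], "cpu_pct": 4.0},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "loaded": [], "cpu_pct": 1.0},
    {"pid": 300, "ppid": 200, "image": r"C:\ProgramData\updater.exe", "loaded": [], "cpu_pct": 96.0},
    {"pid": 400, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe", "loaded": [], "cpu_pct": 3.0},
]
```

Correlating the three rules through parent/child relationships is what separates this chain from a user who merely runs a legitimate archiver or a genuine svchost.exe.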

Cybersecurity researchers from Kaspersky noted that while they cannot definitively attribute the attacks to a specific threat group, the use of Russian language in the code suggests the campaign likely originates from a Russian-speaking actor.

"StaryDobry tends to be a one-shot campaign," Kaspersky researchers concluded. "By targeting powerful gaming machines capable of sustained mining activity, the threat actors implemented a sophisticated execution chain that exploited users seeking free games."

Users are advised to only download games from official sources and maintain up-to-date antivirus protection to prevent such infections.


Anthony Denis

Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing on a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.
