Monero mining malware hidden inside popular game torrents

Hackers launched a mass infection campaign to distribute a Monero mining program that could be activated remotely. The hackers delivered the mining payload via popular game torrents and primarily targeted gamers, as gaming PCs commonly tend to have stronger processors with more than 8 cores.

According to a recent report by Kaspersky, hackers launched a mass infection campaign of popular game torrents like Garry’s Mod, Dyson Sphere Program, and Universe Sandbox to distribute Monero mining application. The hackers could activate this application remotely.

Popular sandbox and simulator games were chosen to distribute the mining program, and the hackers specifically picked games requiring minimal disk space.

The hackers delivered the mining payload via a cracked game installer. Often, such cracked installers require users to turn off their anti-virus to install.

The campaign was referred to as StaryDobry, and it took advantage of torrents consisting of compressed files of the games for quicker downloads.

Kaspersky mentioned that the infections were initially detected in January 2025. However, the campaign started much earlier, in December 2024.

In fact, the campaign has been in preparation since September 2024, at the very least, when the initial versions of these games were uploaded. However, this was only the distribution phase.

The Monero mining program targets processors with 8 cores and above

According to Kaspersky, the remote Monero mining program was activated on 31st December. The functionality of the miner ensures that it makes the most out of the processor’s cores. It first checks if the computer has a process with eight cores or more for the highest yields. If the processor has less than 8 cores, the mining program will not be activated.

Due to this use case, the hackers primarily targeted gamers because gaming PCs are usually equipped with faster processors and strong hardware. According to Kaspersky’s data, most of these infections happened in Russia. However, cases have also been registered in Kazakhstan, Brazil, Germany, and Belarus.

As of yet, the team behind this mass infection hasn’t been identified. However, Kaspersky has reasons to believe that a Russian group is behind the malware, as some of its files use the Russian language. Also, a greater number of infections were reported within Russia.

Cryptopolitan Academy: Are You Making These Web3 Resume Mistakes? - Find Out Here