{
  "name": "Cryptojacking Campaign Exploits Driver to Boost Monero Mining",
  "slug": "cryptojacking-campaign-exploits-driver-to-boost-monero-mining",
  "description": "A sophisticated cryptojacking campaign has been discovered, spreading through pirated software installers. The operation utilizes a customized XMRig miner and a controller component for long-term system access. Unlike browser-based schemes, this campaign deploys system-level malware using deceptive installers masquerading as office software. The modular design enhances resilience, with multiple watchdog processes for persistence. A notable feature is the exploitation of a vulnerable signed driver (CVE-2020-14979) to gain kernel-level access, boosting Monero mining performance by 15% to 50%. The campaign connects to the Kryptex mining pool and uses a Monero wallet for payouts. Organizations are advised to enable Microsoft's vulnerable driver blocklist and implement other protective measures.",
  "published": "2026-02-18T15:50:28+00:00",
  "created_at": "2026-02-18T15:50:28+00:00",
  "modified_at": "2026-02-18T18:40:49+00:00",
  "created_at_opencti": "2026-02-18T15:50:28+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-02-18",
    "CVE-2020-14979",
    "cryptojacking",
    "driver vulnerability",
    "kernel exploit",
    "monero mining",
    "persistence",
    "pirated software",
    "stealth",
    "xmrig"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "http://xmr-sg.kryptex.network:8029"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:83adebc6ef4eb478",
        "name": "XMRig",
        "slug": "xmrig"
      }
    ],
    "attack_patterns": [
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "53b3b18c-d0d0-4bf6-bc6b-2c0ab9180deb",
        "name": "T1070"
      },
      {
        "id": "fcd96dc0-500e-4354-bd97-5c65718a9004",
        "name": "T1562"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "6d618903-d9f6-4747-aec2-7630f43c1908",
        "name": "T1496"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2020-14979"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "xmr-sg.kryptex.network"
      }
    ]
  },
  "external_refs": [
    "https://www.infosecurity-magazine.com/news/cryptojacking-driver-boost-monero",
    "https://otx.alienvault.com/pulse/6995edd428d58a7ab0d74baa"
  ]
}