The Silent Goldmine: How Air-Gapped PCs Are Being Hijacked for Crypto Profits
A new breed of cryptojacking malware leaps air-gaps, weaponizes USB drives, and stealthily turns even isolated computers into Monero mining machines.
It starts with a “free” download - a cracked productivity suite promising premium features for nothing. But behind this too-good-to-be-true offer lurks a sophisticated malware campaign, one that doesn’t just steal your CPU cycles - it leaps the digital divide, infecting even air-gapped computers via USB drives. Welcome to the new frontier of cryptojacking, where attackers blur the line between cybercrime and cyber-espionage, all in pursuit of illicit cryptocurrency.
Criminal Innovation: From Coinhive to Kernel-Level Hijacking
Cryptojacking once meant sluggish browsers and noisy fans. Today, it means system-level compromise and advanced persistence. The latest campaign begins with social engineering: users are lured into running pirated installers laced with a stealthy dropper. This dropper unleashes Explorer.exe, a controller binary that morphs between installer, watchdog, miner, and self-destruct switch - its behavior dictated by anime-inspired command-line flags.
Unlike old-school malware that fetched payloads from afar, this one comes fully loaded. All necessary files are embedded within Explorer.exe, including a Monero miner, process killers, monitoring “keeper” binaries, and the notorious WinRing0x64.sys driver. Once running, Explorer.exe orchestrates a network of decoy processes - wps.exe, edge.exe, ksomisc.exe - each programmed to revive the others if security tools try to terminate them.
Jumping the Air-Gap: Worming Through Removable Media
What sets this campaign apart is its worm-like module. Whenever a USB drive is inserted, the malware copies itself into a hidden folder and creates disguised shortcut files. These shortcuts, stripped of their telltale arrow icons, trick users into launching the malware on new systems - bypassing network defenses and reaching even air-gapped computers, such as those in sensitive enterprise environments.
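A defender-side triage check for the shortcut trick described above, added here as an example and not code from the original article or from the campaign's own tooling: it parses a .lnk file's header and StringData per the MS-SHLLINK layout and flags shortcuts whose target is an executable that borrows a system folder icon or sits in a dot-prefixed directory. The folder name `.cache`, the icon-host list, the `classify_lnk` heuristics and the `build_lnk` sample builder are assumptions constructed for this example; a real triage would also check the target folder's hidden attribute on the drive.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")   # 00021401-0000-0000-C000-000000000046
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")]
EXEC_EXT = (".exe", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr")
SYSTEM_ICON_HOSTS = ("shell32.dll", "imageres.dll", "explorer.exe")   # assumption: common folder/drive icon sources

def parse_lnk(data: bytes) -> dict:
    """Parse the MS-SHLLINK header and StringData sections; IDList and LinkInfo are skipped."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:                 # IDListSize (2 bytes) followed by the ItemID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:               # LinkInfoSize counts the whole LinkInfo structure
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    out = {}
    for bit, field in STRING_FIELDS:       # CountCharacters (2 bytes) then chars, no terminator
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            out[field] = data[pos + 2:pos + 2 + n * width].decode(codec)
            pos += 2 + n * width
    return out

def classify_lnk(info: dict) -> list:
    """Heuristic (constructed for this example): reasons a shortcut looks like a disguised launcher."""
    target = info.get("relative_path", "").lower().replace("/", "\\")
    args = [a.strip('"') for a in info.get("arguments", "").lower().split()]
    icon = info.get("icon_location", "").lower()
    reasons = []
    if target.endswith(EXEC_EXT) or any(a.endswith(EXEC_EXT) for a in args):
        reasons.append("target or arguments launch an executable")
        if icon.endswith(SYSTEM_ICON_HOSTS):
            reasons.append("executable target wears a system folder/drive icon")
    if any(p[:1] in (".", "$") for p in target.split("\\") if p not in (".", "..")):
        reasons.append("target lives in a dot/dollar-prefixed directory, a common hidden-folder name")
    return reasons

def build_lnk(relative_path, working_dir, arguments, icon_location) -> bytes:
    """Constructed sample: minimal Unicode .lnk carrying only StringData, so the example runs offline."""
    flags = HAS_RELPATH | HAS_WORKDIR | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(76 - 24)   # remaining header fields zeroed
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments, icon_location))
    return header + body
```

Run `classify_lnk(parse_lnk(open(path, "rb").read()))` over every .lnk on a suspect removable drive; an empty list means none of the heuristics fired.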
Silent Overclock: Weaponizing Vulnerable Drivers
To maximize illicit profits, the malware brings its own “performance enhancer” - a legitimate but outdated driver, WinRing0x64.sys, vulnerable to CVE-2020-14979. By exploiting this driver, the malware gains kernel-level access and tweaks processor settings, optimizing the hardware specifically for the RandomX algorithm used in Monero mining. This “silent overclock” can boost mining yields by double-digit percentages, all while evading most security tools.
Operational Intelligence: A Campaign with an Expiry Date
All mining proceeds are funneled to the Kryptex pool, a favorite of low-tier cybercriminals. But this operation isn’t meant to last forever - a hardcoded expiry date ensures the malware decommissions itself after December 23, 2025. For now, telemetry suggests the campaign is in its early stages, with operators refining their toolkit before a potential wider release.
Conclusion
This campaign marks a chilling evolution in cryptojacking: stealthy, persistent, and capable of bridging even the most secure air-gaps. It’s a wake-up call for defenders - cryptomining malware is no longer just a nuisance, but a full-spectrum threat blending social engineering, worming, and kernel-level trickery. In the relentless gold rush for cryptocurrency, even isolated machines are no longer safe.
WIKICROOK
- Cryptojacking: Cryptojacking is when hackers secretly use your device to mine cryptocurrency, slowing it down and increasing electricity costs without your knowledge.
- Air-gapped: An air-gapped environment is a physically isolated computer or network, disconnected from unsecured networks to protect sensitive data from cyber threats.
- BYOVD (Bring Your Own Vulnerable Driver): BYOVD is a cyberattack where hackers use legitimate but insecure drivers to bypass security software and gain control of a computer system.
- Persistence: Persistence involves techniques used by malware to survive reboots and stay hidden on systems, often by mimicking legitimate processes or updates.
- RandomX: RandomX is a mining algorithm for Monero, optimized for CPUs, designed to resist ASICs and GPUs, and to promote decentralized, fair mining.