👤 NEURALSHIELD
🗓️ 07 Sep 2025  

Cryptojackers Go Incognito: Windows Character Map Turned Into Secret Crypto Mine

Attackers hijack a mundane Windows tool to stealthily mine cryptocurrency, exposing new risks lurking inside everyday software, according to a recent Darktrace investigation.

Fast Facts

  • Darktrace detected cryptojacking malware abusing Windows Character Map (charmap.exe) in July 2025.
  • The attack used an obfuscated AutoIt loader to inject NBMiner, a cryptomining tool, into memory.
  • The malware evaded detection by hiding inside a trusted Windows process and checking for security tools.
  • Cryptojacking can raise electricity bills, slow devices, and may signal deeper network intrusions.
  • Darktrace’s automated response blocked the attack before the cryptominer could connect to its command server.

A New Kind of Digital Parasite

Imagine your computer as a bustling city. In one quiet corner, a rarely noticed municipal building - the Windows Character Map - hums along, helping users insert foreign characters and symbols. Recently, this humble tool became the perfect hideout for a new breed of cybercriminals. According to Darktrace, reported via HackRead, attackers have started exploiting this everyday Windows application to turn unsuspecting computers into secret cryptocurrency mines.

How the Attack Unfolded

This July, Darktrace’s security systems flagged a retail client’s device making an odd digital handshake: a new PowerShell user agent connecting to the web. Digging deeper, analysts Keanna Grelicha and Tara Gould discovered a sophisticated cryptojacking campaign. The attackers used a layered, hard-to-decipher script (an “obfuscated AutoIt loader”) to sneak NBMiner - a popular cryptomining tool - directly into the computer’s memory.

But the real sleight of hand came next. The malware injected itself into charmap.exe, a trusted Windows process. Like a pickpocket blending into a crowded street, it evaded suspicion by checking if Task Manager or advanced security tools were running. If only Windows Defender was present, it pressed on. The cryptominer then tried to quietly connect to a mining pool - gulf.moneroocean.stream - hoping to siphon off computing power for illicit profit.
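As an added illustration (not code from Darktrace or this article), the routine below runs the three signals described above over constructed Sysmon-style network events: a utility such as charmap.exe that never needs network access opening a connection, a destination matching the pool hostname named in the report, and a PowerShell user agent not in a baseline. The event fields, host names, the baseline agent string and the port are assumptions.

```python
"""Flag the behaviours from the charmap.exe cryptojacking case in network events.

Sample events are constructed; field names loosely follow Sysmon Event ID 3
(Image, DestinationHostname, DestinationPort) and are an assumption.
"""
from dataclasses import dataclass

# Pool hostname quoted in the Darktrace write-up.
KNOWN_POOL_HOSTS = {"gulf.moneroocean.stream"}
# Windows utilities with no legitimate reason to open outbound sockets.
NO_NETWORK_IMAGES = {"charmap.exe"}
# PowerShell user agents previously seen in this environment (constructed baseline).
BASELINE_PS_AGENTS = {"Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1.19041.1"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

@dataclass(frozen=True)
class NetEvent:
    host: str          # endpoint that made the connection
    image: str         # process image name
    dst_host: str      # destination hostname or IP
    dst_port: int
    user_agent: str = ""  # only present for HTTP(S) connections

def triage(events, baseline_agents=BASELINE_PS_AGENTS):
    """Return (host, image, reason) findings; an event can trip several rules."""
    findings = []
    for ev in events:
        img = ev.image.lower()
        if img in NO_NETWORK_IMAGES:
            findings.append((ev.host, img, "network connection from a process that never needs one"))
        if ev.dst_host.lower() in KNOWN_POOL_HOSTS:
            findings.append((ev.host, img, f"destination is known mining pool {ev.dst_host}"))
        if img in POWERSHELL_IMAGES and ev.user_agent and ev.user_agent not in baseline_agents:
            findings.append((ev.host, img, f"unseen PowerShell user agent: {ev.user_agent}"))
    return findings

SAMPLE_EVENTS = [  # constructed; port 10128 is a placeholder, not from the report
    NetEvent("RETAIL-WS01", "powershell.exe", "203.0.113.10", 443, "PowerShell/Custom-Loader 1.0"),
    NetEvent("RETAIL-WS01", "charmap.exe", "gulf.moneroocean.stream", 10128),
    NetEvent("RETAIL-WS02", "chrome.exe", "www.example.com", 443, "Mozilla/5.0 (Windows NT 10.0)"),
]

if __name__ == "__main__":
    for host, image, reason in triage(SAMPLE_EVENTS):
        print(f"{host}: {image}: {reason}")
```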

Not Just a Nuisance: Cryptojacking’s Broader Impact

Cryptojacking - when attackers secretly use your device to mine cryptocurrency - has evolved from minor annoyance to serious concern. While the immediate effect is slower performance and higher energy bills, experts warn that these attacks are increasingly a smokescreen for broader intrusions. Jason Soroko of Sectigo told HackRead that cryptojacking should be treated as an intrusion warning, not a harmless glitch. Attackers may use these campaigns to scout networks or steal credentials, making early detection crucial.

Darktrace’s rapid, AI-powered response in this case prevented the cryptominer from connecting to its command and control server, halting the attack before damage was done. But the incident underscores a growing trend: attackers are hiding in plain sight, abusing even the most innocuous software to slip past traditional defenses.

Lessons From the Shadows

This isn’t the first time everyday Windows processes have been hijacked for malicious ends. Similar “living off the land” attacks have targeted system utilities like PowerShell and Windows Management Instrumentation (WMI) for years. What’s new is the creativity: by choosing an obscure app like Character Map, attackers bet on defenders overlooking the threat. As cryptojacking tools become more sophisticated, organizations must prioritize behavioral monitoring and automated response - spotting not just known threats, but unusual patterns in their digital cityscape.

In an era where even the most mundane software can become a backdoor, vigilance is no longer optional. As this case shows, the next cryptomine could be hiding where you least expect it.

WIKICROOK

  • Cryptojacking: Cryptojacking is when hackers secretly use your device to mine cryptocurrency, slowing it down and increasing electricity costs without your knowledge.
  • Obfuscated Script: An obfuscated script is code that’s deliberately scrambled or layered to make it hard for people and security tools to interpret or detect.
  • AutoIt Loader: AutoIt is a legitimate Windows scripting language for automating tasks; an AutoIt loader is a script built with it that attackers misuse to secretly load malware into a computer’s memory.
  • Process Injection: Process injection is when malware hides within legitimate software processes, making it harder for security tools to detect and remove the threat.
  • Mining Pool: A mining pool is a group of computers that join forces to mine cryptocurrency more efficiently and share rewards; cryptojackers point hijacked machines at a pool to collect their illicit earnings.

NEURALSHIELD
AI System Protection Engineer