“In April, the total number of visits to websites where the malware described in this study was detected reached 40 million.” That single figure frames the scale: popular pirated book, movie, and TV sites are being used as distribution highways for a persistent cryptomining and remote‑access campaign.
How the infection chain worked
Victims encountered a fake video player plugin update when attempting to watch content on illegal streaming sites. Clicking the link downloaded a ZIP archive containing a legitimate executable, HLS Installer.874.exe, and a large malicious DLL. Launching the executable triggered DLL side‑loading: the legitimate EXE loaded the malicious library into its process and executed code from within that trusted context. At the time of the investigation, the archive was distributed via at least two pirated video sites in the .ru and .top top‑level domains and via the domain urush1bar4[.]online. The delivery mechanism mirrors earlier campaigns that used partial downloads from file[.]ipfs[.]us[.]69[.]mu and tactics described by other analysts, indicating activity stretching back to at least 2022.
Technical anatomy of the DLL and main module
The malicious DLL contains a large volume of junk data intended to increase size and hamper analysis; nested inside is a single vulnerable function that deliberately triggers a stack overflow. That overflow builds a ROP chain to decrypt a next‑stage payload and then transfers execution into a modified DOS header that acts as shellcode. The shellcode passes control to code located at offset 0x5C1000 from the PE base, which reflectively loads the same PE image into memory—this decrypted image is the "main module."
The main module is a modified fork of the SilentCryptoMiner project. On first run it collects a small set of host identifiers—processor information, the serial number of the C: drive, whether the process is elevated, and the process start time—and transmits them in a single large DNS query using DNS tunneling. The DNS query is disguised with a domain name ending in microsoft.com but is sent to unrelated infrastructure; the module proceeds only if the DNS response contains the byte sequence 01 02 03 04.
Persistence, watchdog, and RAT functionality
If the process has elevated privileges, the malware takes aggressive system‑level steps: it adds Windows Defender exclusions for EXE and DLL files and for %USERPROFILE%, %PROGRAMDATA%, and %WINDIR%; it deletes Microsoft’s Malicious Software Removal Tool (mrt.exe) by calling ZwSetInformationFile and creates a DontOfferThroughWUAU registry parameter under HKLM\\Software\\Policies\\Microsoft\\MRT to prevent MSRT reinstall. The malware also disables automatic hibernation and sleep with a set of powercfg commands, copies itself to C:\\ProgramData\\Google\\Chrome, and registers a GoogleUpdateTaskMachineQC service set to start automatically.
Four components are then reflexively loaded into memory and injected into host processes: a RAT agent into conhost.exe; a Watchdog into explorer.exe; a CPU miner into explorer.exe; and a GPU miner into explorer.exe if a discrete GPU is present (the code enumerates display adapters to decide). The Watchdog copies files from C:\\ProgramData\\Google\\Chrome, XOR‑encrypts the contents with the key AFeIboiOmImJS2ypJU0pTpAO61SELkUc and caches them in memory; every five seconds it checks the GoogleUpdateTaskMachineQC service and, if altered, restores the encrypted files from memory—meaning the Watchdog must be terminated before the miner can be fully removed.
When executed without elevation the malware copies itself to %USERPROFILE%\\AppData\\Roaming\\Sandboxie, configures HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run persistence, and repeatedly triggers User Account Control (UAC) prompts every three minutes until the GoogleUpdateTaskMachineQC service is installed with the expected settings and file path.
Command‑and‑control, miner configuration, and indicators
The RAT agent accepts four remote commands: execute an arbitrary command; reflexively execute a provided PE inside explorer.exe; execute provided shellcode; and exit. C2 domains are derived from the current date using a month‑zone scheme plus the word "microsoft," hashed with MurmurHash64. Examples of registered RAT domains include 5d14vnfb[.]space, r7mvjl67[.]space, zgj1tam9[.]space, jeaw520i[.]space, and qdmagva5[.]space. Communications use AES‑CBC with the key 0123456789abcdef0123456789abcdef and a predictable IV pattern; responses include an RSA‑SHA256 signature verified with the server’s public key embedded in the binary.
The miners use XMRig for CPU mining and a multi‑algorithm GPU miner when a discrete GPU is present. Miner configuration is fetched weekly from one of four date‑derived domains (e.g., {{domain}}.strangled.net) and ultimately resolves to the same IP: 107[.]172[.]212[.]235. The campaign’s downloadable archive URL and other IoCs flagged in the investigation include:
- Malicious archive download URL: urush1bar4[.]online
- Malicious DLL hashes: 6A0FE6065D76715FEEBC1526D456DB73, 7F624407AE489324E96A708A09C17E6F, 02A43B3423367B9DDDC24CC7DFC070DF
- RAT C2 domains: 5d14vnfb[.]space, r7mvjl67[.]space, zgj1tam9[.]space, jeaw520i[.]space, qdmagva5[.]space
- Configuration retrieval IP: 107[.]172[.]212[.]235
- Control panel addresses: m4yuri[.]online, kristina[.]quest
What this means for technologists, end users, and enterprises
- Technologists and security teams: expect reflexive loading, in‑memory implants, and service‑based persistence. The Watchdog’s in‑memory restoration means endpoint responders must identify and terminate the explorer.exe‑hosted module before removing files cached under C:\\ProgramData\\Google\\Chrome.
- End users: visiting pirated digital libraries and streaming sites continues to pose a direct risk; the investigators observed the active malware distributed from both online libraries and movie/TV streaming platforms, with individual site audiences ranging from 11,000 to 27.4 million and aggregate April traffic of 40 million visits.
- Enterprises and procurement leaders: the campaign’s use of legitimate executables (HLS Installer.874.exe) paired with malicious DLLs highlights the need for allowlist controls and monitoring of unexpected service registrations such as GoogleUpdateTaskMachineQC pointing to nonstandard paths.
The campaign is methodical: a long‑running delivery mechanism, a main module updated as a SilentCryptoMiner fork, DNS tunneling checks, service‑based persistence, and layered in‑memory components that protect one another. The practical upshot is simple and stark—popular pirated sites remain a fertile distribution channel, and the codebase and infrastructure described here were observed in active use and unmodified for over a year. The final, uncomfortable detail from the investigation: this is not a narrow‑reach experiment but a deployment tied to millions of monthly visits.




