A new wave of malicious XMRig variants has emerged, employing sophisticated techniques to evade detection and maintain persistence on compromised systems. This Monero mining malware abuses a legitimate tool. It now has highly optimized functionality and targets dozens more countries. The campaign starts from an initial infection vector that is still unclear and leads to the execution of malicious scripts through built-in Windows tools.

Evasion and Persistence Techniques

The malicious activity begins when the legitimate Windows process svchost.exe creates and runs a command-line (cmd) process that executes a malicious batch file (1.cmd). This XMRig variant leverages LOLBAS (Living Off the Land Binaries and Scripts) techniques: it uses tools already installed on Windows, such as PowerShell, to run its payloads and evade legacy security solutions.

To gain persistence, the malware creates a registry entry at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DJKONTAH, which ensures the XMRig variant runs every time the user logs in. It additionally drops a legitimate WinRing0 driver. This driver, which is also used for privilege escalation, lets the malware perform actions that normally require administrative privileges.

The XMRig variant goes further, disabling Windows updates and scheduled tasks in order to persist on the infected system. It does this by running a downloaded script through PowerShell in a hidden window.
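As an added triage script (not from the article or any vendor tooling), the following PowerShell checks a host for the persistence artifacts described above: the HKCU Run value DJKONTAH, any Run entry that launches PowerShell with a hidden window, and a registered WinRing0 kernel driver. The driver name match and the hidden-window pattern are assumptions about how these artifacts typically appear.

```powershell
# Added hunting script, not code from the original article.
# Checks the persistence artifacts the article describes: the HKCU Run value
# "DJKONTAH", hidden-window PowerShell launchers in Run, and a WinRing0 driver.
# The WinRing0 name match and the hidden-window regex are assumptions.

$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# 1. Inspect every value under the current user's Run key.
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        $val = [string]$p.Value
        if ($p.Name -eq 'DJKONTAH') {
            $findings += "Run value DJKONTAH present: $val"
        }
        elseif ($val -match '(?i)powershell' -and $val -match '(?i)-w(indowstyle)?\s+hidden') {
            # Generic check for the invisible-window launch technique.
            $findings += "Run value '$($p.Name)' starts hidden PowerShell: $val"
        }
    }
}

# 2. Look for a kernel driver whose service name or image path mentions WinRing0.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -match 'WinRing0' -or $_.PathName -match 'WinRing0' } |
    ForEach-Object {
        $findings += "Driver $($_.Name) ($($_.State)) at $($_.PathName)"
    }

if ($findings.Count -eq 0) {
    Write-Output 'No XMRig persistence artifacts found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A WinRing0 hit is not proof of infection on its own, since hardware-monitoring software ships the same driver; correlate it with the Run key and scheduled-task changes before acting.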

Global Targeting and Infrastructure

Next, the malware downloads and executes another script (S2.bat) from the suspicious domain notif[.]su, which has since been taken down. The domain was removed weeks after updates to the malware files stopped in early to mid-April 2025. This indicates a more involved and concerted effort behind the distribution and maintenance of this malicious XMRig variant.

The new campaign also has a broader reach than the earlier 2023 iterations, now focusing on a more diverse set of countries including Russia, Belgium, Greece, and China. This suggests a major shift in the malware's targeting strategy.

XMRig itself received significant performance improvements last month that increase mining efficiency and computing power. These changes let the malicious variant run more smoothly and for longer periods while staying undetected.