Wormable XMRig Malware Uses BYOVD to Hijack Windows Systems

April 18, 2026 Newsletter

A new XMRig cryptojacking campaign uses BYOVD, USB-based worming, and a timed kill switch to evade defenses. Here is what security leaders need to do now.

A newly reported XMRig cryptojacking campaign shows how far “commodity” malware has evolved. According to The Hacker News, the operation uses pirated software bundles as bait, drops a custom XMRig miner, abuses a vulnerable signed driver for privilege escalation, and includes worm-like propagation through removable media. The underlying research describes a multi-stage infection chain built to maximize mining output, maintain persistence, and continue spreading even through USB-connected storage.

That matters because this is not just another nuisance cryptominer. From an InfoSight perspective, this campaign reflects a broader shift in threat activity: attackers are increasingly combining social engineering, kernel-level abuse, persistence engineering, and lateral movement techniques in low-noise malware that can still cause serious operational damage. Even when the end goal is Monero mining, the methods look more like modern intrusion tradecraft than old-school opportunistic malware.

How the XMRig BYOVD Campaign Works

The infection starts with a familiar lure: fake “free” premium software bundles, including installers disguised as legitimate office productivity tools. Once executed, the malware deploys a controller binary that identifies as “Explorer.exe,” which acts as the orchestrator for the entire infection. Instead of functioning like a simple dropper, this binary behaves like a persistent state machine with different operating modes for installation, active infection, watchdog recovery, and cleanup.

Researchers found that the malware uses command-line arguments to switch between those modes. For example, one mode handles deployment and starts the miner, another restarts the mining process if it is killed, and a “barusu” mode triggers a controlled self-delete routine. This modular design increases resilience because one component can monitor and relaunch another, making the infection harder to disrupt with basic process termination or ad hoc cleanup.

The campaign also includes a hardcoded time-based logic bomb. The malware checks the local system date against December 23, 2025. Before that date, it continues normal infection behavior. After that date, it invokes the cleanup routine. Since the campaign was publicly disclosed in February 2026, that date is important: it suggests the samples were tied to a late-2025 operational window, not an indefinite deployment cycle.

Why BYOVD Makes This More Dangerous

The most important technical detail is the use of BYOVD—Bring Your Own Vulnerable Driver. In this case, the malware drops and abuses the signed WinRing0x64.sys driver to gain kernel-level access. The campaign ties that driver to CVE-2020-14979, which NVD describes as a flaw that can allow arbitrary memory read/write and elevation to NT AUTHORITY\SYSTEM privileges. NVD lists the issue as CVSS 7.8 (High) under CVSS 3.x.

Attackers use that kernel access to modify CPU Model-Specific Registers (MSRs) and disable hardware prefetch behavior that interferes with RandomX mining. The researchers' testing found this optimization can increase hashrate by 15% to 50%. That is a key point: the vulnerable driver is not just a privilege-escalation trick. It is directly tied to performance tuning, which shows the attackers are engineering the host itself for better monetization.

From an InfoSight perspective, that makes this campaign a strong reminder that vulnerable drivers are not an edge-case hardening issue. They are an active attack surface. Microsoft explicitly states that malicious actors exploit vulnerable but legitimate signed kernel drivers to run malware in the kernel, and it recommends enabling the Microsoft vulnerable driver blocklist and HVCI (memory integrity) to reduce that risk.

This Is Not “Just” Cryptojacking

This XMRig variant has worm-like propagation. The malware listens for device insertion events, detects new storage volumes such as USB drives, copies itself to those devices, and creates a shortcut-based lure intended to trigger execution on another system. That design gives the campaign the ability to spread via removable media and potentially move into segmented or tightly controlled environments where direct network spread is harder.

That changes the business risk. Cryptojacking is usually dismissed as a resource-theft problem. In reality, this kind of malware can degrade endpoint stability, consume CPU resources, disrupt user productivity, and create an internal propagation path that security teams may not detect quickly. The campaign prioritizes maximum mining hashrate and can destabilize victim systems.

For healthcare, manufacturing, and other operationally sensitive environments, the impact can extend beyond sluggish laptops. Any malware that abuses kernel trust, interferes with system performance, and spreads through removable media deserves to be treated as a resilience issue, not just a malware-cleanup ticket. The core lesson is simple: even “non-ransomware” malware can still create real business interruption risk.

What Security Leaders Should Do Now

The immediate defensive priority is to reduce exposure to vulnerable driver abuse. Microsoft states that the vulnerable driver blocklist is enabled by default on many Windows 11 systems and is also enforced when HVCI, Smart App Control, or S mode is active. Microsoft also recommends enabling the Attack Surface Reduction rule “Block abuse of exploited vulnerable signed drivers” as another layer of defense.

That should be paired with stricter removable media controls, stronger application control, and monitoring for signs of miner-like behavior such as unexplained CPU saturation, repeated process relaunches, suspicious driver loads, and outbound connections to mining infrastructure. Recommendations include restricting removable media, blocking mining domains, and reinforcing user awareness around untrusted software downloads, because the infection chain begins with pirated software lures.
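To make the monitoring signals above concrete, here is an added triage example (written for this newsletter, not code from the underlying research or from any security product) that runs simple rules over endpoint telemetry: a load of the WinRing0x64.sys driver named in the article or of any driver from a user-writable path, a process calling itself Explorer.exe that does not live under the Windows directory, the same image being relaunched repeatedly in a short window (the watchdog pattern), and a shortcut file written to removable media. The event records and their field names are constructed for the example and only loosely resemble Sysmon-style fields; the thresholds are assumptions you would tune against your own baseline.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for one workstation (not real logs). Field
# names are an assumption of this example, not any product's schema.
SAMPLE_EVENTS = [
    {"ts": "2025-12-01T09:00:00", "type": "driver_load",
     "path": r"C:\Users\alice\AppData\Local\Temp\WinRing0x64.sys"},
    {"ts": "2025-12-01T09:00:05", "type": "process_create",
     "path": r"C:\Users\alice\AppData\Roaming\Explorer.exe"},
    {"ts": "2025-12-01T09:03:00", "type": "process_create",
     "path": r"C:\Users\alice\AppData\Roaming\Explorer.exe"},
    {"ts": "2025-12-01T09:06:00", "type": "process_create",
     "path": r"C:\Users\alice\AppData\Roaming\Explorer.exe"},
    {"ts": "2025-12-01T09:10:00", "type": "file_create", "removable": True,
     "path": r"E:\Documents.lnk"},
    # Benign noise that must not produce findings.
    {"ts": "2025-12-01T09:11:00", "type": "process_create",
     "path": r"C:\Windows\explorer.exe"},
    {"ts": "2025-12-01T09:12:00", "type": "driver_load",
     "path": r"C:\Windows\System32\drivers\ndis.sys"},
    {"ts": "2025-12-01T09:13:00", "type": "file_create", "removable": False,
     "path": r"C:\Users\alice\Desktop\Report.lnk"},
]

# The driver this campaign abuses; in production, populate this set from the
# Microsoft vulnerable driver blocklist rather than a hand-written list.
KNOWN_VULNERABLE_DRIVERS = {"winring0x64.sys"}
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
RELAUNCH_THRESHOLD = 3               # assumed tuning values
RELAUNCH_WINDOW = timedelta(minutes=10)


def _basename(path):
    # ntpath handles Windows separators even when this runs on Linux/macOS.
    return ntpath.basename(path).lower()


def _user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def check_driver_load(ev):
    """Vulnerable-driver loads are high; any driver from a user-writable path is suspect."""
    name = _basename(ev["path"])
    if name in KNOWN_VULNERABLE_DRIVERS:
        return ("high", f"known vulnerable driver loaded: {name}")
    if _user_writable(ev["path"]):
        return ("medium", f"driver loaded from user-writable path: {ev['path']}")
    return None


def check_masquerade(ev):
    """The real explorer.exe lives under the Windows directory; anything else using that name is suspect."""
    if _basename(ev["path"]) == "explorer.exe" and not ev["path"].lower().startswith("c:\\windows\\"):
        return ("high", f"explorer.exe masquerade: {ev['path']}")
    return None


def check_removable_lnk(ev):
    """Shortcut lures dropped on removable media are the propagation vector described above."""
    if ev.get("removable") and ev["path"].lower().endswith(".lnk"):
        return ("medium", f"shortcut written to removable media: {ev['path']}")
    return None


def check_relaunches(events):
    """Flag any image started RELAUNCH_THRESHOLD or more times inside RELAUNCH_WINDOW."""
    starts = defaultdict(list)
    for ev in events:
        if ev["type"] == "process_create":
            starts[ev["path"].lower()].append(datetime.fromisoformat(ev["ts"]))
    findings = []
    for image, times in starts.items():
        times.sort()
        for i in range(len(times) - RELAUNCH_THRESHOLD + 1):
            if times[i + RELAUNCH_THRESHOLD - 1] - times[i] <= RELAUNCH_WINDOW:
                findings.append(("medium", f"{image} relaunched {RELAUNCH_THRESHOLD}+ times within {RELAUNCH_WINDOW}"))
                break
    return findings


def triage(events):
    """Return (severity, message) findings for a list of telemetry events."""
    per_event = {"driver_load": check_driver_load,
                 "process_create": check_masquerade,
                 "file_create": check_removable_lnk}
    findings = []
    for ev in events:
        check = per_event.get(ev["type"])
        result = check(ev) if check else None
        if result:
            findings.append(result)
    findings.extend(check_relaunches(events))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {message}")
```

Run against the constructed events, the script reports the vulnerable driver load, three masquerade hits for the AppData-resident Explorer.exe, the shortcut on the removable volume, and the relaunch pattern, while the genuine explorer.exe, the ndis.sys load, and the desktop shortcut stay silent. The driver rule is deliberately two-tiered: the blocklist match catches what is already known, and the user-writable-path rule catches the next signed driver an attacker brings along.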

The InfoSight Take

The bigger takeaway is not that attackers found a new way to run XMRig. It is that they combined multiple proven techniques—social engineering, signed driver abuse, persistence loops, and USB-based propagation—into a campaign optimized for both stealth and monetization. That is exactly why organizations need stronger exposure management, disciplined endpoint hardening, and continuous monitoring of abnormal system behavior.

At InfoSight, this is the kind of threat pattern that reinforces three priorities: identify and reduce exploitable endpoint weaknesses before attackers chain them, harden Windows environments against known driver abuse, and detect suspicious behavior early enough to contain spread before performance degradation becomes business disruption. In 2026, “it’s only cryptojacking” is a dangerous assumption. This campaign shows why.
