
Wormable XMRig campaign leverages BYOVD and timed kill switch for stealth

23 February 2026, 15:36

A wormable cryptojacking campaign spreads via pirated software, using BYOVD and a time-based logic bomb to deploy a custom XMRig miner.

Researchers uncovered a wormable cryptojacking campaign that spreads through pirated software bundles to deploy a custom XMRig miner. The attack uses a BYOVD exploit and a time-based logic bomb to evade detection and maximize mining output. Its multi-stage infection chain focuses on boosting cryptocurrency hashrate, often pushing infected systems to instability in the process.

The campaign spreads through pirated “premium” software installers that drop a sophisticated XMRig-based miner. At its core is a controller binary, Explorer.exe, designed as a persistent state machine that switches roles via command-line arguments (installer, watchdog, active infection, cleanup).

“The ‘Explorer.exe’ binary functions as the primary orchestration node for the infection. In traditional malware design, functionality is often compartmentalized into a linear execution flow: a dropper downloads a payload, executes it, and exits. Explorer.exe (controller), however, operates as a persistent state machine,” reads the report published by Trellix. “It determines its behavioral mode based on the specific command-line arguments passed to it during execution, allowing a single binary file to serve multiple distinct operational roles within the infection lifecycle: installer, watchdog, payload manager, and cleaner.”

It separates logic (“brain”) from payloads (“brawn”), which include the miner, watchdogs, and a vulnerable driver (BYOVD) for kernel access.

The malware abuses a legitimate but vulnerable driver called WinRing0x64.sys using a technique known as BYOVD (Bring Your Own Vulnerable Driver). Instead of creating its own malicious driver, it loads this old, signed driver to gain kernel-level access (Ring 0 access).

With this access, it modifies specific CPU settings (Model Specific Registers) to disable hardware prefetchers that interfere with Monero’s RandomX mining algorithm. Because RandomX relies on random memory access, turning off these features reduces cache conflicts and boosts mining performance by 15% to 50%.

Payloads are embedded in the binary’s resource section, decompressed, written to disk as hidden system files, and disguised as legitimate software. A circular watchdog system ensures components relaunch each other if terminated, aggressively restarting the miner and even killing the real Windows Explorer to disrupt users.

The malware includes a time-based kill switch set to December 23, 2025, triggering a controlled cleanup routine.

“A significant discovery within the sub_14000D180 function is a hardcoded temporal check, serving as a ‘kill switch’ or ‘time bomb.’ This mechanism operates by retrieving the local system time and comparing it against a predetermined deadline: December 23, 2025,” continues the report. “The malware’s behavior diverges based on this date:

  • Active phase (Pre-Dec 23, 2025): The malware proceeds with the standard infection routine, installing the persistence modules and launching the miner.
  • Expiration phase (Post-Dec 23, 2025): This suggests that the campaign is not intended to be an indefinite operation. It implies a “fire-and-forget” lifecycle, possibly timed to coincide with the expiration of rented Command & Control (C2) infrastructure, a predicted shift in the cryptocurrency market (specifically Monero difficulty adjustments), or a planned transition to a new malware variant.”

This XMRig variant includes a worm module that spreads through USB drives, not just manual downloads. It quietly listens for new removable devices using Windows system notifications instead of constantly scanning for them. When a USB drive is inserted, the malware copies its explorer.exe file onto the device, hides it in a folder, and creates a malicious shortcut disguised as the drive icon. When the USB is opened on another computer, the shortcut can execute the malware, enabling further spread.
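The USB propagation layout described above (a hidden folder holding a copy of explorer.exe next to a root-level shortcut that poses as the drive) is something an incident responder can triage on a mounted drive. The following is an added example, not code from the report or from the malware, and it only reports findings; the sample drive it builds is a constructed placeholder, and the hidden-folder name `.sys_cache` is an assumption chosen so the dot-prefix counts as hidden on any platform.

```python
"""Triage a mounted removable drive for the USB-worm layout described above."""
import os
import tempfile

HIDDEN_ATTR = 0x2  # FILE_ATTRIBUTE_HIDDEN on Windows


def is_hidden(path):
    """Hidden via Windows file attributes, or dot-prefixed on other platforms."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & HIDDEN_ATTR) or os.path.basename(path).startswith(".")


def triage_removable_drive(root):
    """Return (severity, detail) findings for the drive rooted at `root`.
    A root-level .lnk is medium on its own; explorer.exe inside a hidden folder
    on a drive that also carries a root-level .lnk is the high-confidence combo."""
    findings = []
    root_lnks = [n for n in os.listdir(root)
                 if n.lower().endswith(".lnk") and os.path.isfile(os.path.join(root, n))]
    for lnk in root_lnks:
        findings.append(("medium", f"shortcut in drive root: {lnk}"))
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() != "explorer.exe":
                continue
            full = os.path.join(dirpath, name)
            in_hidden = dirpath != root and is_hidden(dirpath)
            severity = "high" if (in_hidden and root_lnks) else "medium"
            note = " (in hidden folder)" if in_hidden else ""
            findings.append((severity, f"explorer.exe on removable media: {full}{note}"))
    return findings


def build_sample_drive():
    """Construct a throwaway directory mimicking an infected drive (sample data, not real)."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    hidden = os.path.join(root, ".sys_cache")  # assumed name; dot-prefix = hidden here
    os.makedirs(hidden)
    with open(os.path.join(hidden, "explorer.exe"), "wb") as f:
        f.write(b"MZ placeholder, not a real binary")
    with open(os.path.join(root, "USB DRIVE.lnk"), "wb") as f:
        f.write(b"placeholder shortcut, not a real .lnk")
    with open(os.path.join(root, "holiday.jpg"), "wb") as f:
        f.write(b"benign file")
    return root


if __name__ == "__main__":
    for severity, detail in triage_removable_drive(build_sample_drive()):
        print(f"[{severity}] {detail}")
```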

The threat actor appears to be testing the infection chain and persistence features, including the “Barusu” kill switch, on a limited number of systems before scaling up. Mining pool data shows one active worker with a modest hashrate, with sporadic activity in November 2025 and a noticeable spike starting December 8, suggesting a fresh rollout or activation of new infected nodes.

“This campaign serves as a potent reminder that commodity malware continues to innovate. By chaining together social engineering, legitimate software masquerades, worm-like propagation, and kernel-level exploitation, the attackers have created a resilient and highly efficient botnet.” concludes the report. “The use of the BYOVD technique, in particular, highlights a critical weakness in modern OS security models: the trust placed in signed drivers.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, XMRig Campaign)


Reynolds ransomware uses BYOVD to disable security before encryption

11 February 2026, 12:00

Researchers discovered Reynolds ransomware, which uses the BYOVD technique to disable security tools and evade detection before encryption.

Researchers found a new ransomware, named Reynolds, that implements the Bring Your Own Vulnerable Driver (BYOVD) technique to disable security tools and evade detection before encrypting systems.

Broadcom’s cybersecurity researchers initially attributed the attack to Black Basta due to similar tactics, but further analysis confirmed the payload was Reynolds, a new ransomware family. The campaign stands out because it embeds a bring-your-own-vulnerable-driver (BYOVD) component directly inside the ransomware. Instead of deploying a separate tool to disable security software, Reynolds bundles the vulnerable NsecSoft driver within its payload to evade detection.

Bring Your Own Vulnerable Driver (BYOVD) is an attack technique where threat actors use a legitimate but flawed driver to bypass security controls.

Instead of exploiting a new vulnerability, attackers install a signed, trusted driver that contains known security flaws. Because the driver is legitimately signed, Windows allows it to load. Once running, attackers exploit the driver’s weakness to:

  • Bypass kernel-level protections
  • Escalate privileges (gain SYSTEM-level access)
  • Disable or tamper with EDR/antivirus tools
  • Kill security processes

The Reynolds ransomware drops the vulnerable NsecKrnl driver and creates a service to run it. It then abuses the driver flaw (CVE-2025-68947) to kill security processes associated with major defense solutions, including Sophos, Symantec, Microsoft Defender, CrowdStrike, ESET, and Avast tools.

“The ransomware payload drops a vulnerable NsecSoft NSecKrnl driver and tries to create an NSecKrnl service. This driver is then exploited to kill processes,” reads the report published by Broadcom. “The NSecKrnl driver is a Windows kernel-mode driver with a known critical security vulnerability (CVE-2025-68947), which means that it fails to verify if a user has sufficient permissions before executing commands. This allows a local, authenticated attacker to terminate processes owned by other users, including SYSTEM and Protected Processes, by issuing crafted Input/Output Control (IOCTL) requests to the driver.”
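Both write-ups on this page share the same BYOVD footprint: a signed but vulnerable driver (WinRing0x64.sys in the XMRig campaign, NSecKrnl.sys here) registered as a kernel-driver service and loaded from wherever the payload dropped it. The hunt below is an added example, not code from either report; it scores exported System-log 7045 (service installed) and Sysmon ID 6 (driver loaded) events on two signals a defender can check offline, and the event records are constructed samples with field names modelled on those logs.

```python
"""Hunt exported Windows telemetry for the BYOVD pattern described above."""
import os

# Driver names taken from the two articles on this page; in practice, feed
# this from a maintained list such as the Microsoft recommended driver block rules.
VULNERABLE_DRIVERS = {"winring0x64.sys", "nseckrnl.sys"}
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")
SYSTEM_DRIVER_DIR = "\\windows\\system32\\drivers\\"


def driver_basename(path):
    """Lower-cased file name of a Windows path, tolerant of either slash style."""
    return os.path.basename(path.replace("\\", "/")).lower()


def assess_event(event):
    """Return reasons an event looks like BYOVD staging; empty list means benign.
    Accepts a System 7045 record (ImagePath) or a Sysmon 6 record (ImageLoaded)."""
    path = event.get("ImagePath") or event.get("ImageLoaded") or ""
    low = path.lower()
    if not low.endswith(".sys"):
        return []
    reasons = []
    if driver_basename(path) in VULNERABLE_DRIVERS:
        reasons.append("matches known-vulnerable driver name")
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("driver file sits in a user-writable location")
    elif SYSTEM_DRIVER_DIR not in low:
        reasons.append("driver file outside the system drivers directory")
    return reasons


def hunt(events):
    """Return (event, reasons) pairs for every event with at least one reason."""
    return [(e, r) for e in events if (r := assess_event(e))]


# Constructed sample events (not real telemetry); field names follow 7045 / Sysmon 6.
SAMPLE_EVENTS = [
    {"id": 7045, "ServiceName": "NSecKrnl", "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\Users\victim\AppData\Local\Temp\NSecKrnl.sys"},
    {"id": 6, "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\NSecKrnl.sys",
     "Signed": "true"},
    {"id": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
    {"id": 6, "ImageLoaded": r"C:\ProgramData\WinRing0x64.sys", "Signed": "true"},
]

if __name__ == "__main__":
    for event, reasons in hunt(SAMPLE_EVENTS):
        print(event.get("ImagePath") or event["ImageLoaded"])
        for reason in reasons:
            print("  -", reason)
```

Note that "Signed: true" is not a mitigating signal here: the whole point of BYOVD is that the driver carries a valid signature, so the file name and load path are what separate it from legitimate drivers.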

The malware encrypts files and adds the “.locked” extension. Investigators also found a suspicious side-loaded loader weeks earlier and the GotoHTTP remote access tool after the attack, suggesting the attackers may have kept access before and even after deploying the ransomware.

In 2026, ransomware groups routinely disable antivirus and EDR tools before launching encryption. They added this step as security vendors improved early detection. The most common method is BYOVD, where attackers load a signed but vulnerable driver, exploit it to gain higher privileges, and shut down security software. Because the driver is legitimate and signed, it often avoids alerts. Popular tools include TrueSightKiller, GhostDriver, AuKill, Poortry, Gmer, and Warp AVKiller. Attackers sometimes use built-in Windows tools, but BYOVD remains their top defense-evasion tactic.

This campaign raises concerns that more ransomware groups may embed defense-evasion tools directly inside their payloads. Combining both components makes attacks quieter and faster, since attackers no longer need to drop a separate driver that defenders could detect and block. This approach reduces steps and limits response time. It may also attract affiliates, as bundled capabilities make ransomware easier to deploy and more competitive in the criminal market.

“Embedding more capabilities into the ransomware payload itself may also help act as a unique selling point for ransomware developers who are attempting to attract affiliates,” concludes the report, which includes Indicators of Compromise (IoCs). “Having additional capabilities bundled with the ransomware payload may make ransomware attacks easier to carry out, as they would require fewer steps, potentially making such a payload more attractive to affiliates.”


Pierluigi Paganini

(SecurityAffairs – hacking, Reynolds ransomware)
