Cryptominer hidden in pirated games lands mostly on Russian computers
Suspected Russian-speaking hackers are using malicious versions of popular pirated games to install cryptomining software known as XMRig on their victims' devices, researchers have found.
The attacks, conducted by a previously unidentified threat actor, mostly affected users in Russia, with additional cases observed in Belarus, Kazakhstan, Germany, and Brazil, according to a new report by Russian cybersecurity firm Kaspersky.
Malicious versions of games such as BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox and Plutocracy were hosted on torrent sites, which are often used for the illegal sharing of copyrighted content like movies, music, software and games.
Gamers in Russia are particularly vulnerable to such attacks due to the high rate of piracy in the country. Russian torrent sites like RuTracker are widely used to pirate movies, TV shows, games, and music. After Western companies withdrew from Russia following its invasion of Ukraine in 2022, pirated versions of films and games became even more prevalent.
As part of the campaign discovered by Kaspersky, the hackers delivered open-source cryptocurrency mining software XMRig to their victims via popular simulator and open-world games that require minimal disk space.
These malicious releases were created in advance and uploaded around September 2024. Although the trojanized games were published by different authors, they were all cracked in the same way, researchers said.
Outside of cryptominers like XMRig, pirated games can also be tainted with other malware tied to cybercrime, such as botnets used for distributed denial-of-service (DDoS) attacks and spam campaigns.
XMRig can be legitimately used to mine cryptocurrency, primarily Monero, but it has been widely abused by cybercriminals, who are consistently devising new methods to deliver the installer to victims’ devices. In one campaign, they used pirated versions of the video editing software Final Cut Pro to install the cryptominer on Apple computers.
The campaign discovered by Kaspersky was launched on New Year’s Eve, as criminals likely tried to exploit reduced vigilance and increased torrent traffic during the holiday season, researchers said. The attacks lasted for a month and affected both individuals and businesses, where the hackers compromised computers inside corporate infrastructures.
Before infecting the targeted devices, the hackers used tools that checked for antivirus software and, if any was detected, terminated the malware's execution. To deliver the miner implant, the actors implemented “a sophisticated execution chain” that made use of powerful gaming machines capable of sustaining mining activity, researchers said.
There are no clear links between this campaign and any previously known threat actors, making attribution difficult, according to Kaspersky. However, the use of the Russian language suggests the campaign may have been developed by a Russian-speaking actor.
Earlier in September, researchers from Russian cybersecurity firm F.A.C.C.T. discovered a campaign where hackers attempted to deliver XMRig to workers at Russian tech companies, retail marketplaces, insurance firms, and financial businesses through malicious email auto-replies.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.