StaryDobry Attack
Players searching for popular simulation and physics-based games may have unknowingly installed a hidden cryptocurrency miner on their Windows systems. Cybersecurity researchers first identified this large-scale operation, codenamed StaryDobry, in late December 2024. The campaign reportedly lasted for about a month, compromising numerous machines worldwide.
High-Performance Machines Exploited for Mining
The campaign primarily targeted both individual users and businesses across multiple regions, with notable infection rates in Russia, Brazil, Germany, Belarus and Kazakhstan. By focusing on gaming setups with powerful hardware, the attackers maximized the efficiency of their covert mining operations.
Popular Games Used as Lures
The attack relied on disguising malicious installers as legitimate copies of well-known games. Among the titles used as bait were BeamNG.drive, Garry's Mod, Dyson Sphere Program, Universe Sandbox and Plutocracy. The threat actors uploaded these trojanized installers to torrent sites as early as September 2024, indicating that the operation was carefully premeditated.
Infected Installers Trigger a Stealthy Attack Chain
Unsuspecting users who downloaded these so-called 'repacks' were presented with what appeared to be a standard installation process. During the setup, a hidden dropper file ('unrar.dll') was deployed and executed in the background, initiating the next stage of the infection.
Advanced Evasion Techniques in Action
Before proceeding, the dropper performed multiple checks to ensure it was not running in a virtualized or sandboxed environment, demonstrating its sophisticated evasion capabilities. It then contacted external services such as api.myip.com, ip-api.com, and ipwho.is to gather IP addresses and determine user locations. If this step failed, the system was assigned a default location of China or Belarus for reasons that remain unclear.
A Complex Multi-Stage Execution Process
Once the machine was fingerprinted, the dropper decrypted and executed another component named 'MTX64.exe'. This executable saved its contents as 'Windows.Graphics.ThumbnailHandler.dll' in a system directory. Based on a legitimate open-source project, EpubShellExtThumbnailHandler, the executable misused Windows Shell Extension functionality to load the next payload, 'Kickstarter'.
The Kickstarter component extracted an encrypted data blob and wrote it to disk under the name 'Unix.Directory.IconHandler.dll' in a hidden folder within the user's AppData directory. This new file then retrieved the final-stage payload from a remote server, which contained the actual cryptocurrency miner.
The Stealthy Miner Deployment and Process Monitoring
The miner's execution was closely monitored to avoid detection. It continuously checked for system monitoring tools like Task Manager ('taskmgr.exe') and Process Monitor ('procmon.exe'). If either of these processes was detected, the miner was immediately terminated to evade scrutiny.
XMRig Tweaked for Selective Mining
At the core of the operation was a customized version of the XMRig miner. It only activated on CPUs with at least eight cores, ensuring that the compromised machines had sufficient processing power to mine efficiently. Additionally, instead of relying on a public mining pool, the attackers set up their own private server to direct mining profits exclusively to their infrastructure.
XMRig leveraged its built-in functionality to parse command-line instructions while maintaining a separate thread to check for active monitoring tools. This persistent self-defense mechanism helped keep the mining activity hidden from the user.
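The artifacts named in the chain above (the dropped shell-extension DLLs, the 'MTX64.exe' stage and the three IP-lookup services) can be turned into a simple hunting rule. The following is an added example, not code from the researchers or the page: it scores constructed, Sysmon-style telemetry lines whose field layout ("event_type|host|detail") is an assumption, and only flags a host when two independent indicator classes coincide, since a lookup to ip-api.com on its own is routine.

```python
# Added hunting example for the StaryDobry artifacts described above.
# The telemetry format and sample records are constructed assumptions.
from collections import defaultdict

# Artifact names taken from the campaign description.
DROPPED_DLLS = {"windows.graphics.thumbnailhandler.dll",
                "unix.directory.iconhandler.dll"}
GEO_LOOKUP_HOSTS = {"api.myip.com", "ip-api.com", "ipwho.is"}
STAGE_BINARIES = {"unrar.dll", "mtx64.exe"}

# Constructed telemetry: "event_type|host|detail" (assumed layout).
SAMPLE_EVENTS = """\
FileCreate|ws-17|C:\\Windows\\System32\\Windows.Graphics.ThumbnailHandler.dll
DnsQuery|ws-17|ip-api.com
ProcessCreate|ws-17|C:\\Users\\alice\\AppData\\Local\\Temp\\MTX64.exe
FileCreate|ws-17|C:\\Users\\alice\\AppData\\Roaming\\.cache\\Unix.Directory.IconHandler.dll
DnsQuery|ws-42|api.myip.com
FileCreate|ws-42|C:\\Program Files\\Game\\data.pak
"""

def score_hosts(raw: str) -> dict:
    """Return {host: set of matched indicator classes} for the telemetry text."""
    hits = defaultdict(set)
    for line in raw.splitlines():
        etype, host, detail = line.split("|", 2)
        name = detail.rsplit("\\", 1)[-1].lower()
        if etype == "FileCreate" and name in DROPPED_DLLS:
            # A DLL posing as a shell-extension handler was written to disk.
            hits[host].add("shell_ext_dll")
            if "\\appdata\\" in detail.lower():
                # The second-stage DLL lives in a hidden AppData folder.
                hits[host].add("appdata_drop")
        elif etype in ("ProcessCreate", "ImageLoad") and name in STAGE_BINARIES:
            hits[host].add("stage_binary")
        elif etype == "DnsQuery" and detail.lower() in GEO_LOOKUP_HOSTS:
            # Benign alone; meaningful only beside the file artifacts.
            hits[host].add("geo_lookup")
    return dict(hits)

def flagged_hosts(raw: str, min_classes: int = 2) -> list:
    """Hosts matching at least `min_classes` independent indicator classes."""
    return sorted(h for h, c in score_hosts(raw).items() if len(c) >= min_classes)
```

On the constructed sample, ws-17 matches four classes and is flagged, while ws-42 matches only the geo-lookup class and is not.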
A Mystery Threat with Russian Clues
Despite the scale and sophistication of the operation, the perpetrators' identities remain unknown. However, researchers discovered Russian-language strings embedded within the campaign's components, suggesting that the attack may have originated from a Russian-speaking threat actor.
The StaryDobry campaign highlights the risks associated with downloading software from unverified sources. By leveraging game installers as bait, cybercriminals managed to deploy a hidden miner while maintaining a stealthy presence on compromised systems. This incident underscores the importance of caution when acquiring software online as threat actors continue to refine their deceptive tactics.