Key stages of the recent XMRig cryptomining attack | Image: G DATA
A new wave of XMRig-based cryptojacking malware is making headlines again—leveraging simple scripting, LOLBAS techniques, and stealthy persistence tactics to mine Monero (XMR) undetected on infected systems. According to a recent threat report from G DATA, the campaign emerged in early 2025, coinciding with a 45% rally in the price of Monero.
“One of the possible drivers was the rally of the Monero (XMR) cryptocoin… with a solid gain of 45% from 196 USD to 285 USD,” G DATA notes. “This spike coincided with the high-profile bitcoin theft that was subsequently converted into Monero.”
Although XMRig is an open-source tool commonly used for legitimate cryptocurrency mining, threat actors have repurposed it for illicit cryptomining—this time using a multi-stage infection chain with Living Off the Land Binaries and Scripts (LOLBAS) to avoid detection.
“What is apparent with the current XMRig threat is its multi-staged approach and use of LOLBAS techniques,” the report states, citing tools like PowerShell and Scheduled Tasks as integral to the infection routine.
The attack starts with a Windows batch file (1.cmd or S1.bat) triggered by svchost.exe. This script:
- Checks for a marker file (check.txt) in %APPDATA%\Temp
- Excludes the C:\ path from Windows Defender
- Downloads a second-stage script (S2.bat) from the domain notif[.]su
- Executes it silently and sets a Scheduled Task named “RunS2BatchScript” for persistence
“At the time it was first observed, it was newly seen in the wild with no more than five detections on VirusTotal.”
The S2.bat script doubles down on persistence and defense evasion by:
- Attempting privilege escalation
- Disabling Windows Update services like Wuauserv, BITS, and TrustedInstaller
- Setting Defender exclusions via PowerShell
- Masquerading as a legitimate nanopool mirror to download the miner
“S2.bat disables the Windows Update Service… preventing future updates to maintain persistence and avoid possible detection.”
The final payload, miner.exe, executes and installs itself as dvrctxctzmmr.exe in %APPDATA%. It:
- Adds a registry entry under HKCU\…\Run\DJKONTAH
- Drops the WinRing0 driver (djhtniluoblq.sys) for low-level access and performance tuning
Each regional variant (e.g., eu1.exe, as.exe) behaves similarly, differing only in obfuscation keys and timestamps.
“They share the same file size, drop a copy as dvrctxctzmmr.exe… and create a registry entry named DJKONTAH.”
One of the most striking observations from G DATA’s analysis is how unsophisticated yet effective this attack is. The batch scripts were written in plain text with clear, commented instructions—potentially generated by LLMs or script kiddies.
“The scripts even had straightforward comments… indicating that it may have been created by LLMs or copied from a certain malware kit.”
Security teams should look for these indicators of compromise (IOCs):
- Suspicious connections to notif[.]su
- Files like:
  - dvrctxctzmmr.exe in %APPDATA%
  - djhtniluoblq.sys in %TEMP%
  - check.txt in %TEMP%
- Registry keys under: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DJKONTAH
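The stage behaviours and IOCs above translate directly into command-line hunting rules. The following is an added example (not code from G DATA or the report): it matches process-creation command lines against the Defender exclusion, the RunS2BatchScript task, update-service tampering, the notif[.]su domain, the DJKONTAH Run key and the dropped file names. The sample log lines are constructed to mimic the described stages and are an assumption about how they would appear; the report does not quote the exact commands.

```python
import re

# Detection heuristics derived from the described XMRig chain. Each rule is a
# (name, compiled regex) pair matched against one process command line.
RULES = [
    # Stage 1: Windows Defender exclusion covering the whole C:\ drive.
    ("defender_root_exclusion",
     re.compile(r"Add-MpPreference.*-ExclusionPath\s+['\"]?C:\\", re.I)),
    # Stage 1: scheduled task created for persistence.
    ("schtask_RunS2BatchScript",
     re.compile(r"schtasks.*/tn\s+['\"]?RunS2BatchScript", re.I)),
    # Stage 2: stopping or reconfiguring update-related services.
    ("update_service_tamper",
     re.compile(r"(\bsc\s+(stop|config)|Stop-Service|Set-Service)"
                r".*(wuauserv|\bBITS\b|TrustedInstaller)", re.I)),
    # Stages 1/2: any reference to the download domain.
    ("c2_domain_notif_su", re.compile(r"notif\.su", re.I)),
    # Final stage: Run-key persistence under the observed value name.
    ("run_key_DJKONTAH",
     re.compile(r"CurrentVersion\\Run.*DJKONTAH|DJKONTAH.*CurrentVersion\\Run", re.I)),
    # Final stage: file names dropped by miner.exe.
    ("dropped_files", re.compile(r"dvrctxctzmmr\.exe|djhtniluoblq\.sys", re.I)),
]

def match_rules(cmdline):
    """Return the names of every rule that fires on a single command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan(lines):
    """Return (line_no, [rule names]) for each line that fires at least one rule."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        names = match_rules(line)
        if names:
            hits.append((line_no, names))
    return hits

# Constructed sample command lines (assumed shapes, not taken from the report).
# The first four mimic the described stages; the last one is benign.
SAMPLE_LOG = [
    'powershell -Command "Add-MpPreference -ExclusionPath C:\\"',
    'schtasks /create /tn "RunS2BatchScript" /tr C:\\Users\\Public\\S2.bat /sc onlogon',
    'sc stop wuauserv',
    'reg add HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v DJKONTAH '
    '/t REG_SZ /d C:\\Users\\u\\AppData\\Roaming\\dvrctxctzmmr.exe',
    'powershell -Command "Get-MpPreference"',
]

if __name__ == "__main__":
    for line_no, names in scan(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(names)}")
```

Feed it the command-line field of Sysmon Event ID 1 or Security Event 4688 exports; a single line firing several rules (exclusion plus task creation, or Run key plus dropped file name) is far stronger evidence than any one indicator alone.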
“Users must also be aware of possible signs of cryptomining infection in their systems,” G DATA advises.