Popular Games Turned Weapons: Global Crypto-Mining Attack Hits Gaming PCs

Gaming PCs Targeted in Massive Cryptocurrency Mining Campaign

A sophisticated cryptocurrency mining operation, dubbed StaryDobry, has been discovered targeting gaming enthusiasts worldwide through trojanized game installers. The campaign, detected by Kaspersky on December 31, 2024, primarily affected users in Russia, Brazil, Germany, Belarus, and Kazakhstan.

The attackers strategically chose popular simulator and physics games, including BeamNG.drive, Garry’s Mod, and Dyson Sphere Program, as their distribution vector. These games were selected specifically to target high-performance gaming computers capable of efficient mining operations.

The infection chain begins when users download compromised game installers from torrent sites. The malware employs advanced evasion techniques, including environment checks and geolocation verification. It then deploys multiple stages of payloads, ultimately installing a modified version of the XMRig cryptocurrency miner.

Key Technical Details:
– The malware only activates on systems with 8 or more CPU cores
– Uses custom mining pool infrastructure instead of public pools
– Implements anti-detection measures against task manager and process monitoring tools
– Utilizes Windows Shell Extension functionality for persistence
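For the shell-extension persistence listed above, a defender can review which DLLs Explorer will load as shell extensions. The read-only audit below is an added example, not code from the original report. The page does not say which handler type the malware registers, so the script assumes a handful of standard Windows registry locations and treats a missing file, a signature that is not valid, a DLL outside Windows or Program Files, or a per-user COM registration as worth review.

```powershell
# Added example: list shell-extension COM servers whose DLL deserves a look.
# Assumption: "worth review" = file missing, signature not Valid, DLL outside
# Windows / Program Files, or registered per-user. Read-only; changes nothing.
$clsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$approved = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
$handlers = 'Registry::HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers',
            'Registry::HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers',
            'Registry::HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers',
            'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'

$clsids = @(
    foreach ($key in $approved) {   # value names are the CLSIDs
        if (Test-Path -LiteralPath $key) { (Get-Item -LiteralPath $key).Property }
    }
    foreach ($key in $handlers) {   # subkey name or default value is the CLSID
        if (Test-Path -LiteralPath $key) {
            Get-ChildItem -LiteralPath $key | ForEach-Object { $_.PSChildName; $_.GetValue('') }
        }
    }
) | Where-Object { $_ -match $clsidPattern } | Sort-Object -Unique
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

foreach ($clsid in $clsids) {
    foreach ($hive in 'HKEY_CURRENT_USER', 'HKEY_LOCAL_MACHINE') {
        $key = "Registry::$hive\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $dll = "$((Get-Item -LiteralPath $key).GetValue(''))".Trim('"')
        if (-not $dll) { continue }
        if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "System32\$dll" }
        $exists = Test-Path -LiteralPath $dll -PathType Leaf
        $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { 'Missing' }
        $inTrusted = [bool]($trusted | Where-Object { $dll.StartsWith(($_ + '\'), [StringComparison]::OrdinalIgnoreCase) })
        # A per-user (HKCU) registration overrides the machine-wide one and needs no admin rights.
        if ($sig -ne 'Valid' -or -not $inTrusted -or $hive -eq 'HKEY_CURRENT_USER') {
            [pscustomobject]@{ Clsid = $clsid; Hive = $hive; Dll = $dll; Signature = $sig; TrustedPath = $inTrusted }
        }
    }
}
```

Legitimate software installed per-user will also appear in the output, so treat the results as a review list rather than a verdict.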

The campaign’s sophistication suggests careful planning, with initial deployment traced back to September 2024. While the threat actor remains unidentified, Russian language strings in the malware code suggest possible Russian-speaking origins.

The operation specifically targeted gaming systems because their powerful hardware configurations make them ideal for cryptocurrency mining, and it relied on sophisticated evasion techniques to remain undetected.
