A cybercriminal group has been quietly exploiting unsuspecting users by disguising malware as legitimate software from a supposed non-profit development team. The operation, active since at least late 2023, focuses on long-term gains rather than quick attacks, allowing the malware to remain hidden on infected systems for extended periods.
The scheme begins with a deceptive download, often delivered as an ISO file. Inside, victims find a ReadMe file that uses social engineering to build trust. It claims the software is created by a small non-profit group that cannot afford official Windows certificates and instructs users to bypass security warnings like SmartScreen by selecting “More Info” and “Run Anyway.” This tactic effectively lowers user suspicion and encourages manual override of built-in protections.
Instead of installing legitimate software, the file deploys multiple malicious components, including remote access tools and a cryptomining program. These tools allow attackers to control infected systems, update malware remotely, access files, and exploit the device’s processing power for cryptocurrency mining.
What makes this attack particularly effective is its ability to evade detection. The malware actively monitors the system for dozens of security and diagnostic tools. If a user opens any of them, from basic system utilities to advanced network analyzers, the mining activity immediately stops and normal system performance is restored, creating the illusion that nothing is wrong. Once the tool is closed, the mining operation silently resumes in the background.
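The tool-aware throttling described above leaves its own signature in endpoint telemetry: a process that is busy only while no diagnostic tool is open. The following is an added example (not code from the original write-up or from the campaign itself) of a heuristic that flags that pattern over per-process CPU samples; the tool watch list, process names and telemetry are constructed placeholders, since the page does not enumerate the tools the malware watches for.

```python
from dataclasses import dataclass
from statistics import mean

# Assumed watch list of diagnostic/analysis tools. The page says the malware
# watches "dozens" of them but does not name them, so these are placeholders.
DIAGNOSTIC_TOOLS = {"taskmgr.exe", "procexp64.exe", "procmon64.exe", "wireshark.exe"}

@dataclass(frozen=True)
class Sample:
    t: int                 # seconds since boot
    proc: str              # sampled process name
    cpu: float             # CPU percent used by that process
    running: frozenset     # names of all processes alive at time t

def split_by_tool_state(samples, proc):
    """Split one process's CPU readings by whether a diagnostic tool was open."""
    with_tool, without_tool = [], []
    for s in samples:
        if s.proc != proc:
            continue
        (with_tool if s.running & DIAGNOSTIC_TOOLS else without_tool).append(s.cpu)
    return with_tool, without_tool

def is_tool_aware(samples, proc, busy=50.0, quiet=5.0, min_samples=5):
    """True when a process is busy only while no diagnostic tool is running."""
    with_tool, without_tool = split_by_tool_state(samples, proc)
    if len(with_tool) < min_samples or len(without_tool) < min_samples:
        return False  # not enough evidence in both states to compare
    return mean(without_tool) >= busy and mean(with_tool) <= quiet

def flag_tool_aware(samples):
    """Names of all processes in the trace that show the throttling pattern."""
    return sorted({s.proc for s in samples if is_tool_aware(samples, s.proc)})

def constructed_telemetry():
    """Constructed 60-second trace: Task Manager is open from t=20 to t=39.
    'minerhost.exe' throttles while it is open; 'render.exe' is a legitimate
    CPU-heavy job that ignores it; 'explorer.exe' is idle throughout."""
    out = []
    for t in range(60):
        tool_open = 20 <= t < 40
        alive = frozenset({"taskmgr.exe"} if tool_open else set())
        out.append(Sample(t, "minerhost.exe", 1.0 if tool_open else 85.0, alive))
        out.append(Sample(t, "render.exe", 90.0, alive))
        out.append(Sample(t, "explorer.exe", 0.5, alive))
    return out

if __name__ == "__main__":
    print(flag_tool_aware(constructed_telemetry()))  # ['minerhost.exe']
```

A steadily busy process and an idle one are both left unflagged; only the process whose load collapses exactly while a watched tool is alive is reported, which is the behaviour a defender would want to correlate with process-start events from an EDR.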
The attackers profit in two main ways. First, they hijack system resources to mine cryptocurrency, using specialized drivers to gain deeper access to hardware and improve mining efficiency. Analysis of related wallets shows that the operation has already generated thousands of dollars in digital currency. Second, victims are funneled into fraudulent “cost per action” schemes, where they are prompted to complete surveys or sign up for services to unlock software features. Each action generates revenue for the attackers.
To further avoid detection and shutdown, the group relies on trusted hosting platforms to distribute their malicious files and uses strong encryption to secure communications between infected machines and their control servers. This makes it significantly harder for security researchers to disrupt the operation.
Overall, this campaign highlights a growing trend in cybercrime: combining social engineering with stealthy, persistent malware to create reliable and low-risk income streams for attackers, all while remaining largely invisible to victims.
This is a concerning example of how attackers are evolving their tactics by blending social engineering with highly persistent malware. The use of a “non-profit” narrative to bypass user suspicion is particularly clever and highlights the importance of never ignoring security warnings. Users should avoid downloading software from unverified sources and always be cautious when asked to override built-in protections like SmartScreen. Staying vigilant is key to preventing such silent and long-term infections.