cryptojacking

Tech Optimizer
March 16, 2026
A crypto miner virus, or cryptojacking malware, secretly uses a device’s CPU or GPU to mine cryptocurrency for an attacker, leading to increased electricity costs and potential hardware damage for the victim. It typically infects devices through phishing emails, pirated software, compromised websites, and malicious browser extensions. Monero is the preferred cryptocurrency for mining due to its efficiency on standard CPUs and privacy features. Signs of infection include overheating, high CPU usage, and increased electricity bills. Detection involves monitoring system performance and running antivirus scans. Prevention includes using antivirus software, keeping systems updated, and avoiding pirated software. Notable incidents include attacks on a European water utility and the Los Angeles Times website.
Tech Optimizer
January 30, 2026
Bitdefender and McAfee are both established antivirus solutions that achieve similar lab test scores, often earning 18 points in assessments by AV-Test and AV-Comparatives. Bitdefender offers a more economical pricing structure, with its Antivirus Plus plan priced between .99 and .99 per year for three devices, while McAfee's plans start at .99 for one device. In real-world malware protection tests, Bitdefender achieved a 99.8% protection rate, compared to McAfee's 99.3%. McAfee includes firewall protection at the antivirus level, while Bitdefender reserves its firewall for higher-tier plans but offers better exploit protection. Bitdefender successfully thwarted 11 out of 12 ransomware attacks in controlled tests, while McAfee's ransomware protection is less reliable. Both offer limited VPN services, with Bitdefender providing 200MB per day and McAfee offering between 250MB and 500MB per month. McAfee completes scans more quickly but uses more CPU, while Bitdefender is more thorough. Bitdefender includes additional security features like anti-tracker and secure browser, whereas McAfee's features are more limited.
Tech Optimizer
November 12, 2025
The Linux ecosystem is facing increased threats from sophisticated cybercriminals targeting critical infrastructure. Kaspersky, a Russian cybersecurity firm, has launched antivirus protection specifically for home Linux users following a ban on its products in the U.S. as of July 2024. This marks the first time Kaspersky's home user products officially support Linux, with compatibility for major 64-bit distributions like Debian, Ubuntu, Fedora, and RED OS. The software includes features such as real-time monitoring, behavioral analysis, automatic scanning of removable media, anti-phishing alerts, online payment protection, anti-cryptojacking capabilities, and AI-powered scanning. However, Kaspersky for Linux is not GDPR-ready, which may concern EU users regarding data protection compliance. Users need an active paid subscription to download the software, but a 30-day free trial is available. Installation is straightforward, with DEB and RPM packages provided.
Tech Optimizer
October 6, 2025
Modern ransomware operations have evolved into complex, multi-stage campaigns that utilize legitimate Remote Access Tools (RATs) to maintain stealth and persistently dismantle organizational defenses. Ransomware encrypts critical data and demands ransom for restoration, with current operations being highly targeted compared to earlier mass phishing attacks. Attackers exploit trusted administrative software like AnyDesk, UltraViewer, RustDesk, and Splashtop to establish backdoors, escalate privileges, and deploy payloads across networks, moving laterally and evading detection. The ransomware kill chain consists of several stages:
1. Initial Access: Attackers gain access through credential compromise, often targeting administrator accounts.
2. Remote Tool Abuse: Attackers deploy RATs either by hijacking existing tools or performing silent installations.
3. Persistence & Privilege Consolidation: They maintain persistence using registry keys and scheduled tasks while escalating privileges.
4. Antivirus Neutralization & Anti-Forensics: Attackers stop antivirus services, manipulate policies, and clear logs to evade detection.
5. Payload Deployment & Execution: Ransomware is delivered and executed within remote sessions to avoid suspicion.
Commonly abused RATs include AnyDesk, UltraViewer, AppAnywhere, RustDesk, Splashtop, and TightVNC, which have been associated with various ransomware campaigns. Understanding the tactics and techniques used by adversaries is crucial for effective defense, as they exploit legitimate tools to bypass security measures. Emerging trends include AI-driven RAT deployment, cloud-based RAT abuse, and the integration of RATs in ransomware-as-a-service offerings. A comprehensive defense strategy involves multiple layers of security, including virus protection, behavior-based detection, and application control, to counter the risks posed by RAT abuse in ransomware attacks.