Hackers infected Russian users' devices with a cryptominer disguised as simulator games

Experts from Kaspersky GReAT (the Global Research and Analysis Team at Kaspersky Lab) have identified a new scheme employed by cybercriminals. The attackers have been distributing malicious software via torrent trackers, disguising it as free versions of popular computer games. As a result of the infection, a modified version of the XMRig cryptocurrency miner was downloaded onto users' devices.

Timeline of the Attack

According to the experts, the distribution of this malware began on December 31, 2024, and continued until the end of January 2025. Analysis revealed that the first infected files appeared on torrent sites as early as the previous autumn. Researchers speculate that the perpetrators may resume their activities in the near future. Affected countries include Russia, Belarus, Kazakhstan, Brazil, and Germany.

Impact of the Malware

The XMRig miner exploits the computational power of infected devices to mine cryptocurrency, primarily Monero. Cybercriminals embedded malicious code into files associated with popular simulation games such as BeamNG.drive, Dyson Sphere Program, Universe Sandbox, Plutocracy, and the sandbox game Garry’s Mod. Notably, Kaspersky Lab reported that a significant 70.5% of users encountered infected versions of BeamNG.drive.

After installing the infected file, users could launch the game without any immediate indication of the hidden miner. However, the miner running in the background would lead to overheating of the computer, decreased performance, and even the risk of hardware failure. Additionally, the operation of the miner significantly increases electricity consumption.

Insights from Kaspersky

Tatyana Shishkova, a leading expert at Kaspersky GReAT, noted that the timing of this malicious campaign likely coincided with the holiday season, a period when users are less vigilant about security and the demand for games surges.

She emphasized that the choice of gaming applications was not arbitrary: gaming computers typically possess high performance, making them ideal candidates for covert mining activities. Shishkova also suggested that the attack might be orchestrated by an unknown hacker group. She highlighted that malicious miners could be part of more complex threats and advised users to refrain from downloading software from unreliable sources.

TrendTechie