XMRig-Based Cryptomining Malware Uses LOLBAS and Disables Windows Updates to Evade Detection
July 10th, 2025
Severity Level: High

Technical Details
Malware Family: XMRig (Monero miner).
Threat Level: High.
Initial Vector: Unknown; likely delivered via drive-by downloads, cracked software, or phishing attachments.
Targeted Systems: VMware ESXi hypervisors, Linux systems.
Key Actions:
Executes batch script (S2.bat) via 1.cmd wrapper.
Disables critical update services: wuauserv, UsoSvc, BITS, WaaSMedicSvc.
Uses PowerShell to exclude the entire C:\ drive from Windows Defender scanning.
Drops a renamed XMRig miner (e.g., dvrctxctzmmr.exe).
Creates persistence through the Registry (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DJKONTAH).
Installs kernel-mode driver (djhtniluoblq.sys) under %TEMP%.
Connects to Monero mining pools such as notif[.]su, using region-specific nodes (e.g., eu1.exe, in1.exe).
Our Cyber Threat Intelligence Unit has identified a recent surge in cryptojacking activity associated with an advanced XMRig-based malware campaign. The campaign employs multiple Windows evasion techniques, such as disabling update services and scheduled tasks, to covertly mine Monero (XMR) on compromised systems. The malware is designed to establish persistence, evade detection, and consume system resources over extended periods without the user's knowledge. It relies on LOLBAS (Living-Off-the-Land Binaries and Scripts) tactics and PowerShell commands to modify core OS behaviors. This crypto-miner not only degrades system performance but also weakens endpoint defenses by permanently disabling security services. The threat reflects a growing trend in which attackers use stealthy cryptojacking campaigns both to exploit idle system resources and to degrade endpoint security, leaving systems more exposed to additional malware. Its persistence methods and heavy resource usage can disrupt IT operations in enterprise environments, especially if it remains undetected for extended periods.

Impact
Immediate system resource abuse causes CPU throttling and reduced performance.
Critical Windows update functions are disabled, leaving endpoints vulnerable to other malware.
Antivirus and EDR tools become less effective due to exclusions and service tampering.
Long-term persistence is maintained through registry modifications and scheduled tasks, enabling extended unauthorized operation.
System-level drivers may be exploited for deeper access or lateral movement.
Although not immediately destructive, the stealth and persistence of this crypto-miner can significantly compromise operational integrity, security posture, and IT resource availability.
Detection Method
Check system services: Audit the status of wuauserv, UsoSvc, BITS, and related update services.
Inspect Windows Defender exclusions: Look for full-disk exclusions (especially C:\) set via PowerShell.
Monitor process behavior: Identify high CPU usage from unfamiliar executables with random names.
Review autoruns and Registry keys: Flag entries under HKCU\...\Run\DJKONTAH or similar.
Scan for unknown drivers: Search for suspicious .sys files under %TEMP% or other uncommon locations.
Analyze network traffic: Detect communication to mining domains like notif[.]su, or known pool nodes.
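The checks above, combined into one host triage script. This is an added example written for this advisory, not code from the original post or from the malware. It assumes Windows 10/11 or Server with Microsoft Defender and PowerShell 5.1 or later, run from an elevated prompt. The service names, the DJKONTAH value name, notif.su and the three SHA256 hashes come from this advisory; the Temp/AppData path heuristic and the random-name heuristic are assumptions and will need tuning per environment.

```powershell
# Added triage script for this advisory (not from the original post or the malware).
# Assumes Windows 10/11 or Server, Microsoft Defender, PowerShell 5.1+, elevated prompt.
# Indicator values are taken from the advisory; path and name heuristics are assumptions.

$UpdateServices = @('wuauserv', 'UsoSvc', 'BITS', 'WaaSMedicSvc')
$MiningDomains  = @('notif.su')
$KnownHashes    = @(
    'a57688c151a42d8a2b78f72d23ae7e6c2d6a458edd50f0a4649cc630614763b0',
    '3acf8d410f30186a800d5e8c3b0b061a6faf7c0939b129d230de42e9034ce6c3',
    'f4386aaa87c922d5d7db28d808ad6471b1c4deb95d82a9e6cfe8421196c5610b'
)

function New-Finding([string]$Check, [string]$Item, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail }
}

function Test-UpdateServices {
    # wuauserv, BITS and WaaSMedicSvc are demand-started on a healthy host, so a stopped
    # state alone is normal; a start mode of Disabled is the tampering the advisory describes.
    foreach ($name in $UpdateServices) {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
        if ($svc -and $svc.StartMode -eq 'Disabled') {
            New-Finding 'UpdateService' $name "StartMode=$($svc.StartMode) State=$($svc.State)"
        }
    }
}

function Test-DefenderExclusions {
    # A bare drive root such as C:\ excludes the whole volume from scanning.
    $prefs = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $prefs) { return }
    foreach ($path in @($prefs.ExclusionPath | Where-Object { $_ })) {
        if ($path -match '^[A-Za-z]:\\?$') { New-Finding 'DefenderExclusion' $path 'Full-drive exclusion' }
    }
}

function Test-RunKeys {
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            # The advisory's value name, or any autorun launched from a Temp or AppData directory (assumption).
            if ($p.Name -eq 'DJKONTAH' -or $cmd -match '\\(Temp|AppData)\\') {
                New-Finding 'RunKey' "$key\$($p.Name)" $cmd
            }
        }
    }
}

function Test-TempDrivers {
    # Loaded kernel drivers whose image lives under a Temp directory, plus any .sys file in %TEMP%.
    Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -match '\\Temp\\' } |
        ForEach-Object { New-Finding 'LoadedDriver' $_.Name $_.PathName }
    Get-ChildItem -Path $env:TEMP -Filter '*.sys' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'DriverFile' $_.FullName "SHA256=$((Get-FileHash $_.FullName -Algorithm SHA256).Hash)" }
}

function Test-Processes {
    # Top CPU consumers: flag a known hash, an unsigned image under Temp/AppData, or a random-looking name.
    Get-Process | Where-Object { $_.Path } | Sort-Object CPU -Descending | Select-Object -First 15 | ForEach-Object {
        $hash = (Get-FileHash -Path $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $sig  = (Get-AuthenticodeSignature -FilePath $_.Path).Status
        $why  = @()
        if ($hash -and $KnownHashes -contains $hash.ToLower()) { $why += 'KnownHash' }
        if ($sig -ne 'Valid' -and $_.Path -match '\\(Temp|AppData)\\') { $why += "Unsigned($sig)" }
        if ($_.ProcessName -match '^[a-z]{10,}$') { $why += 'RandomName' }   # heuristic, assumption
        if ($why) { New-Finding 'Process' "$($_.ProcessName) (PID $($_.Id))" (($why -join ',') + " CPU=$([int]$_.CPU)s Path=$($_.Path)") }
    }
}

function Test-DnsCache {
    # Cached lookups for the pool domain named in the advisory.
    foreach ($domain in $MiningDomains) {
        Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$domain" } |
            ForEach-Object { New-Finding 'DnsCache' $_.Entry $_.Data }
    }
}

$findings = @(Test-UpdateServices; Test-DefenderExclusions; Test-RunKeys; Test-TempDrivers; Test-Processes; Test-DnsCache)
if ($findings.Count -eq 0) { Write-Host 'No indicators from the advisory found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Each check emits a uniform finding object, so the output can be piped to Export-Csv and collected across a fleet. The start-mode check is deliberately stricter than "is the service running", because BITS and wuauserv being stopped is normal on an idle host; the Disabled start mode is what distinguishes this campaign's tampering from ordinary service state.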
Indicators of Compromise
Type | Indicator |
Domain | notif.su |
SHA256 Hash | a57688c151a42d8a2b78f72d23ae7e6c2d6a458edd50f0a4649cc630614763b0 |
SHA256 Hash | 3acf8d410f30186a800d5e8c3b0b061a6faf7c0939b129d230de42e9034ce6c3 |
SHA256 Hash | f4386aaa87c922d5d7db28d808ad6471b1c4deb95d82a9e6cfe8421196c5610b |

Recommendations
Re-enable and safeguard update services: Monitor and audit key services to prevent unauthorized stoppages.
Regularly audit AV exclusions: Prohibit full-disk exclusions and monitor PowerShell misuse.
Scan for unknown drivers and executables: Use EDR tools to identify uncommon .exe and .sys files.
Block outbound traffic to known mining pools and suspicious domains.
Implement file integrity monitoring (FIM) to detect unauthorized modifications in system directories.
Educate users on phishing, cracked software, and drive-by download dangers.
Enable PowerShell logging and command-line auditing to identify malicious script activity.
Limit admin privileges where possible to prevent misuse of registry and service configurations.
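A remediation and hardening script covering the first three recommendations and the PowerShell and command-line auditing one. This is an added example written for this advisory, not code from the original post. It assumes Windows 10/11 or Server, PowerShell 5.1 or later, Microsoft Defender and an elevated prompt; the "normal" start modes in the table are assumptions for a typical build and should be compared against a known-good host before use. Run it after the miner process has been stopped.

```powershell
# Added remediation script for this advisory (not from the original post).
# Assumes Windows 10/11 or Server, PowerShell 5.1+, Microsoft Defender, elevated prompt.
# Start modes below are assumptions for a typical build; verify against a known-good host.

# Start modes the update services carry on a healthy host; the malware sets them to Disabled.
$ServiceStartModes = @{
    'wuauserv'     = 'Manual'
    'UsoSvc'       = 'Automatic'
    'BITS'         = 'Manual'
    'WaaSMedicSvc' = 'Manual'
}

function Restore-UpdateServices {
    foreach ($name in $ServiceStartModes.Keys) {
        if (-not (Get-Service -Name $name -ErrorAction SilentlyContinue)) { continue }
        try {
            Set-Service -Name $name -StartupType $ServiceStartModes[$name] -ErrorAction Stop
        } catch {
            # WaaSMedicSvc is a protected service; Set-Service may be refused where sc.exe is not.
            $mode = if ($ServiceStartModes[$name] -eq 'Automatic') { 'auto' } else { 'demand' }
            sc.exe config $name start= $mode | Out-Null
        }
        Write-Host "$name start mode set to $($ServiceStartModes[$name])"
    }
    Start-Service -Name 'wuauserv' -ErrorAction SilentlyContinue
}

function Remove-FullDriveExclusions {
    # Drop any Defender exclusion that covers an entire volume (the advisory's C:\ case).
    $paths = @((Get-MpPreference).ExclusionPath | Where-Object { $_ -match '^[A-Za-z]:\\?$' })
    foreach ($path in $paths) {
        Remove-MpPreference -ExclusionPath $path
        Write-Host "Removed Defender exclusion $path"
    }
}

function Remove-RunEntry {
    param([string]$Name = 'DJKONTAH')   # value name from the advisory
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$Name]) {
            Write-Host "Removing $key\$Name -> $($props.$Name)"
            Remove-ItemProperty -Path $key -Name $Name
        }
    }
}

function Remove-TempDrivers {
    # Unregister any kernel driver loaded from a Temp directory and delete its image.
    # If the driver is still running, the file is only released after a reboot.
    Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -match '\\Temp\\' } | ForEach-Object {
        Write-Host "Removing driver service $($_.Name) ($($_.PathName))"
        sc.exe stop $_.Name | Out-Null
        sc.exe delete $_.Name | Out-Null
        Remove-Item -LiteralPath ($_.PathName -replace '^\\\?\?\\', '') -Force -ErrorAction SilentlyContinue
    }
}

function Enable-ScriptAuditing {
    # Script block logging (PowerShell/Operational event 4104) records executed script content;
    # the Audit key adds the full command line to Security event 4688 for every process start.
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $audit -Force | Out-Null
    Set-ItemProperty -Path $audit -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
    auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null
}

Restore-UpdateServices
Remove-FullDriveExclusions
Remove-RunEntry
Remove-TempDrivers
Enable-ScriptAuditing
```

Once 4104 and 4688 events carry script content and command lines, the PowerShell exclusion command and the service-disabling commands this campaign uses become visible to a SIEM rule, which is what lets the next instance be caught at the tampering step rather than at the mining step.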
Conclusion
The XMRig malware campaign demonstrates a high level of operational stealth. By disabling updates, blocking AV scans, and maintaining long-term persistence, it turns infected endpoints into silent crypto-miners. This impacts the performance, security, and control of endpoints within an organization. The deliberate disabling of Windows update mechanisms and abuse of trusted administrative tools reflect a shift in how cryptojacking has evolved from sporadic attacks to persistent and adaptable threats. If left unchecked, such activity not only reduces productivity but also creates opportunities for more damage in the future.
Organizations and administrators must respond promptly by restoring disabled services, removing persistent mechanisms, and strengthening system monitoring. As cryptojacking becomes more evasive, proactive hygiene, behavioral detection, and continuous threat monitoring are crucial for protection against similar future campaigns.