Trojanized Game Installers Spread Cryptocurrency Miner in Large-Scale StaryDobry Attack


A widespread cyberattack campaign, dubbed StaryDobry, is targeting users searching for popular game downloads by deploying a trojanized installer that delivers a cryptocurrency miner onto Windows systems. The large-scale operation, first identified by Russian cybersecurity firm Kaspersky on December 31, 2024, continued for a month, affecting individuals and businesses globally.


StaryDobry: A Global Threat Targeting Gaming PCs

Kaspersky's telemetry indicates that the highest infection rates have been observed in Russia, Brazil, Germany, Belarus, and Kazakhstan. By specifically targeting high-performance gaming machines, the attackers optimize their cryptojacking operation, ensuring sustained mining activity.


"This method allowed the threat actors to maximize the efficiency of their miner implant by leveraging the processing power of gaming PCs," noted Kaspersky researchers Tatyana Shishkova and Kirill Korchemny in their analysis.


XMRig Miner Delivered via Infected Game Installers

The StaryDobry campaign utilizes popular simulation and physics-based games, including:

  • BeamNG.drive

  • Garry's Mod

  • Dyson Sphere Program

  • Universe Sandbox

  • Plutocracy


These game installers were compromised and distributed via torrent sites in September 2024, suggesting that the attackers meticulously planned the operation.


Malware Execution Process

Users who download these infected "repacks" encounter a standard game installation screen. However, during the setup, a malicious dropper file (unrar.dll) is extracted and executed.


The DLL first checks whether it is being debugged or run inside a sandbox. If no such environment is detected, it looks up the victim's IP address using services such as:

  • api.myip[.]com

  • ip-api[.]com

  • ipwho[.]is


If the IP check fails, the malware defaults the victim’s location to China or Belarus for unknown reasons.


Deep System Infiltration and Cryptojacking Setup

After gathering system information, the malware decrypts another payload (MTX64.exe) and writes it as Windows.Graphics.ThumbnailHandler.dll inside the %SystemRoot% or %SystemRoot%\Sysnative folder. This executable modifies the Windows Shell Extension Thumbnail Handler to deploy the next stage of the attack.


Final Payload Deployment and Evasion Tactics

  • The decrypted malware extracts an encrypted component and saves it as Unix.Directory.IconHandler.dll inside the folder: %appdata%\Roaming\Microsoft\Credentials\%InstallDate%\

  • This DLL file connects to a remote command-and-control (C2) server to download the final-stage miner implant.

  • The malware continuously watches for process-monitoring utilities such as taskmgr.exe and procmon.exe. If one is detected, the miner process is terminated so that it does not show up in the tool.


XMRig Miner: Exploiting CPU Resources for Cryptojacking

The campaign deploys a modified XMRig cryptocurrency miner, configured with predefined command-line parameters to optimize mining efficiency.


Key Characteristics of the XMRig Miner in StaryDobry:

  • Only activates on CPUs with 8 or more cores to maximize profit.

  • Uses a private mining pool server instead of public mining pools.

  • Continuously monitors for process monitoring tools and shuts down if detected.


Attribution: Is StaryDobry Linked to Russian Cybercriminals?

While no conclusive evidence links StaryDobry to any known cybercrime groups, the presence of Russian language strings in the malware samples suggests a Russian-speaking threat actor may be responsible.


How to Protect Against StaryDobry Malware

To avoid falling victim to trojanized game installers, users should:

  • Download games only from official sources (Steam, Epic Games, etc.).

  • Avoid torrent sites distributing cracked or repacked software.

  • Use reliable security software that detects and blocks malware.

  • Monitor system performance for unexpected spikes in CPU usage.

  • Keep Windows and security software up to date by applying patches promptly.
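Because the miner shuts itself down as soon as taskmgr.exe or procmon.exe appears, "watching for CPU spikes" is more reliable from a script than from Task Manager. The following PowerShell hunt is an added example, not code from the article or from Kaspersky's report: it checks the file names and folders described in the execution-process sections above and then samples CPU use over a short window. The System32 fallback, the 10-second window and the 50% threshold are assumptions.

```powershell
# Added hunting script, not part of the article or Kaspersky's report.
# File names and folders come from the article; everything else is assumed.
$names = @('Windows.Graphics.ThumbnailHandler.dll',  # decrypted MTX64.exe stage
           'Unix.Directory.IconHandler.dll')          # loader that contacts the C2

# Fixed system locations named in the article. Sysnative is only visible to
# 32-bit processes, so System32 is added for 64-bit sessions (assumption).
$sysDirs = @($env:SystemRoot, "$env:SystemRoot\Sysnative", "$env:SystemRoot\System32")
$hits = @(foreach ($dir in $sysDirs) {
    foreach ($n in $names) {
        $p = Join-Path $dir $n
        if (Test-Path -LiteralPath $p -PathType Leaf) { Get-Item -LiteralPath $p -Force }
    }
})
# The per-user stage sits under an %InstallDate% subfolder, so recurse under
# the roaming profile instead of guessing the exact path.
$hits += Get-ChildItem -LiteralPath $env:APPDATA -Recurse -File -Force -ErrorAction SilentlyContinue |
         Where-Object { $names -contains $_.Name }

if ($hits) {
    Write-Warning 'StaryDobry file artifacts present:'
    $hits | Select-Object FullName, Length, CreationTime, LastWriteTime | Format-Table -AutoSize
} else { Write-Output 'No StaryDobry file artifacts found.' }

# The miner only runs on 8+ core CPUs and stops when taskmgr.exe or procmon.exe
# appear, so measure CPU from a script over a short window (assumed: 10 s, 50%).
$window = 10
$cores  = [Environment]::ProcessorCount
$before = @{}
Get-Process | ForEach-Object { $before[$_.Id] = $_.CPU }
Start-Sleep -Seconds $window
$busy = Get-Process | ForEach-Object {
    if ($before.ContainsKey($_.Id) -and $null -ne $_.CPU) {
        # CPU is cumulative processor seconds; convert the delta to % of all cores.
        $pct = ($_.CPU - $before[$_.Id]) / $window / $cores * 100
        if ($pct -ge 50) {
            [pscustomobject]@{ Id = $_.Id; Name = $_.ProcessName; Path = $_.Path; CpuPct = [math]::Round($pct, 1) }
        }
    }
}
if ($busy) {
    Write-Warning "Processes using >=50% of total CPU over $window s (check Path and signer):"
    $busy | Format-Table -AutoSize
}
```

Run it from an elevated session so the system folders and all processes are readable; a legitimate game or render job will also trip the CPU check, so the Path column, not the percentage, is what decides.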


Final Thoughts

The StaryDobry cryptojacking campaign is a highly sophisticated cyberattack that leverages gaming communities to infiltrate Windows machines. By evading security measures and executing stealthy cryptomining operations, the attackers maximize financial gains while minimizing detection.


Cybersecurity awareness and proactive defense strategies remain critical to mitigating such threats. Stay vigilant, and always prioritize safe downloading practices to keep your system secure.