Trojanised game installers have been used in a large-scale cyberattack, known as StaryDobry, to deploy cryptocurrency miners on Windows systems. Detected by Russian cybersecurity firm Kaspersky on 31 December 2024, the campaign lasted for a month and targeted both individuals and businesses worldwide.
The attackers distributed pirated versions of popular games, including BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy. These trojanised game installers were uploaded to torrent sites as early as September 2024 and were packaged with the legitimate Inno Setup installer framework, so they looked like ordinary game installers and gave users little reason to suspect them.
Kaspersky’s telemetry showed the infections concentrated in Russia, Brazil, Germany, Belarus, and Kazakhstan. The attackers focused on powerful gaming machines, whose high-performance hardware is well suited to cryptocurrency mining.
The trojanised game installers deployed a dropper that evaded detection and collected the victim’s IP address.
The infection process was staged and designed to evade detection. Once a user downloaded and launched one of the trojanised game installers, a malicious dropper file, unrar.dll, was extracted and executed. Before proceeding, the malware checked whether it was running in a sandbox or under a debugger. It then attempted to determine the victim’s IP address and location through services such as api.myip[.]com, ip-api[.]com, and ipwho[.]is, trying each in turn. If all of these lookups failed, the malware defaulted the location to China or Belarus, for reasons that remain unknown.
Following this, the malware fingerprinted the infected machine and deployed a modified Windows Shell Extension Thumbnail Handler to load the next stage payload. The process led to the installation of a customised version of the XMRig cryptocurrency miner, designed to run only on systems with eight or more CPU cores. The miner connected to a private mining pool server controlled by the attackers, bypassing public pools to avoid detection.
The malware also monitored for analysis tools such as Task Manager and Process Monitor, terminating its activity if either was detected in order to maintain its cover.
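The behaviour described above (a dropper named unrar.dll followed by a chain of IP-geolocation lookups) suggests a hunting rule that neither signal supports on its own: unrar.dll is a widely bundled legitimate library, and the IP-lookup services have plenty of benign users. The script below is an added example written for this page, not code from Kaspersky or from the malware, and it correlates the two signals per process within a short time window. The event schema (fields such as `type`, `image`, `query`) and the sample telemetry are constructed for illustration; the ten-minute window and the severity thresholds are assumptions.

```python
"""Added example: correlate constructed endpoint telemetry for the StaryDobry-style
chain (unrar.dll loaded by a process, then DNS lookups to IP-geolocation services).
Sample events are constructed here, not real telemetry; the field names are an
assumed, Sysmon-like schema rather than any product's real format."""
from collections import defaultdict
from datetime import datetime, timedelta

# IP-lookup services named in the article as the malware's geolocation sources.
IP_LOOKUP_HOSTS = {"api.myip.com", "ip-api.com", "ipwho.is"}
DROPPER_DLL = "unrar.dll"
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune to your environment


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window=WINDOW):
    """Return one finding per (host, pid) that loads unrar.dll and, within `window`
    afterwards, queries at least one of the IP-lookup services. Either signal on
    its own is ignored, because both are common in benign software."""
    by_proc = defaultdict(list)
    for event in events:
        by_proc[(event["host"], event["pid"])].append(event)

    findings = []
    for (host, pid), evs in by_proc.items():
        evs.sort(key=_ts)
        loads = [e for e in evs
                 if e["type"] == "image_load"
                 and e["image"].lower().endswith("\\" + DROPPER_DLL)]
        if not loads:
            continue
        t0 = _ts(loads[0])
        lookups = sorted({
            e["query"].lower() for e in evs
            if e["type"] == "dns"
            and e["query"].lower() in IP_LOOKUP_HOSTS
            and timedelta(0) <= _ts(e) - t0 <= window
        })
        if lookups:
            findings.append({
                "host": host,
                "pid": pid,
                "process": loads[0]["process"],
                "dll_path": loads[0]["image"],
                "lookups": lookups,
                # Several distinct services in sequence matches the fallback chain
                # the article describes better than a single lookup does.
                "severity": "high" if len(lookups) >= 2 else "medium",
            })
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # ws-01: an archiver legitimately loads unrar.dll and never does an IP lookup.
    {"host": "ws-01", "pid": 4100, "ts": "2024-12-31T10:00:00", "type": "image_load",
     "process": "C:\\Program Files\\Archiver\\archiver.exe",
     "image": "C:\\Program Files\\Archiver\\unrar.dll"},
    # ws-02: a game installer drops unrar.dll into a temp folder, then walks the lookup services.
    {"host": "ws-02", "pid": 5212, "ts": "2024-12-31T11:02:10", "type": "image_load",
     "process": "C:\\Users\\player\\Downloads\\game_setup.exe",
     "image": "C:\\Users\\player\\AppData\\Local\\Temp\\is-ABC12.tmp\\unrar.dll"},
    {"host": "ws-02", "pid": 5212, "ts": "2024-12-31T11:02:11", "type": "dns", "query": "api.myip.com"},
    {"host": "ws-02", "pid": 5212, "ts": "2024-12-31T11:02:13", "type": "dns", "query": "ip-api.com"},
    # ws-03: a browser queries ip-api.com with no dropper DLL in sight.
    {"host": "ws-03", "pid": 777, "ts": "2024-12-31T12:00:00", "type": "dns", "query": "ip-api.com"},
    # ws-04: unrar.dll is loaded, but the lookup happens 90 minutes later, outside the window.
    {"host": "ws-04", "pid": 9001, "ts": "2024-12-31T13:00:00", "type": "image_load",
     "process": "C:\\Tools\\viewer.exe", "image": "C:\\Tools\\unrar.dll"},
    {"host": "ws-04", "pid": 9001, "ts": "2024-12-31T14:30:00", "type": "dns", "query": "ipwho.is"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, only the ws-02 installer process is flagged; the archiver, the lone browser lookup and the out-of-window pair are all ignored. To feed it real data you would map image-load and DNS events from your EDR or Sysmon (Event ID 7 for image loads, Event ID 22 for DNS queries) onto the assumed fields, and you should expect to tune the window and add an allowlist for software that legitimately bundles unrar.dll.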
Though the StaryDobry campaign has now ended, the threat actors remain unidentified. However, the presence of Russian language strings in the malware samples suggests a Russian-speaking group may be responsible. This attack highlights the risks of downloading trojanised game installers from unverified sources, which can lead to serious security breaches.
