{"id":9646,"date":"2025-09-03T12:23:03","date_gmt":"2025-09-03T12:23:03","guid":{"rendered":"https:\/\/bitunikey.com\/news\/darktrace-flags-new-cryptojacking-campaign-able-to-bypass-windows-defender\/"},"modified":"2025-09-03T12:23:08","modified_gmt":"2025-09-03T12:23:08","slug":"darktrace-flags-new-cryptojacking-campaign-able-to-bypass-windows-defender","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/darktrace-flags-new-cryptojacking-campaign-able-to-bypass-windows-defender\/","title":{"rendered":"Darktrace flags new cryptojacking campaign able to bypass Windows Defender"},"content":{"rendered":"<div class=\"post-detail__content blocks\">\n<p class=\"is-style-lead\">Cybersecurity firm Darktrace has identified a new cryptojacking campaign designed to bypass Windows Defender and deploy crypto mining software.<\/p>\n<div id=\"cn-block-summary-block_ece73feeaf76e373dd27d79e92e91035\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>Darktrace has identified a cryptojacking campaign that targets Windows systems.<\/li>\n<li>The campaign stealthily deploys NBMiner, a GPU-based miner, to mine cryptocurrency.<\/li>\n<\/ul><\/div>\n<\/div>\n<p>The cryptojacking campaign, first identified in late July, involves a multi-stage infection chain that quietly hijacks a computer\u2019s processing power to mine cryptocurrency, Darktrace researchers Keanna Grelicha and Tara Gould explained in a report shared with crypto.news.<\/p>\n<p>According to the researchers, the campaign specifically targets Windows systems by abusing PowerShell, Microsoft\u2019s built-in command-line shell and scripting language, to run malicious scripts and gain privileged access to the host.<\/p>\n<p>These malicious 
scripts run directly in memory (RAM) rather than from a file on disk, so traditional antivirus tools that rely on scanning files on a system\u2019s hard drive have no file to inspect, which is why such file-based scanning does not detect the malicious process.<\/p>\n<p>Next, the attackers use AutoIt, a Windows scripting language that IT staff typically use to automate tasks, to inject a malicious loader into a legitimate Windows process, which then downloads and executes a cryptocurrency mining program without leaving obvious traces on the system.<\/p>\n<p>To evade analysis, the loader performs a series of environment checks, such as looking for signs of a sandbox and enumerating the antivirus products installed on the host.<\/p>\n<p>Execution proceeds only if Windows Defender is the sole active protection. If the infected user account lacks administrative privileges, the loader attempts a User Account Control (UAC) bypass to gain elevated access.<\/p>\n<p>Once these conditions are met, the loader downloads and executes NBMiner, a well-known mining tool that uses the computer\u2019s graphics processing unit (GPU) to mine cryptocurrencies such as Ravencoin (RVN) and Monero (XMR).<\/p>\n<p>In this instance, Darktrace was able to contain the attack using its Autonomous Response system by \u201cpreventing the device from making outbound connections and blocking specific connections to suspicious endpoints.\u201d<\/p>\n<p>\u201cAs cryptocurrency continues to grow in popularity, as seen with the ongoing high valuation of the global cryptocurrency market capitalization (almost USD 4 trillion at time of writing), threat actors will continue to view cryptomining as a profitable venture,\u201d Darktrace researchers wrote.<\/p>\n<h1 class=\"wp-block-heading\">Cryptojacking campaigns via social engineering<\/h1>\n<p>Back in July, Darktrace flagged a separate campaign in which attackers used 
elaborate social engineering, such as impersonating real companies, to trick users into downloading tampered software that deployed crypto-stealing malware.<\/p>\n<p>Unlike the cryptojacking scheme described above, that campaign targeted both Windows and macOS systems, and the malware was run by the unwitting victims themselves, who believed they were interacting with company insiders.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity firm Darktrace has identified a new cryptojacking campaign designed to bypass Windows Defender and deploy crypto mining software. Summary Darktrace has identified a cryptojacking campaign that targets Windows&hellip;<\/p>\n","protected":false},"author":1,"featured_media":9086,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-9646","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/9646","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=9646"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/9646\/revisions"}],"predecessor-version":[{"id":9647,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/9646\/revisions\/9647"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/9086"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=9646"}],"wp:term":
[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=9646"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=9646"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
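The infection chain the article describes (in-memory PowerShell, AutoIt injecting a loader into a legitimate Windows process, then a GPU miner talking to a pool) is easier to catch as a sequence than as any single event, since each stage on its own also occurs in benign activity. The Python script below is an added example, not code from the article, from Darktrace, or from crypto.news: it classifies constructed Sysmon-style events (process creation, CreateRemoteThread, network connection) into stages of that chain and correlates them per host. The flat event schema, the miner image names, the port list and the sample telemetry are assumptions made for illustration; the Sysmon event IDs 1, 8 and 3 are the real ones.

```python
"""Stage-correlating detector for the cryptojacking chain described above.

Added example: the event schema (one flat dict per Sysmon-style event), the
port list and the sample telemetry below are assumptions for illustration,
not Darktrace's detection logic or real captured data.
"""
import re

# Stage 1: PowerShell started with in-memory download/execute indicators.
PS_INMEM = re.compile(
    r"(-enc(odedcommand)?\b|invoke-expression|\biex\b|downloadstring|"
    r"frombase64string|reflection\.assembly)",
    re.IGNORECASE,
)
# Stage 2: AutoIt creating a remote thread in a Windows binary under
# System32/SysWOW64 (Sysmon Event ID 8, CreateRemoteThread).
AUTOIT_IMAGE = re.compile(r"autoit3[^\\]*\.exe$", re.IGNORECASE)
WINDOWS_BINARY = re.compile(
    r"\\windows\\(system32|syswow64)\\[a-z0-9_-]+\.exe$", re.IGNORECASE
)
# Stages 3 and 4: a known miner image, or a stratum-style pool connection.
MINER_IMAGE = re.compile(r"(nbminer|xmrig)\.exe$", re.IGNORECASE)
STRATUM_PORTS = {3333, 4444, 5555, 14433}  # assumed: ports commonly used by pools

CHAIN = ["powershell_in_memory", "autoit_injection", "miner_started", "pool_connection"]


def classify(ev):
    """Map one event to a stage of the chain, or None if it matches nothing."""
    image = ev.get("image", "")
    cmdline = ev.get("cmdline", "")
    if ev["event_id"] == 1:  # Sysmon 1: process creation
        if image.lower().endswith(("powershell.exe", "pwsh.exe")) and PS_INMEM.search(cmdline):
            return "powershell_in_memory"
        if MINER_IMAGE.search(image) or "stratum+tcp://" in cmdline.lower():
            return "miner_started"
    elif ev["event_id"] == 8:  # Sysmon 8: CreateRemoteThread
        if AUTOIT_IMAGE.search(image) and WINDOWS_BINARY.search(ev.get("target_image", "")):
            return "autoit_injection"
    elif ev["event_id"] == 3:  # Sysmon 3: network connection
        if ev.get("dest_port") in STRATUM_PORTS:
            return "pool_connection"
    return None


def correlate(events):
    """Group matched stages by host, listed in chain order."""
    seen = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            seen.setdefault(ev["host"], set()).add(stage)
    return {host: [s for s in CHAIN if s in stages] for host, stages in seen.items()}


def suspicious_hosts(events, min_stages=2):
    """Hosts on which at least min_stages distinct stages of the chain were seen.

    Requiring more than one stage keeps a lone encoded PowerShell command or a
    single connection to port 3333 from raising an alert on its own.
    """
    return sorted(h for h, stages in correlate(events).items() if len(stages) >= min_stages)


# Constructed sample telemetry (not real logs): one infected workstation and one
# clean one where an administrator runs a scheduled PowerShell script.
SAMPLE_EVENTS = [
    {"host": "ws-42", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "ws-42", "event_id": 8,
     "image": r"C:\Users\alice\AppData\Local\Temp\AutoIt3.exe",
     "target_image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws-42", "event_id": 1,
     "image": r"C:\ProgramData\cache\NBMiner.exe",
     "cmdline": "NBMiner.exe -a kawpow -o stratum+tcp://pool.example.invalid:3333 -u wallet.rig01"},
    {"host": "ws-42", "event_id": 3,
     "image": r"C:\ProgramData\cache\NBMiner.exe", "dest_port": 3333},
    {"host": "ws-07", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"host": "ws-07", "event_id": 3,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_port": 443},
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

Two limits worth knowing before adapting this to real telemetry: matching AutoIt by image name misses compiled AutoIt scripts shipped under a different binary name, so in practice any CreateRemoteThread from a user-writable path into a System32 binary deserves the same weight; and the loader's quiet steps (antivirus enumeration, sandbox checks, the UAC bypass, whose specific technique the article does not name) are not modelled here at all, which is one more reason to alert on the combination of stages rather than on any one of them.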