Cryptojacking Campaign Exploits Driver to Boost Monero Mining

Feb. 18, 2026, 7:40 p.m.

Description

A sophisticated cryptojacking campaign has been discovered, spreading through pirated software installers. The operation utilizes a customized XMRig miner and a controller component for long-term system access. Unlike browser-based schemes, this campaign deploys system-level malware using deceptive installers masquerading as office software. The modular design enhances resilience, with multiple watchdog processes for persistence. A notable feature is the exploitation of a vulnerable signed driver (CVE-2020-14979) to gain kernel-level access, boosting Monero mining performance by 15% to 50%. The campaign connects to the Kryptex mining pool and uses a Monero wallet for payouts. Organizations are advised to enable Microsoft's vulnerable driver blocklist and implement other protective measures.

Date

  • Created: Feb. 18, 2026, 4:50 p.m.
  • Published: Feb. 18, 2026, 4:50 p.m.
  • Modified: Feb. 18, 2026, 7:40 p.m.

Indicators

  • http://xmr-sg.kryptex.network:8029

Attack Patterns

Additional Information

  • xmr-sg.kryptex.network

Linked vulnerabilities