Mar 12, 2025

YouTubers Targeted in Crypto-Mining Malware Blackmail Scam

Cybercriminals have launched a deceptive blackmail campaign targeting YouTube content creators, coercing them into unknowingly distributing crypto-mining malware to their audiences.

According to a new report from cybersecurity firm Kaspersky, attackers manipulate YouTubers through false copyright claims, forcing them to embed harmful links in their video descriptions.

The scheme takes advantage of the rising popularity of Windows Packet Divert (WPD) drivers, particularly in Russia, where they are frequently used to bypass internet restrictions.

Many YouTubers produce step-by-step tutorials on installing WPD drivers, creating a perfect opportunity for attackers to infiltrate video descriptions with malware-infected links.

How the Blackmail Unfolds

The attackers trick YouTubers into inserting links that lead to SilentCryptoMiner, a stealthy crypto-mining malware. Based on XMRig, an open-source mining tool, SilentCryptoMiner hijacks the victim’s computer power to mine cryptocurrencies like Ethereum (ETH), Ethereum Classic (ETC), Ravencoin (RVN), and Monero (XMR). It uses an advanced technique called process hollowing, allowing it to run in the background undetected while draining system resources.

Kaspersky’s investigation revealed that a YouTube creator with 60,000 subscribers was successfully blackmailed into sharing a malicious link. The infected video, which gained over 400,000 views, contained a download link to an infected archive instead of the legitimate software it promised. More than 40,000 users downloaded the compromised file, exposing thousands to covert crypto-mining activity.

“According to our telemetry, the malware campaign has affected more than 2,000 victims in Russia, but the overall figure could be much higher,” Kaspersky said.

The Malware: SilentCryptoMiner

Once executed, the first-stage malware loader—a Python-based script—is launched via PowerShell, using a modified batch file named “general.bat”. If an antivirus program detects and blocks the process, the malware displays a fake “file not found” error message that instructs the victim to turn off antivirus protection and re-download the infected file, tricking them into disabling their own security software.

The second-stage payload is engineered to only activate on Russian IP addresses, further reducing the risk of detection by global cybersecurity networks. To evade antivirus analysis, this payload is artificially bloated to 690 MB and includes anti-sandbox and virtual machine detection mechanisms, preventing security researchers from easily analyzing it.

Once installed, the malware aggressively disables Microsoft Defender protections by creating an exclusion rule, ensuring that future security scans overlook its presence. It then establishes a persistent Windows service named “DrvSvc”, allowing it to survive system reboots and remain operational for extended periods.

The final payload—SilentCryptoMiner, a modified version of the popular XMRig crypto-miner—is deployed. This stealthy miner hijacks the victim’s computing resources to mine multiple cryptocurrencies, including Ethereum (ETH), Ethereum Classic (ETC), Monero (XMR), and Raptoreum (RTM). To avoid static detection, the malware dynamically fetches remote configuration files from Pastebin every 100 minutes, allowing the attacker to alter settings or deploy new instructions in real-time.
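As an added example (not code from the Kaspersky report or from this article), the following PowerShell hunt checks a Windows host for the two persistence artifacts described above: Defender exclusions and a service named “DrvSvc”. The service name comes from the article; the 30-day look-back window is an assumption, and Defender event 5007 (configuration changed) and System event 7045 (new service installed) are used only as corroborating signals.

```powershell
# Added defensive example: hunt for the artifacts described in the article.
# "DrvSvc" comes from the article; the look-back window is an assumption.
$findings = @()
$since = (Get-Date).AddDays(-30)   # assumed look-back window

# 1. Current Defender exclusions. The miner adds an exclusion so scans skip it;
#    on a typical workstation this list should be empty or short and explainable.
$pref = Get-MpPreference
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($entry in @($pref.$kind)) {
        if ($entry) { $findings += [pscustomobject]@{ Check = "Defender $kind"; Value = $entry } }
    }
}

# Defender logs event 5007 whenever its configuration (including exclusions) changes.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $since
} -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match 'Exclusions' } |
  ForEach-Object { $findings += [pscustomobject]@{ Check = 'Defender exclusion change (5007)'; Value = $_.TimeCreated } }

# 2. Persistence service named in the article.
$svc = Get-CimInstance Win32_Service -Filter "Name='DrvSvc'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{ Check = 'Service DrvSvc'; Value = "$($svc.State) -> $($svc.PathName)" }
}

# The Service Control Manager logs event 7045 for every newly installed service,
# so a deleted service still leaves a trace here.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match 'DrvSvc' } |
  ForEach-Object { $findings += [pscustomobject]@{ Check = 'Service install (7045)'; Value = $_.TimeCreated } }

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No DrvSvc or Defender-exclusion artifacts found.' }
```

Run it in an elevated PowerShell session; any Defender exclusion you did not create yourself deserves a closer look even if no DrvSvc service is present.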

The use of crypto-mining malware is not a new phenomenon but continues to adapt to current digital trends:

  • Torrent-Based Distribution: Cybercriminals have previously embedded XMRig miners in pirated software distributed via torrent sites, targeting both individual and corporate users.
  • Social Media Platforms: Attackers exploit social media platforms to disseminate malware, taking advantage of the wide reach and trust established by influencers.

Quick Facts:

  • Cybercriminals are coercing YouTube creators into distributing SilentCryptoMiner, a stealthy crypto-mining malware, by filing false copyright claims.
  • The attack primarily targets Russian users by exploiting the popularity of Windows Packet Divert (WPD) drivers, which help bypass internet restrictions.
  • SilentCryptoMiner is based on XMRig and mines Ethereum (ETH), Ethereum Classic (ETC), Ravencoin (RVN), and Monero (XMR) while remaining undetected using process hollowing techniques.
  • A YouTuber with 60,000 subscribers unknowingly shared an infected link, leading to 400,000 video views and over 40,000 malware downloads.


CoinRock Media covers the latest crypto news, delving into the future of money.
