Fake DPI Bypass Tools Distributing Crypto Mining Malware SilentCryptoMiner


PT FPT Metrodata Indonesia (FMI) is a joint venture between FPT IS and Metrodata Electronics, focusing on providing Cybersecurity-as-a-Service—including SOC, managed security, professional services, consulting, and threat intelligence—to support Indonesia’s rapidly growing digital economy. FMI is expanding into AI and cloud GPU services to deliver innovative protection and solutions for enterprises. Learn more at https://fmisec.com.

Summary

Kaspersky identified a large-scale malware campaign spreading a miner disguised as a tool for bypassing Deep Packet Inspection (DPI) restrictions. More than 2,000 victims in Russia have been affected. One of the infection vectors was a YouTuber with 60,000 subscribers who shared multiple videos explaining how to bypass restrictions. The description included a link to a malicious archive. These videos amassed over 400,000 views before the description was later edited, replacing the link with the message “program does not work.”

The link directed users to the malicious site gitrok[.]com, which hosted the infected archive. At the time the video was posted, the site's download counter displayed over 40,000 downloads.

Later, discussions in the tool’s original repository revealed a new distribution tactic. Attackers posing as the tool’s developers issued strikes against videos that provided instructions on bypassing restrictions. They then threatened content creators with alleged copyright violations, coercing them to upload videos containing malicious links under the threat of having their YouTube channels shut down.

Additionally, a Telegram channel was found actively distributing the malicious build, along with a video tutorial on a YouTube channel with 340,000 subscribers.

Campaign Details

The infected archives contained a modified general.bat script that executed a malicious loader, tricking victims into disabling antivirus protection. The loader, written in Python and packed with PyInstaller, retrieved the next-stage payload from hardcoded domains (canvas[.]pet or swapme[.]fun), executing it only for Russian IP addresses, indicating a targeted attack.

The next-stage loader, built using open-source Python snippets, follows several execution steps:

  1. Anti-VM/Sandbox Checks – It scans system details (usernames, MAC addresses, HWIDs, GPU parameters, etc.) to detect virtual environments.

  2. Defender Evasion – It adds the AppData directory to Microsoft Defender exclusions.

  3. Payload Retrieval – It sends a GET request to hxxp://193.233.203[.]138/WjEjoHCj/t and, based on the response, either downloads an executable from hxxp://9x9o[.]com/q.txt or uses a hardcoded Base64-encoded payload. The file is saved as di.exe in %LocalAppData%\driverpatch9t1ohxw8.

  4. Payload Modification – The executable is inflated to 690MB by appending random data, making it harder for antivirus solutions and sandboxes to analyze.

  5. Persistence – The loader creates a system service named DrvSvc, disguising it with the description of the legitimate Windows Image Acquisition (WIA) service.

SilentCryptoMiner

The downloaded di.exe is a SilentCryptoMiner sample based on the open-source miner XMRig. This covert miner can mine multiple cryptocurrencies (ETH, ETC, XMR, RTM, and others) using various algorithms. To maintain stealth, SilentCryptoMiner employs process hollowing, injecting the miner code into dwm.exe. It can also pause mining when specified processes are active and is controlled remotely via a web panel.

The malware checks for virtual environments and verifies that the executable size falls between 680 MB and 800 MB, ensuring the previously described loader executed it. The miner's configuration includes parameters such as the mining algorithm, mining pool URL, a list of processes that trigger temporary suspension, and a remote configuration link that updates every 100 minutes.

The campaign utilizes the Pastebin service to store configuration files, with multiple accounts identified as distributing these files.

Recommendations

  • Avoid downloading tools from third-party sites, unverified YouTube links, or unofficial Telegram channels. Stick to official repositories like GitHub and verify the legitimacy of projects before installing.

  • Check the hash or digital signature of downloaded files against official sources to ensure they haven’t been tampered with.

  • Keep antivirus and endpoint protection solutions enabled and updated. Configure Microsoft Defender to detect threats rather than adding exclusions for directories.

  • Unusual CPU or GPU spikes may indicate hidden mining activity. Use Task Manager or monitoring tools to detect suspicious processes like dwm.exe consuming excessive resources.

  • Block known malicious domains such as gitrok[.]com, canvas[.]pet, swapme[.]fun, and associated IP addresses at the firewall or DNS level.

  • Regularly review system services and startup programs for unauthorized entries. The presence of unknown services like DrvSvc should be investigated.
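The artifacts listed in the Campaign Details steps (the DrvSvc service with a borrowed WIA description, the AppData Defender exclusion, the inflated di.exe, the hollowed dwm.exe, and the hardcoded domains and IP) map directly onto the checks above. The following Python script is an added triage example, not code from the original post, from Kaspersky or from FMI: it runs those checks over a host inventory. The inventory format (tuples for services, files and processes, plain strings for Defender exclusions and DNS/firewall log lines), the sample host data, and the 50% CPU threshold for dwm.exe are all constructed assumptions; stisvc is the name of the real WIA service on a default Windows install.

```python
"""Host triage for the SilentCryptoMiner indicators described in the post.

Added example, not the post's own code. Every inventory value below is
constructed for illustration; only the IoCs come from the write-up.
"""
import re
from dataclasses import dataclass

# Indicators quoted from the write-up (defanged domains re-armed for matching).
MALICIOUS_DOMAINS = {"gitrok.com", "canvas.pet", "swapme.fun", "9x9o.com"}
MALICIOUS_IPS = {"193.233.203.138"}
ROGUE_SERVICE = "DrvSvc"
WIA_TEXT = "windows image acquisition"
WIA_REAL_NAME = "stisvc"                          # the genuine WIA service name
INFLATED_RANGE = (680 * 1024**2, 800 * 1024**2)   # size window the miner itself checks
CPU_THRESHOLD = 50.0                              # assumption: dwm.exe rarely sustains this


@dataclass
class Host:
    services: list     # (name, description) pairs, e.g. exported from `sc query`
    exclusions: list   # Defender path exclusions
    files: list        # (path, size_bytes) for files under %LocalAppData%
    processes: list    # (image, cpu_percent) snapshots
    dns_log: list      # raw DNS / firewall log lines


def check_services(services):
    """Flag the loader's service name or a WIA description on a non-WIA service."""
    findings = []
    for name, desc in services:
        if name.lower() == ROGUE_SERVICE.lower():
            findings.append(f"service {name}: name matches loader persistence")
        elif WIA_TEXT in desc.lower() and name.lower() != WIA_REAL_NAME:
            findings.append(f"service {name}: WIA description on non-WIA service")
    return findings


def check_exclusions(exclusions):
    """Any exclusion that covers a user's AppData tree is suspicious (step 2)."""
    return [f"Defender exclusion covers user profile: {p}"
            for p in exclusions if re.search(r"\\appdata(\\|$)", p, re.I)]


def check_inflated_executables(files):
    """Executables padded into the 680-800 MB window the miner expects (step 4)."""
    lo, hi = INFLATED_RANGE
    return [f"oversized executable {path} ({size // 1024**2} MB)"
            for path, size in files
            if path.lower().endswith(".exe") and lo <= size <= hi]


def check_processes(processes):
    """Process hollowing keeps dwm.exe's legitimate path, so CPU load is the signal."""
    return [f"dwm.exe at {cpu:.0f}% CPU (possible hollowed miner)"
            for image, cpu in processes
            if image.lower() == "dwm.exe" and cpu >= CPU_THRESHOLD]


LOG_RE = re.compile(r"(?:query=|dst=)([\w.\-]+)")


def check_network(log_lines):
    """Match DNS queries and connection destinations against campaign infrastructure."""
    findings = []
    for line in log_lines:
        for m in LOG_RE.finditer(line):
            target = m.group(1).lower()
            if target in MALICIOUS_DOMAINS or target in MALICIOUS_IPS:
                findings.append(f"contact with known campaign infrastructure: {target}")
    return findings


def triage(host):
    return (check_services(host.services) + check_exclusions(host.exclusions)
            + check_inflated_executables(host.files) + check_processes(host.processes)
            + check_network(host.dns_log))


# Constructed inventory of an infected host exhibiting every indicator at once.
SAMPLE_HOST = Host(
    services=[("stisvc", "Windows Image Acquisition (WIA)"),
              ("DrvSvc", "Windows Image Acquisition (WIA)")],
    exclusions=["C:\\Users\\alice\\AppData"],
    files=[("C:\\Users\\alice\\AppData\\Local\\driverpatch9t1ohxw8\\di.exe", 690 * 1024**2),
           ("C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", 12 * 1024**2)],
    processes=[("dwm.exe", 87.5), ("explorer.exe", 3.0)],
    dns_log=["2025-03-10T10:01:02 query=canvas.pet type=A",
             "2025-03-10T10:01:05 proto=tcp dst=193.233.203.138 dport=80",
             "2025-03-10T10:02:00 query=windowsupdate.microsoft.com type=A"],
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_HOST):
        print("[!]", finding)
```

On a real host the inventory would be filled from `sc query`, `Get-MpPreference`, a directory walk of %LocalAppData%, a process snapshot and the resolver or firewall logs; the checks themselves do not change. The DrvSvc and AppData-exclusion findings are high-confidence on their own, while the dwm.exe CPU finding is a trigger for closer inspection rather than proof of infection.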

Conclusion

This campaign demonstrates a sophisticated malware distribution strategy, leveraging social engineering, compromised content creators, and multiple infection vectors to spread a covert cryptocurrency miner. By disguising the malware as a legitimate DPI bypass tool, attackers effectively targeted users seeking to circumvent restrictions. Advanced evasion techniques, including anti-VM checks, process hollowing, and file inflation, ensured stealth and persistence. The use of Pastebin for configuration storage and remote control via a web panel further highlights the operation's adaptability. With a clear focus on Russian users, this campaign underscores the growing threat of deceptive miner infections and the need for heightened security awareness.
