{
	"id": "623a3685-d830-4cc4-8300-d11bc25dd603",
	"created_at": "2026-04-06T00:09:53.117706Z",
	"updated_at": "2026-04-10T03:22:02.764019Z",
	"deleted_at": null,
	"sha1_hash": "04bd70f32eca494d912aa6384d96beb1cf56543d",
	"title": "XMRig CoinMiner Installed via Game Emulator - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4513798,
	"plain_text": "XMRig CoinMiner Installed via Game Emulator - ASEC\r\nBy ATCP\r\nPublished: 2024-05-19 · Archived: 2026-04-05 19:51:17 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) recently found that XMRig CoinMiner is being distributed through\r\na game emulator. Similar cases were introduced in previous ASEC Blog posts multiple times as shown below.\r\nOrcus RAT Being Distributed Disguised as a Hangul Word Processor Crack\r\nMonero CoinMiner Being Distributed via Webhards\r\nXMRig CoinMiner Installed via Game Hacks\r\n1. Distribution Channel\r\nThe CoinMiner was found to be distributed on a website that provides a game emulator for a well-known gaming\r\nconsole. When a user clicks the download button on the right side of the webpage, a compressed file containing\r\nthe game emulator is downloaded.\r\nhttps://asec.ahnlab.com/en/66114/\r\nPage 1 of 8\n\nSearching the game emulator on search engines shows that many blog posts introduce this emulator without\r\nrealizing that it contains malware.\r\n2. CoinMiner Installed via Game Emulator\r\nThe game emulator is downloaded as a compressed file as shown in Figure 5. Inside it is Readme.txt, which\r\ncontains the password to emulator_installer.zip and a troubleshooting guide.\r\nDecompressing emulator_installer.zip reveals an installation guide and the program to install the emulator. When\r\nthe installation file is run, a progress bar for the installation of the game emulator appears, as shown in Figure 8.\r\nHowever, the emulator is not actually being installed. In reality, a CoinMiner that exists in the resources of the\r\ninstallation file gets created.\r\nAfter the CoinMiner is created, it is executed through PowerShell commands. Afterward, it self-duplicates and\r\nadds itself to the registry and the Task Scheduler, ultimately executing the self-duplicated file to perform as a\r\nCoinMiner.\r\nSelf-duplicated File Name\r\n– “pckcache.exe”\r\nPath to Registry\r\n– Path:  HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n– Value Name: Package Cache Cleaner\r\n– Value Data: C:\\Users\\[user name]\\AppData\\Roaming\\PackageCache\\pckcache.exe\r\nRegistering to Task Scheduler:\r\n– Name: Package Cache Cleaner\r\n– Trigger: When the user logs on\r\n– Task: %AppData%\\PackageCache\\pckcache.exe\r\nAs malware strains are being distributed actively via games or game emulators, users need to take caution. As\r\nsuch, caution is advised when running executables downloaded from unreliable file-sharing websites. It is\r\nrecommended that users download programs from the official websites of developers. This type of malware is\r\ndiagnosed by AhnLab as follows.\r\n[File Detection]\r\nTrojan/Win.Agent.C5623899 (2024.05.21.02)\r\nTrojan/Win.Generic.R603077 (2023.09.03.03)\r\nMD5\r\nccbd43912387346590f48944278c9d5a\r\nd029e44eb41900e78818f9666528a3c9\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click\r\nthe banner below.\r\nSource: https://asec.ahnlab.com/en/66114/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/66114/"
	],
	"report_names": [
		"66114"
	],
	"threat_actors": [],
	"ts_created_at": 1775434193,
	"ts_updated_at": 1775791322,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04bd70f32eca494d912aa6384d96beb1cf56543d.pdf",
		"text": "https://archive.orkl.eu/04bd70f32eca494d912aa6384d96beb1cf56543d.txt",
		"img": "https://archive.orkl.eu/04bd70f32eca494d912aa6384d96beb1cf56543d.jpg"
	}
}