{
	"id": "189e6fab-17c5-43cd-9cd8-050d7feb1d98",
	"created_at": "2026-04-06T00:17:21.772426Z",
	"updated_at": "2026-04-10T13:11:52.780614Z",
	"deleted_at": null,
	"sha1_hash": "3a078ae612089cfa66763685c1565c7ba0c08ed5",
	"title": "XMRig CoinMiner Installed via Game Hacks - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2128552,
	"plain_text": "XMRig CoinMiner Installed via Game Hacks - ASEC\r\nBy ATCP\r\nPublished: 2024-01-18 · Archived: 2026-04-05 14:27:55 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) recently found that XMRig CoinMiner is being distributed through game hacks. The process is similar to previously covered cases where file-sharing platforms were used to distribute XMRig CoinMiner [1] [2].\r\n1. Distribution Channel\r\nThe CoinMiner’s distribution channel was found to be a website that distributes game hacks for famous games. On this website, multiple compressed files disguised as hacks for famous games are uploaded. In order to prevent the download from being blocked by browsers and anti-malware software, it prompts users to install the malware by detailing how to disable the browser from blocking downloads and how to shut down anti-malware software.\r\nhttps://asec.ahnlab.com/en/60845/\r\nPage 1 of 7\r\nWhen searching for the programs in an actual gaming community, there are multiple comments from users who are aware that these programs contain malware.\r\n2. Bypassing Detection\r\nThe uploaded compressed file has a downloader that installs the CoinMiner and malware that shuts down anti-malware software. The threat actor guides the users to shut down the anti-malware software with the manual that is included in the compressed file, making it much harder for users to be aware of the damage caused by malicious activities.\r\nThe program used to shut down the anti-malware software is the Windows Defender management program dControl.exe, which disables Windows Defender.\r\n3. CoinMiner Installed via Downloader\r\nWhen the preparation to execute the CoinMiner is complete, the CoinMiner is downloaded through loader.exe. The initial downloader is a program made with AutoHotkey, and it installs and executes the CoinMiner in the ‘%temp%\\’ folder path.\r\nThe executed CoinMiner uses PowerShell to disable Windows Defender from scanning .exe extensions in the ‘ProgramData’ path and removes the Windows Malicious Software Removal Tool (MSRT) update, Windows Update, and other similar services. It also attempts to bypass detection by editing the hosts file.\r\nAt the same time, it replicates itself in the %ProgramData%\\Google\\Chrome path with the file name updater.exe and maintains persistence by registering with the service name GoogleUpdateFile.\r\nAdd-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force\r\ncmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart\r\nsc.exe stop UsoSvc\r\nsc.exe stop WaaSMedicSvc\r\nsc.exe stop wuauserv\r\nsc.exe stop bits\r\nsc.exe stop dosvc\r\nsc.exe create \"GoogleUpdateFile\" binpath=\"C:\\ProgramData\\Google\\Chrome\\Updater.exe\" start=\"auto\"\r\nid : zajpavgygytczlbw\r\nwallet : 4824qBU4jPi1LKMjUrkC6qLyWJmnrFRqXU42yZ3tUT67iYgrFTsXbMmiupfC2EXTqDCjHrjtUR8oHVEsdSF2DErrCipV5\r\nMining pool : xmr.2miners[.]com:12222\r\ncinit-stealth-targets : Taskmgr.exe,ProcessHacker.exe,perfmon.exe,procexp.exe,procexp64.exe\r\n4. Conclusion\r\nAs malware is being distributed actively via games or game hacks, users need to take caution. As for game hacks, there is a potential risk of getting infected by other malware apart from the CoinMiner introduced in this blog post, as the user needs to periodically execute a downloader like loader.exe. As such, caution is advised when running executables downloaded from unreliable file-sharing websites. It is recommended to download programs such as utilities and games from the official websites. This type of malware is diagnosed by AhnLab as follows.\r\n[File Detection]\r\nDownloader/Win.Agent.C5574989 (2024.01.16.03)\r\nCoinMiner/Win.Agent.C5574932 (2024.01.16.02)\r\nHackTool/Win.DefenderControl.R443408 (2021.10.07.03)\r\n[Behavior Detection]\r\nExecution/MDP.Cmd.M4789\r\nMD5\r\n58008524a6473bdf86c1040a9a9e39c3\r\n7698fe6bd502a5824ca65b6b40cf6d65\r\ndb98d8d6c08965e586103b307f4392fb\r\nAdditional IOCs are available on AhnLab TIP.\r\nSHA2\r\n66ae5a48329d7c237b8bd6d0506d4feb9c1e14281e918d8f2057bd0694a06ad2\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttps[:]//cdn[.]discordapp[.]com/attachments/1195976176963948674/1195992986664829008/dupdate[.]exe?ex=65b60244\u0026is=65a38d44\u0026hm=66ae5a48329d7c237b8bd6d0506d4feb9c1e14281e918d8f2057bd0694a06ad2\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.\r\nSource: https://asec.ahnlab.com/en/60845/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/60845/"
	],
	"report_names": [
		"60845"
	],
	"threat_actors": [],
	"ts_created_at": 1775434641,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a078ae612089cfa66763685c1565c7ba0c08ed5.pdf",
		"text": "https://archive.orkl.eu/3a078ae612089cfa66763685c1565c7ba0c08ed5.txt",
		"img": "https://archive.orkl.eu/3a078ae612089cfa66763685c1565c7ba0c08ed5.jpg"
	}
}