{"id":2358,"date":"2025-08-19T00:57:55","date_gmt":"2025-08-19T00:57:55","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/08\/19\/usb-malware-campaign-spreads-cryptominer-worldwide\/"},"modified":"2025-08-19T00:57:55","modified_gmt":"2025-08-19T00:57:55","slug":"usb-malware-campaign-spreads-cryptominer-worldwide","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/08\/19\/usb-malware-campaign-spreads-cryptominer-worldwide\/","title":{"rendered":"USB Malware Campaign Spreads Cryptominer Worldwide"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A multi-stage malware attack delivered via infected USB devices has been identified, raising concerns over the persistence of cryptomining threats in 2025.<\/p>\n<p>Analysts from CyberProof\u2019s Managed Detection and Response (MDR) team discovered that the campaign used DLL search order hijacking and PowerShell to bypass security controls before attempting to install a cryptominer.<\/p>\n<p>The malware was linked to earlier Zephyr (XMRig) activity and was ultimately blocked during the final stage by endpoint detection and response (EDR) tools.<\/p>\n<p>The attack begins with a Visual Basic script concealed on USB drives. Once executed, the script initiates a chain of processes, including xcopy.exe, to move files into the Windows System32 directory. These files then enable the side-loading of a malicious DLL designed to download the cryptominer.<\/p>\n<p>CyberProof noted that the tactics closely resemble an international cryptocurrency mining scheme exposed by Azerbaijan\u2019s CERT in October 2024, known as \u201cUniversal Mining.\u201d<\/p>\n<p>The security firm\u2019s research traced the spread of the campaign through multiple intelligence sources and telemetry. 
Infections have been observed in the US, several European nations, Egypt, India, Kenya, Indonesia, Thailand, Vietnam, Malaysia and Australia.<\/p>\n<p>The wide geographical footprint highlights how removable media continue to be a persistent vector for malware distribution across both developed and developing regions.<\/p>\n<p>\u201cThe continued prevalence of cryptomining attacks originating from infected USB drives, even in mid-2025, serves as a powerful reminder of a fundamental security challenge,\u201d CyberProof said.<\/p>\n<p>To reduce exposure, the report advises organizations to:<\/p>\n<ul>\n<li>\n<p>Disable autorun and autoplay features on all systems<\/p>\n<\/li>\n<li>\n<p>Implement device control policies to block unsigned executables from USBs<\/p>\n<\/li>\n<li>\n<p>Harden endpoint security with EDR solutions capable of detecting obfuscated scripts<\/p>\n<\/li>\n<li>\n<p>Protect key system processes such as lsass.exe from credential theft attempts<\/p>\n<\/li>\n<li>\n<p>Enforce physical security measures, including restricting or locking USB ports<\/p>\n<\/li>\n<\/ul>\n<p>CyberProof concluded that organizations lacking strict USB policies remain vulnerable not only to cryptominer infections, but also to insider threats that can escalate into more damaging breaches.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A multi-stage malware attack delivered via infected USB devices has been identified, raising concerns over the persistence of cryptomining threats in 2025. Analysts from CyberProof\u2019s Managed Detection and Response (MDR) team discovered that the campaign used DLL search order hijacking and PowerShell to bypass security controls before attempting to install a cryptominer. 
The malware was<\/p>\n","protected":false},"author":2,"featured_media":2359,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2358","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2358-67131e23-954e-46a3-9a10-7ca8373dbfd8.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2358-67131e23-954e-46a3-9a10-7ca8373dbfd8-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2358-67131e23-954e-46a3-9a10-7ca8373dbfd8.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2358-67131e23-954e-46a3-9a10-7ca8373dbfd8.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2358-67131e23-954e-46a3-9a10-7ca8373dbfd8.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2358-67131e23-954e-46a3-9a10-7ca8373dbfd8.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2358-67131e23-954e-46a3-9a10-7ca8373dbfd8.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2358-67131e23-954e-46a3-9a10-7ca8373dbfd8.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2358-67131e23-954e-46a3-9a10-7ca8373dbfd8.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2358-67131e23-954e-46a3-9a10-7ca8373dbfd8.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2358-67131e23-954e-46a3-9a10-7ca8373dbfd8-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a 
href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2358","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2358"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2358\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2359"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2358"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2358"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2358"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}