
A cryptocurrency mining campaign analysed by Darktrace shows the first documented use of an obfuscated AutoIt loader built to deliver the NBMiner cryptominer through a legitimate Windows system process, an evasion technique intended to slip past conventional antivirus detection.
Darktrace cryptojacking research has uncovered a campaign that leverages multi-stage PowerShell scripts to inject the NBMiner cryptominer into the legitimate Windows Character Map process (charmap.exe).
Analysts also documented the threat actors exploiting an already-known Windows privilege escalation vulnerability to gain elevated access without triggering traditional security monitoring.
The chain relied heavily on fileless techniques, notably in-memory injection into charmap.exe, but it also left persistence artifacts on disk: registry keys, DLL sideloading, and startup shortcuts.
Running the miner inside a genuine Windows binary lets the mining activity masquerade as normal system behaviour, since process listings show charmap.exe rather than a miner; the operators deliberately blend mining with ordinary system activity.
That blending is what makes the campaign hard to detect with signature-based tooling across enterprise environments.
Darktrace's behavioral analysis platform identified the anomalous network patterns during a July 2025 incident at a retail and e-commerce organization. Detection occurred during the initial malware deployment phase, before mining was fully established and before the compromise could progress further.
Retailers are advised to use a layered approach from a variety of solutions: “Network Detection and Response (NDR) for network traffic analysis, Endpoint Detection and Response (EDR) for real-time endpoint monitoring, and possibly a Security Information and Event Management (SIEM) system for data correlation,” Nathaniel Jones, Vice President, Security & AI Strategy and Field CISO at Darktrace, told TechNadu.
Jones said they monitor network patterns, process behaviour, and aggregate security events across the environment to effectively detect cryptojacking activities concealed within legitimate Windows processes.
Least-privilege principles, regular patching, application allowlisting, and comprehensive endpoint protection can prevent miners from abusing PowerShell and elevated privileges, he added.
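As an added example (not Darktrace's code and not from this article), the following Python correlates endpoint telemetry the way a SIEM rule would, to surface the chain described above: a script host spawning charmap.exe, that charmap.exe process opening outbound connections it never legitimately makes, and Run-key persistence entries that launch PowerShell with a hidden window. The events and registry values are constructed samples; the field names, PIDs, addresses, the pool-port list and the script-host list are assumptions, not Darktrace indicators.

```python
"""Correlate process-create, network-connect and autorun telemetry to flag an
injected charmap.exe miner. Added example; the sample data below is constructed
and loosely modelled on Sysmon-style fields (assumed names, not real telemetry)."""
from collections import defaultdict

# Script hosts that have no business spawning Character Map (assumption; tune per environment).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "autoit3.exe"}

# Ports commonly used by stratum mining pools (illustrative assumption, not exhaustive).
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}

# Constructed sample events: PID 4100 is the malicious chain, 5200 is a user who
# genuinely opened Character Map, 6300 is an unrelated browser connection.
EVENTS = [
    {"type": "process", "pid": 4100, "image": r"C:\Windows\System32\charmap.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_cmdline": "powershell.exe -nop -w hidden -enc QQBBAEEA"},   # fake base64
    {"type": "network", "pid": 4100, "image": r"C:\Windows\System32\charmap.exe",
     "dest": "203.0.113.10", "dest_port": 3333},
    {"type": "process", "pid": 5200, "image": r"C:\Windows\System32\charmap.exe",
     "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe"},
    {"type": "network", "pid": 6300, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "198.51.100.5", "dest_port": 443},
]

# Constructed HKCU\...\Run values as (value_name, command) pairs.
RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r"powershell.exe -nop -w hidden -ep bypass -File C:\Users\alice\AppData\Roaming\upd.ps1"),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating forward slashes and quotes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def first_token(cmd: str) -> str:
    """Executable portion of a command line, honouring a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(maxsplit=1)[0]


def hidden_or_encoded(cmdline: str) -> bool:
    """True if a PowerShell command line hides its window or passes an encoded command."""
    c = cmdline.lower()
    return any(flag in c for flag in ("-enc ", "-encodedcommand", "-w hidden", "-windowstyle hidden"))


def correlate(events):
    """Group events by PID and flag charmap.exe processes that behave like an injected miner.
    Returns findings sorted by score (one point per reason), most suspicious first."""
    by_pid = defaultdict(lambda: {"image": "", "parent": "", "parent_cmdline": "", "connections": []})
    for ev in events:
        p = by_pid[ev["pid"]]
        p["image"] = ev["image"]
        if ev["type"] == "process":
            p["parent"] = ev["parent_image"]
            p["parent_cmdline"] = ev.get("parent_cmdline", "")
        elif ev["type"] == "network":
            p["connections"].append((ev["dest"], ev["dest_port"]))

    findings = []
    for pid, p in by_pid.items():
        if basename(p["image"]) != "charmap.exe":
            continue
        reasons = []
        if basename(p["parent"]) in SCRIPT_HOSTS:
            reasons.append(f"spawned by script host {basename(p['parent'])}")
        if hidden_or_encoded(p["parent_cmdline"]):
            reasons.append("parent used hidden-window or encoded PowerShell")
        if p["connections"]:  # Character Map has no legitimate reason to talk to the network
            reasons.append(f"{len(p['connections'])} outbound connection(s) from a process that normally makes none")
        if any(port in POOL_PORTS for _, port in p["connections"]):
            reasons.append("destination port matches common stratum pool ports")
        if reasons:
            findings.append({"pid": pid, "reasons": reasons, "score": len(reasons)})
    return sorted(findings, key=lambda f: -f["score"])


def suspicious_run_values(values):
    """Flag autorun entries that launch a script host, hide their window, or run from Temp.
    Coarse heuristic: legitimate software also lives under AppData, so only the
    combination of script host plus hidden/encoded flags is a strong signal."""
    hits = []
    for name, cmd in values:
        exe = basename(first_token(cmd))
        reasons = []
        if exe in SCRIPT_HOSTS:
            reasons.append(f"launches script host {exe}")
        if hidden_or_encoded(cmd):
            reasons.append("hides its window or passes an encoded command")
        if "\\temp\\" in cmd.lower():
            reasons.append("runs from a Temp directory")
        if reasons:
            hits.append((name, reasons))
    return hits


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"PID {f['pid']} score {f['score']}: " + "; ".join(f["reasons"]))
    for name, reasons in suspicious_run_values(RUN_VALUES):
        print(f"Run value '{name}': " + "; ".join(reasons))
```

On a real host the inputs would be Sysmon event ID 1 (process create) and ID 3 (network connect) plus the Run values read from HKCU and HKLM; the point of the correlation is that none of the individual signals (PowerShell spawning a child, an outbound connection, an AppData autorun) is conclusive on its own, while charmap.exe with a script-host parent and a pool-port connection is.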
Jones added that cryptojacking incidents are handled quickly, thoroughly, and responsibly following these steps:
Cryptojacking incidents continue to rise because threat actors can scale mining across many compromised network infrastructures at once.
“Organizations should treat modern cryptojacking as an intrusion signal, not a harmless nuisance,” said Jason Soroko, Senior Fellow at Sectigo. “Security teams should enable and actually review high-fidelity telemetry that surfaces these behaviors.”
“It’s important to keep an eye out for strange activity like system slowdowns or spikes in resource use, since that’s often the first visible sign,” said J Stephen Kowski, Field CTO at SlashNext Email Security+. “Automated detection that watches for these patterns around the clock can stop these attacks early.”
“If your endpoint can be cryptojacked, then credentials, secrets, and sessions on that endpoint could also be jacked,” said James Maude, Field CTO at BeyondTrust, adding that this attack chain combines scripts with legitimate native tools and signed third-party binaries from trusted vendors.
“This hybrid living-off-the-land (LOTL) approach uses legitimate applications alongside some anti-sandboxing evasion techniques, allowing threat actors to effectively evade detection.”