
Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years

A cybercrime campaign is targeting users of pirated media sites with a fake video player update that deploys a modified SilentCryptoMiner and a Remote Access Trojan (RAT). The malware utilizes DLL side-loading, DNS tunneling for initial check-ins, and a DGA for C2 communications, while employing a Watchdog component to ensure persistence via a rogue Google Update service.

Confidence: high | Analyzed: 2026-05-28

Authors: Konstantin Krasilnikov

Actors: SilentCryptoMiner, UnamWebPanel

Source: Kaspersky

IOCs · 13

Detection / Hunter

What Happened

Cybercriminals are infecting people who visit pirated movie, TV show, and book websites by tricking them into downloading a fake video player update. Once downloaded, the malware secretly installs a cryptocurrency miner and a remote access tool, allowing the attackers to steal computer resources and potentially control the device. This matters because the malware is highly evasive, actively disables security tools, and ensures it stays running even if parts of it are deleted. Users should avoid downloading software or updates from illegal streaming sites and ensure their antivirus software is active and up to date.

Key Takeaways

  • Threat actors are distributing a modified SilentCryptoMiner and RAT via fake video player updates on pirated content sites.
  • The infection chain relies on DLL side-loading triggered by a legitimate executable within a downloaded ZIP archive.
  • The malware uses DNS tunneling to exfiltrate system information and verify execution environments before fully deploying.
  • Persistence is achieved via a fake Google Update service (GoogleUpdateTaskMachineQC) or Run registry keys, protected by an in-memory Watchdog component.
  • The RAT and miner components use a Domain Generation Algorithm (DGA) for C2 communication and configuration retrieval.

Affected Systems

  • Windows

Attack Chain

The attack begins when a user downloads a ZIP archive disguised as a video player plugin update from a pirated content site. Extracting and running the legitimate executable inside triggers DLL side-loading of a malicious payload, which uses a stack overflow to decrypt and reflectively load the main module. The module performs environment checks via DNS tunneling, escalates privileges via UAC prompts if necessary, and establishes persistence using a fake Google Update service or Run registry keys. Finally, it injects a RAT agent, a Watchdog component, and CPU/GPU miners into legitimate processes like explorer.exe and conhost.exe.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but lists generic Kaspersky AV verdicts.

Detection Engineering Assessment

EDR Visibility: High — Process injection into explorer.exe and conhost.exe, creation of a fake Google Update service, and repeated UAC prompt loops are highly visible behaviors to modern EDR solutions.

Network Visibility: Medium — DNS tunneling and DGA traffic can be spotted via network telemetry, but the payload contents are AES-encrypted.

Detection Difficulty: Moderate — While the DGA and DNS tunneling add complexity, the host-based behaviors (dropping files to C:\ProgramData\Google\Chrome and creating the GoogleUpdateTaskMachineQC service) are distinct and relatively easy to alert on.

Required Log Sources

  • Sysmon Event ID 1 (Process Creation)
  • Sysmon Event ID 3 (Network Connection)
  • Sysmon Event ID 8 (CreateRemoteThread)
  • Sysmon Event ID 11 (File Create)
  • Sysmon Event ID 12 (Registry Event)
  • Sysmon Event ID 13 (Registry Event)

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Look for powercfg.exe executions disabling hibernation and standby timeouts in rapid succession. | Process Creation (Event ID 1) | Defense Evasion | Low
Hunt for the creation of a service named GoogleUpdateTaskMachineQC pointing to an executable in C:\ProgramData\Google\Chrome. | System/Service Creation Logs | Persistence | Low
Monitor for excessive UAC prompt triggers from processes running out of %USERPROFILE%\AppData\Roaming\Sandboxie. | Process Creation (Event ID 1) | Privilege Escalation | Low
Investigate DNS queries to subdomains of microsoft.com containing long hex strings, indicating potential DNS tunneling. | DNS Query Logs | Command and Control | Medium
Look for explorer.exe or conhost.exe making unexpected outbound network connections to unknown domains. | Network Connections (Event ID 3) | Command and Control | Medium
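A hunting pass that implements the five hypotheses above, and the key behavioral indicators listed further down, over Sysmon-style telemetry. This is an added example, not Kaspersky's code and not detection logic from the page; the sample events are constructed here, field names follow Sysmon (Event IDs 1, 3, 22) and the System-log service-install event (7045), and the 60-second window, the 16-hex-character label threshold, the three-launch burst threshold and the destination allowlist are assumptions chosen for illustration. Repeated launches of a binary from the Sandboxie directory are used as a proxy for repeated UAC prompts, since each elevation attempt re-launches the binary.

```python
"""Hunt for the behaviours in the hypotheses table over Sysmon-style events.

Added example, not Kaspersky's code. Field names follow Sysmon (EventID 1, 3,
22) and the System-log service-install event (7045); thresholds and the
destination allowlist below are assumptions for illustration.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not taken from the report), one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Time": 100, "Host": "ws01", "Image": "C:\\Windows\\System32\\powercfg.exe", "CommandLine": "powercfg /x -hibernate-timeout-ac 0"}
{"EventID": 1, "Time": 101, "Host": "ws01", "Image": "C:\\Windows\\System32\\powercfg.exe", "CommandLine": "powercfg /x -standby-timeout-ac 0"}
{"EventID": 1, "Time": 300, "Host": "ws02", "Image": "C:\\Windows\\System32\\powercfg.exe", "CommandLine": "powercfg /x -hibernate-timeout-ac 0"}
{"EventID": 7045, "Time": 120, "Host": "ws01", "ServiceName": "GoogleUpdateTaskMachineQC", "ImagePath": "C:\\ProgramData\\Google\\Chrome\\updater.exe"}
{"EventID": 7045, "Time": 130, "Host": "ws03", "ServiceName": "GoogleUpdater", "ImagePath": "C:\\Program Files (x86)\\Google\\GoogleUpdater\\updater.exe"}
{"EventID": 1, "Time": 140, "Host": "ws04", "Image": "C:\\Users\\bob\\AppData\\Roaming\\Sandboxie\\player.exe", "CommandLine": "player.exe"}
{"EventID": 1, "Time": 142, "Host": "ws04", "Image": "C:\\Users\\bob\\AppData\\Roaming\\Sandboxie\\player.exe", "CommandLine": "player.exe"}
{"EventID": 1, "Time": 144, "Host": "ws04", "Image": "C:\\Users\\bob\\AppData\\Roaming\\Sandboxie\\player.exe", "CommandLine": "player.exe"}
{"EventID": 22, "Time": 150, "Host": "ws01", "Image": "C:\\Windows\\explorer.exe", "QueryName": "0a1b2c3d4e5f60718293a4b5c6d7e8f9.microsoft.com"}
{"EventID": 22, "Time": 151, "Host": "ws05", "Image": "C:\\Windows\\explorer.exe", "QueryName": "www.microsoft.com"}
{"EventID": 3, "Time": 160, "Host": "ws01", "Image": "C:\\Windows\\System32\\conhost.exe", "DestinationHostname": "r7mvjl67.space", "DestinationPort": 443}
{"EventID": 3, "Time": 161, "Host": "ws05", "Image": "C:\\Windows\\explorer.exe", "DestinationHostname": "www.microsoft.com", "DestinationPort": 443}
"""

POWERCFG_RE = re.compile(r"-(hibernate|standby)-timeout-(ac|dc)\s+0\b", re.I)
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{16,}$", re.I)  # "long hex string": 16+ hex chars assumed
ROGUE_SERVICE = "GoogleUpdateTaskMachineQC"
ROGUE_DIR = "c:\\programdata\\google\\chrome\\"
SANDBOXIE_DIR = "\\appdata\\roaming\\sandboxie\\"
KNOWN_DESTINATIONS = {"www.microsoft.com"}  # assumed allowlist for explorer.exe / conhost.exe
WINDOW_SECONDS = 60  # assumed "rapid succession" window


def parse_events(text):
    """Parse one JSON event per non-empty line and return them oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["Time"])


def _burst(times, count, window=WINDOW_SECONDS):
    """True if at least `count` timestamps fall inside some `window`-second span."""
    times = sorted(times)
    return any(times[i + count - 1] - times[i] <= window
               for i in range(len(times) - count + 1))


def hunt(events):
    """Return a list of {rule, host, detail} findings for the five hypotheses."""
    findings = []
    powercfg_times = defaultdict(list)   # host -> times of sleep/hibernate changes
    sandboxie_times = defaultdict(list)  # host -> launch times from the Sandboxie dir
    for ev in events:
        eid, host = ev.get("EventID"), ev.get("Host")
        image = ev.get("Image", "").lower()
        if eid == 1 and image.endswith("\\powercfg.exe") and POWERCFG_RE.search(ev.get("CommandLine", "")):
            powercfg_times[host].append(ev["Time"])
        elif eid == 1 and SANDBOXIE_DIR in image:
            # Proxy for repeated UAC prompts: the binary is re-launched per elevation attempt.
            sandboxie_times[host].append(ev["Time"])
        elif eid == 7045:
            name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
            if name == ROGUE_SERVICE or path.lower().startswith(ROGUE_DIR):
                findings.append({"rule": "rogue_google_update_service", "host": host,
                                 "detail": f"{name} -> {path}"})
        elif eid == 22:
            qname = ev.get("QueryName", "").lower()
            # Any label left of "microsoft.com" that is a long hex string looks like tunneling.
            if qname.endswith(".microsoft.com") and any(HEX_LABEL_RE.match(lbl) for lbl in qname.split(".")[:-2]):
                findings.append({"rule": "dns_tunneling_hex_label", "host": host, "detail": qname})
        elif eid == 3 and image.endswith(("\\explorer.exe", "\\conhost.exe")):
            dest = ev.get("DestinationHostname", "").lower()
            if dest and dest not in KNOWN_DESTINATIONS:
                findings.append({"rule": "shell_process_unknown_destination", "host": host,
                                 "detail": f"{image} -> {dest}:{ev.get('DestinationPort')}"})
    for host, times in powercfg_times.items():
        if _burst(times, 2):  # two timeout changes inside one window
            findings.append({"rule": "powercfg_sleep_disabled_burst", "host": host,
                             "detail": f"{len(times)} powercfg timeout changes"})
    for host, times in sandboxie_times.items():
        if _burst(times, 3):  # assumed: three launches inside one window is "excessive"
            findings.append({"rule": "sandboxie_dir_repeated_launch", "host": host,
                             "detail": f"{len(times)} launches from Sandboxie directory"})
    return findings


if __name__ == "__main__":
    for hit in hunt(parse_events(SAMPLE_EVENTS)):
        print(f"[{hit['rule']}] {hit['host']}: {hit['detail']}")
```

Run against the constructed sample, the pass flags ws01 (powercfg burst, rogue service, hex-label DNS query, conhost.exe reaching an unlisted domain) and ws04 (repeated launches from the Sandboxie directory), while the legitimate GoogleUpdater install on ws03 and the ordinary microsoft.com traffic on ws05 stay quiet. Tune the allowlist and thresholds to your own baseline before deploying anything like this.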

Control Gaps

  • Lack of DNS filtering for anomalous subdomains
  • Standard users able to click through repeated UAC prompts

Key Behavioral Indicators

  • Service named GoogleUpdateTaskMachineQC
  • Registry value DontOfferThroughWUAU set to 1 in HKLM\Software\Policies\Microsoft\MRT
  • Files dropped in C:\ProgramData\Google\Chrome that are not legitimate Google binaries

False Positive Assessment

  • Low - The specific combination of the GoogleUpdateTaskMachineQC service, DGA domains, and DNS tunneling format is highly indicative of this specific malware campaign.

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Search for and isolate endpoints communicating with the identified DGA domains or the IP 107.172.212.235.
  • Check for the presence of the GoogleUpdateTaskMachineQC service and remove it if found.

Infrastructure Hardening

  • Consider implementing DNS filtering to block newly registered domains and anomalous DNS queries indicative of tunneling.
  • Evaluate restricting execution from user profile directories like AppData\Roaming\Sandboxie.

User Protection

  • If applicable, configure UAC to deny elevation requests for standard users automatically rather than prompting.
  • Ensure endpoint protection platforms are configured to block DLL side-loading attempts where possible.

Security Awareness

  • Educate users on the risks of downloading software updates from untrusted or pirated media websites.
  • Train employees to recognize and report unexpected or repeated UAC prompts.

MITRE ATT&CK Mapping

  • T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • T1071.004 - Application Layer Protocol: DNS
  • T1543.003 - Create or Modify System Process: Windows Service
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1055.012 - Process Injection: Process Hollowing
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1489 - Service Stop
  • T1568.002 - Dynamic Resolution: Domain Generation Algorithms

Additional IOCs

  • Domains:
    • r7mvjl67[.]space - RAT C2 domain (August-November 2025)
    • zgj1tam9[.]space - RAT C2 domain (December 2025)
    • qdmagva5[.]space - RAT C2 domain (April-July 2026)
    • kristina[.]quest - UnamWebPanel control panel address
    • file[.]ipfs[.]us[.]69[.]mu - Historical malicious archive download domain
  • File Hashes:
    • 7F624407AE489324E96A708A09C17E6F (md5) - Malicious DLL library
    • 02A43B3423367B9DDDC24CC7DFC070DF (md5) - Malicious DLL library
  • Registry Keys:
    • HKLM\Software\Policies\Microsoft\MRT - Registry key modified to prevent MSRT from being automatically installed (DontOfferThroughWUAU=1)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - Run key used for persistence when running with standard privileges
  • File Paths:
    • C:\ProgramData\Google\Chrome - Directory used to store copies of the malware for the fake Google Update service
    • %USERPROFILE%\AppData\Roaming\Sandboxie - Directory used to store copies of the malware when running with standard privileges
  • Command Lines:
    • Purpose: Disables system hibernation and sleep modes to maximize the miner's runtime. | Tools: powercfg.exe | Stage: Defense Evasion | powercfg /x -hibernate-timeout-ac 0
  • Other:
    • GoogleUpdateTaskMachineQC - Fake service name registered for persistence