A large-scale malware campaign dubbed “StaryDobry” has been targeting gamers worldwide with trojanized versions of cracked video games such as Garry’s Mod, BeamNG.drive, and Dyson Sphere Program.
These titles are highly rated games with hundreds of thousands of ‘overwhelmingly positive’ reviews on Steam, making them attractive targets for malicious activity.
It is worth noting that a laced BeamNG mod was reportedly used as the initial access vector for a hack at Disney in June 2024.
According to Kaspersky, the StaryDobry campaign started in late December 2024 and ended on January 27, 2025. It mostly impacted users in Germany, Russia, Brazil, Belarus, and Kazakhstan.
The threat actors uploaded the infected game installers to torrent sites in September 2024, months in advance, and triggered the payloads inside the games during the holidays, making detection less likely.
Source: Kaspersky
StaryDobry infection chain
The StaryDobry campaign used a multi-stage infection chain culminating in an XMRig cryptominer infection.
Users downloaded the trojanized game installers from torrent sites; the installers appeared normal and contained the actual game they were promised, plus malicious code.
Source: Kaspersky
During the game’s installation, the malware dropper (unrar.dll) is unpacked and launched in the background, and it checks whether it is running on a virtual machine, in a sandbox, or under a debugger before proceeding.
The malware demonstrates highly evasive behavior, terminating immediately if it detects any security tools, likely to avoid harming the torrent’s reputation.
Source: Kaspersky
Next, the malware registers itself using ‘regsvr32.exe’ for persistence and collects detailed system information, including OS version, country, CPU, RAM, and GPU details, and sends it to the command and control (C2) server at pinokino[.]fun.
Eventually, the dropper decrypts and installs the malware loader (MTX64.exe) in a system directory.
The loader poses as a Windows system file, uses resource spoofing to appear legitimate, and creates a scheduled task to persist across reboots. If the host machine has at least eight CPU cores, it downloads and runs an XMRig miner.
The XMRig miner used in StaryDobry is a modified version of the Monero miner that builds its configuration internally before execution and does not use command-line arguments.
The miner keeps a separate thread running at all times, watching for security tools on the infected machine, and if any process monitoring tools are detected, it shuts itself down.
The XMRig used in these attacks connects to private mining servers instead of public pools, making the proceeds harder to trace.
Kaspersky has not been able to attribute the attacks to any known threat groups but notes that it likely originates from a Russian-speaking actor.
“StaryDobry tends to be a one-shot campaign. To deliver the miner implant, the actors implemented a sophisticated execution chain that exploited users seeking free games,” concluded Kaspersky.
“This approach helped the threat actors make the most out of the miner implant by targeting powerful gaming machines capable of sustaining mining activity.”