# Malware Alert: SilentCryptoMiner Infects Users with Fake VPN

## Details

A new large-scale malware campaign is infecting users with a coin mining malware called **SilentCryptoMiner**, disguised as a VPN tool. Russian cybersecurity company **Kaspersky** reports that this activity is part of a growing trend where cybercriminals exploit **Windows Packet Divert (WPD)** tools to spread malware under the guise of programs that bypass internet restrictions.

Researchers **Leonid Bezvershenko, Dmitry Pikush, and Oleg Kupreev** stated: "Such software is often distributed as compressed files with installation instructions in text form, where the developer recommends disabling security solutions to avoid false alarms. This allows attackers to operate in unprotected systems without fear of detection."

This tactic has been used in schemes to distribute **data stealers**, **remote access tools (RATs)**, **backdoor trojans**, and **cryptocurrency miners**, including malware families such as **NJRat, XWorm, Phemedrone, and DCRat**.

### The Latest Campaign and Sophisticated Tactics

Recently, a campaign has infected over **2,000 Russian users** with a coin mining malware disguised as a tool to bypass Deep Packet Inspection (**DPI**). This program is promoted through a link leading to a malicious compressed file, appearing on a YouTube channel with **60,000 subscribers**.

![SilentCryptoMiner Malware](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAFLIHuu5L89SQvpjy8TYfrZiVguXiliTvKk-IoOmkTtrmBnpL1XWRKPc5o8l_4LBW5yT-zFhnORazgDN-UPY8crc6H90Ois7bvyZCSXP0Ub0DxoQHRPZIaqsDstaPHWRtEzcddy9QghgiIJKNEvX2cHypzSQcgFmknso5TfvHFA9tk4rhAVLAkYyXo11D/s728-rw-e365/SilentCryptoMiner_02.png)

In November 2024, attackers upgraded their tactics by impersonating legitimate tool developers. They sent **fake copyright violation notices** to YouTube and Telegram channel owners, threatening to shut down their channels unless they posted videos with malicious links. By December 2024, users reported that the malware-infected version of this tool had spread through other Telegram and YouTube channels, although these channels were later closed.

### How SilentCryptoMiner Works

The malicious compressed files include an extra **executable** file, with one of the legitimate scripts modified to run the binary through **PowerShell**. If antivirus software on the system detects and deletes the malicious file, users receive an error message urging them to download and run the file again after disabling security.

This executable is a Python-based **loader** that fetches the next stage of the malware, another Python script, which in turn downloads **SilentCryptoMiner** and sets up long-term persistence. Before running, it checks whether it is operating in a **sandbox** environment and adds exclusions to **Windows Defender** so that its files and processes are not scanned.

This miner, based on the open-source **XMRig**, adds random data blocks to increase the file size to **690 MB**, making it harder for antivirus software and sandboxes to automatically analyze it. Kaspersky states: "To hide itself, SilentCryptoMiner uses the **process hollowing** technique to inject mining code into a system process (in this case, **dwm.exe**). The malware can pause mining when processes specified in the configuration are active and is remotely controlled via a web panel."
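The behaviours described above (Defender exclusions added by the loader, mining code hollowed into `dwm.exe`, and a binary padded to roughly 690 MB) can each be checked for on a Windows host. The following PowerShell triage script is an added example, not code from Kaspersky or from the malware; the thresholds (500 MB, the Downloads folder) are assumptions and should be tuned to the environment.

```powershell
# Added host-triage example for the SilentCryptoMiner behaviours in this article.
# Run from an elevated PowerShell session; uses only built-in cmdlets.

function Get-SuspiciousDwm {
    # Windows normally runs one dwm.exe per interactive session, started by
    # winlogon.exe, with no network connections. A dwm.exe with another parent
    # or with open TCP connections is a candidate for process hollowing.
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'dwm.exe'") {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        # @(...) yields an empty array (Count 0) when there are no connections.
        $conns  = @(Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue)
        $cpu    = [double]((Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue).CPU)
        $parentOk = ($parent.Name -ieq 'winlogon.exe')   # $null parent (exited) -> $false
        [pscustomobject]@{
            Pid        = $p.ProcessId
            Parent     = $parent.Name
            ParentOk   = $parentOk
            TcpConns   = $conns.Count
            CpuSeconds = [math]::Round($cpu, 1)   # sustained high CPU suggests mining
            Suspicious = (-not $parentOk) -or ($conns.Count -gt 0)
        }
    }
}

function Get-DefenderExclusionAudit {
    # The loader adds Defender exclusions before dropping the miner. On a host
    # where nobody configured exclusions, any non-empty list is a red flag.
    $pref = Get-MpPreference
    [pscustomobject]@{
        Paths      = $pref.ExclusionPath
        Processes  = $pref.ExclusionProcess
        Extensions = $pref.ExclusionExtension
    }
}

function Get-OversizedExecutables {
    # The padded miner is about 690 MB; genuine DPI/restriction-bypass tools are
    # tiny, so very large executables in user-writable folders stand out.
    param([string]$Root = "$env:USERPROFILE\Downloads", [int]$MinMB = 500)   # assumed defaults
    Get-ChildItem -Path $Root -Recurse -Include *.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt ($MinMB * 1MB) } |
        Select-Object FullName, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB) } }, LastWriteTime
}

Get-SuspiciousDwm | Format-Table -AutoSize
Get-DefenderExclusionAudit | Format-List
Get-OversizedExecutables | Format-Table -AutoSize
```

A `dwm.exe` flagged only because its parent has exited is a false positive; treat `TcpConns -gt 0` and unexpected Defender exclusions as the stronger signals and confirm with EDR telemetry.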

### Future Attack Trends and Risks for Vietnamese Organizations

SilentCryptoMiner is not just a threat in Russia but also has the potential to spread to other countries, including **Vietnam**, where users increasingly rely on VPN tools to bypass internet access restrictions. With the growth of platforms like YouTube, Telegram, and TikTok in Vietnam, cybercriminals can easily exploit popular social media channels to distribute similar malware.

In the future, attacks may target Vietnamese users by **disguising malware as free tools** like VPNs, network accelerators, or firewall bypass software. Especially with the increasing trend of cryptocurrency use in Vietnam, hidden miners like SilentCryptoMiner can secretly exploit users' computer resources without detection. Attackers might also take advantage of some users' lack of cybersecurity knowledge, encouraging them to disable security software, thereby expanding the scale of infection.

To protect themselves, Vietnamese users should **verify the source of software** before downloading, avoid clicking on links from untrustworthy channels, and keep security solutions like antivirus software updated. Authorities should also enhance monitoring and raise public awareness about sophisticated cyber threats like these as digitalization becomes more widespread.


## Recommendations

FPT Threat Intelligence recommends several measures to prevent SilentCryptoMiner and similar threats for organizations in Vietnam:

* Before downloading any tools, especially free VPNs or firewall bypass software, verify the origin of the file from official websites or reputable providers. Avoid downloading software from unclear links on social media, forums, or unreliable YouTube/Telegram channels.
* Organizations should implement enterprise-level security solutions like **Endpoint Detection and Response (EDR)** to detect and block abnormal activities such as process hollowing or resource exploitation.
* Train employees on cybersecurity, especially on recognizing phishing emails, malicious compressed files, and tactics that pressure users into disabling security software.
* Establish a policy prohibiting the installation of unapproved software on company devices.

## References

[SilentCryptoMiner Infects 2,000 Russian Users via Fake VPN and DPI Bypass Tools](https://thehackernews.com/2025/03/silentcryptominer-infects-2000-russian.html)

[Undercover miner: how YouTubers get pressed into distributing SilentCryptoMiner as a restriction bypass tool](https://securelist.com/silentcryptominer-spreads-through-blackmail-on-youtube/115788/)
