Picture this: your office PC has been sluggish for weeks. Fans are spinning louder than usual. Your electricity bill crept up last month. You assume it's time for an upgrade — maybe the machine is just getting old. But what if someone halfway around the world had secretly turned your computer into their personal gold mine, running 24/7, and pocketing every cent?
That's exactly what a piece of malware called CoinMiner does. And a fresh sample spotted in early April 2025 shows this scheme is alive, well, and evolving.
Cryptocurrency — like Bitcoin or Monero — is created through a process called "mining." Mining is basically asking a computer to solve extremely hard math problems. Whoever solves them first gets rewarded with digital coins. The catch? Mining eats enormous amounts of computing power and electricity.
So criminals skip buying their own hardware. Instead, they infect your computer with software that mines cryptocurrency in the background, sends the profits to their wallet, and leaves you with a slower machine and a higher power bill.
The specific mining tool hidden inside this malware is called XMRig — a well-known open-source program designed to mine Monero, a privacy-focused cryptocurrency that's very hard to trace. XMRig itself isn't evil (people use it legitimately), but when someone installs it on your machine without your knowledge, it absolutely is.
This is where the story gets more interesting. The CoinMiner sample ThreatChain flagged (SHA-256: c26af9d1c5e0...691f) didn't arrive alone. It was delivered by a botnet called Phorpiex.
Think of Phorpiex as a delivery truck for malware. It's a worm — a type of malware that spreads itself automatically, jumping from computer to computer through things like infected USB drives, spam emails, and network shares. Phorpiex has been around for over a decade, and at its peak it controlled hundreds of thousands of infected machines worldwide.
Here's the chain of events:
It's like someone breaking into your house, not to steal your TV, but to plug in their own appliances and run them off your electricity — indefinitely.
This particular sample is tiny — just 10 KB — which is suspiciously small for a full mining operation. That tells us it's likely a loader or dropper: a small program whose only job is to fetch the real payload (XMRig) from the internet and set it up.
Security researchers found two clever tricks baked into this file:
Anti-debugging checks: The malware looks for signs that a security researcher is watching. Imagine a burglar who peeks through the window before breaking in — if they see a security camera, they walk away. The malware does something similar: it calls specific Windows functions to detect if it's running inside a debugger (a tool analysts use to study software line by line). If it thinks someone's watching, it can change its behavior or shut down entirely.
Vulnerable driver abuse: The analysis flagged a component called WinRing0.sys — a legitimate but outdated system driver with known security weaknesses. The malware loads this driver to gain deeper access to your hardware. Think of it as the malware borrowing a master key that building maintenance left in an unlocked drawer. With that access, XMRig can directly control your CPU at a low level, squeezing out maximum mining performance.
Honestly? Anyone running Windows. This is a 32-bit Windows executable, which means it runs on virtually every Windows PC out there — old and new. But some people are especially vulnerable:
The impact isn't just "my computer is slow." Constant, maxed-out CPU usage can:
Nearly half of all antivirus engines on VirusTotal (35 out of 76) flagged this file as malicious. That's a solid detection rate, which means most up-to-date antivirus tools should catch it. Multiple respected security platforms — ANY.RUN, VMRay, Kaspersky, FileScan — all independently confirmed it as malicious and linked it to XMRig and Phorpiex.
| Detail | Value |
|---|---|
| File hash (SHA-256) | c26af9d1c5e023ded48bc29ef612f58fb21f7a709ca4a6a03fb38b3c7c67691f |
| Known file names | bdjwpykn4.exe |
| File type | Win32 EXE (PE32, 32-bit) |
| Size | 10,240 bytes (10 KB) |
| Malware family | CoinMiner / XMRig |
| Delivery method | Dropped by Phorpiex botnet |
| First observed | April 5, 2025 |
| VirusTotal detection | 35 of 76 engines |
| Threat label | worm.phorpiex/misc |
You don't need a security operations center to protect yourself. Here are five concrete steps:
1. Keep Windows and your antivirus updated. This sounds boring because it is boring, but it's the single most effective thing you can do. Most current antivirus products already detect this sample. Make sure automatic updates are turned on — for both Windows itself and your security software.
2. Watch your CPU usage. Open Task Manager (Ctrl + Shift + Esc on Windows). If your CPU is running at 80–100% while you're not doing anything demanding, investigate. Look for unfamiliar process names. Coin miners are hungry — they're hard to hide from someone who's actually looking.
3. Don't open unexpected email attachments. Phorpiex spreads heavily through spam. If you get an email with an attachment you weren't expecting — even if it looks like it's from someone you know — don't open it. Call or message the person to verify first.
4. Block or monitor unknown drivers loading on your system. If you manage computers for a business, consider enabling Windows Defender Application Control or similar policies that prevent unsigned or known-vulnerable drivers (like WinRing0.sys) from loading. This cuts off one of the malware's key escalation tricks.
5. Scan for Phorpiex, not just the miner. If you find XMRig on a machine, the miner is just the symptom. The disease is the Phorpiex worm that put it there. Run a full system scan with a reputable tool (Malwarebytes, Windows Defender Offline, or your enterprise solution) and check other machines on the same network. Phorpiex spreads laterally — if one computer is infected, its neighbors might be too.
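The IoC table above and steps 2, 4 and 5 describe checks you can run by hand. The PowerShell script below, added here as an example and not part of the original article or of any ThreatChain tooling, runs them in one triage pass: it samples per-process CPU use, looks for a registered WinRing0 driver, lists any XMRig-named process, and hashes executables in common dropper folders against the SHA-256 and file name from the table. The `*xmrig*` process-name match, the 50% per-process CPU threshold and the choice of folders to hash are assumptions of this example, not facts from the article.

```powershell
# Added example, not code from the article or from ThreatChain.
# Triage pass for the signs described above: CPU hogs (step 2), a registered
# WinRing0 driver (step 4), XMRig-named processes and the IoC hash/name (step 5).
# Run in an elevated Windows PowerShell 5.1 / PowerShell 7 session on Windows;
# without elevation some processes and drivers are not visible.

# Indicators copied from the table above.
$IocHash = 'c26af9d1c5e023ded48bc29ef612f58fb21f7a709ca4a6a03fb38b3c7c67691f'
$IocName = 'bdjwpykn4.exe'

function Get-CpuHogs {
    # Get-Process exposes cumulative CPU seconds, so sample twice and turn the
    # delta into a percentage of total machine capacity. The 50% default is an
    # assumption: a miner using every core sits near 100%, a throttled one lower.
    param([int]$ThresholdPercent = 50, [int]$IntervalSeconds = 5)
    $cores = [Environment]::ProcessorCount
    $first = @{}
    Get-Process | Where-Object { $null -ne $_.CPU } | ForEach-Object { $first[$_.Id] = $_.CPU }
    Start-Sleep -Seconds $IntervalSeconds
    Get-Process | Where-Object { $null -ne $_.CPU -and $first.ContainsKey($_.Id) } | ForEach-Object {
        $percent = ($_.CPU - $first[$_.Id]) / $IntervalSeconds / $cores * 100
        if ($percent -ge $ThresholdPercent) {
            [pscustomobject]@{ Check = 'CPU'; Detail = "$($_.ProcessName) (PID $($_.Id)) at $([math]::Round($percent, 1))% of total CPU"; Path = $null }
        }
    }
}

function Get-WinRing0Drivers {
    # Kernel drivers registered as services. XMRig loads WinRing0 for the
    # low-level CPU access the article describes; on a workstation with no
    # hardware-monitoring tool installed, any hit deserves a closer look.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like 'WinRing0*' -or $_.PathName -like '*WinRing0*' } |
        ForEach-Object { [pscustomobject]@{ Check = 'Driver'; Detail = "$($_.Name) is $($_.State)"; Path = $_.PathName } }
}

function Get-MinerProcesses {
    # Assumption of this example: the dropped payload keeps XMRig's default
    # executable name. A renamed miner is only caught by the CPU check above.
    Get-Process | Where-Object { $_.ProcessName -like '*xmrig*' } |
        ForEach-Object { [pscustomobject]@{ Check = 'Process'; Detail = "$($_.ProcessName) (PID $($_.Id)) is running"; Path = $null } }
}

function Find-IocFiles {
    # Folders a user-level dropper typically writes to; an assumption, widen as needed.
    param([string[]]$Paths = @($env:TEMP, $env:APPDATA, "$env:USERPROFILE\Downloads"))
    Get-ChildItem -Path $Paths -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        # String -eq is case-insensitive, so the uppercase hex from Get-FileHash matches the table value.
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -eq $IocHash) {
            [pscustomobject]@{ Check = 'Hash'; Detail = 'SHA-256 matches the sample in the table'; Path = $_.FullName }
        } elseif ($_.Name -eq $IocName) {
            [pscustomobject]@{ Check = 'Name'; Detail = "File name matches the known sample name (size $($_.Length) bytes, SHA-256 $hash)"; Path = $_.FullName }
        }
    }
}

# Collect every finding; an empty result means none of the signs above were seen,
# not that the machine is clean.
$findings = @(Get-CpuHogs; Get-WinRing0Drivers; Get-MinerProcesses; Find-IocFiles)
if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the article found. This is triage only; a full scan (step 5) still applies.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Save it as a `.ps1` file and run it from an elevated prompt. The CPU sampler only sees processes alive during its five-second window, the driver check only sees a driver registered under a WinRing0 name, and the hash check only covers the one sample in the table, so a hit confirms an infection but a clean run does not rule one out; step 5 (a full scan of this machine and its network neighbours) still stands.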
Coin-mining malware doesn't make headlines the way ransomware does. There's no dramatic ransom note, no locked screen. That's exactly what makes it dangerous — it's designed to be invisible, slowly siphoning value from your machine while you blame Windows for being Windows.
The good news: it's very detectable, and very preventable. You just have to know it exists.
Now you do.
This sample is available as a password-protected ZIP (password: infected) for security researchers.