Hackers Use Fake Video Player Updates to Deploy Miner and RAT Malware


Hackers are using a simple but effective trick to get people to install dangerous malware, and most victims have no idea it is happening. Visitors to pirated movie and TV show streaming sites are met with a fake alert claiming their video player plugin is out of date.

One click on that fake update button kicks off an infection that quietly mines cryptocurrency while handing attackers full control of the machine.

The campaign came to light in late April 2026, when a client reached out for help after discovering a cryptocurrency miner running silently on employee computers.

Investigators traced the source back to illegal streaming platforms, where a fake plugin update prompt tricked users into downloading a malicious ZIP archive.

The archive appeared harmless, containing what looked like a standard installer alongside a hidden malicious library. Analysts at Securelist said in a report shared with Cyber Security News (CSN) that this is not a new operation.

Evidence suggests the same threat actor has been running similar campaigns since at least 2022, steadily updating the delivery method while keeping the core deception intact.

The scale of the problem is significant. The pirated websites tied to this campaign drew a combined total of 40 million visits in April 2026 alone.

The largest streaming platform pulled between 2.1 million and 27.4 million monthly visitors, while even the smallest digital library attracted around 11,000 regular users each month.

A legitimate executable and a large malicious DLL (Source – Securelist)

This campaign has also expanded beyond streaming sites into online book and movie libraries, showing the attackers are casting a wide net.

Millions of people visit these platforms every month, giving this malware an enormous reach, with users of pirated content remaining the primary targets.

Hackers Use Fake Video Player Updates

When a user visits one of the compromised sites and tries to play a video, a message appears claiming the plugin is outdated and must be updated to continue.

Clicking that prompt downloads a ZIP archive containing a legitimate-looking file called HLS Installer.874.exe alongside a large malicious DLL.

Once the executable runs, the malicious DLL is side-loaded into a legitimate system process, letting it hide under the cover of trusted software.

The library is padded with junk code to slow down analysis, but inside is a function that deliberately triggers a stack overflow to build a chain of instructions that decrypts and loads the real payload into memory.

Module’s operational stages (Source – Securelist)

The malware then transmits the victim’s system details to the attacker’s server using DNS tunneling, disguising the traffic as normal activity by mimicking Microsoft domain names.

Only after receiving a specific approval signal from the server does the malware proceed, which suggests the attackers filter targets carefully to avoid detonating inside sandboxes and other security test environments.

A Miner, a RAT, and a Persistent Watchdog

The core payload is a modified version of an open-source cryptocurrency miner called SilentCryptoMiner. Once active, it silently uses the victim’s CPU and GPU to mine cryptocurrency without the user noticing.

A separate RAT module also runs in the background, giving attackers remote access to execute commands, run files, and push additional malware at any time.

To stay on the device, the malware registers itself as a fake Google service named GoogleUpdateTaskMachineQC, which launches automatically at every system startup.

A watchdog component running inside Windows Explorer checks every five seconds to confirm the miner is active, restoring it from an encrypted backup if anything is removed.

Security teams must terminate this watchdog inside explorer.exe before any cleanup attempt, or the miner will simply reinstall itself.

Users are advised to avoid pirated streaming and content sites, which remain the main delivery channels for this threat. Teams should watch for unusual DNS traffic, services disguised as Google updaters, and code injecting into explorer.exe or conhost.exe.

Monitoring for unexpected files in C:\ProgramData\Google\Chrome and keeping endpoint protection current are key steps for detecting this infection early.
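Two of the detection points above, a service or task posing as a Google updater and DNS queries that carry encoded data under a legitimate-looking parent domain, can be hunted for programmatically. The following is an added example written for this article, not code from Securelist or CSN; the service and DNS records are constructed to resemble an EDR or Sysmon export, and the allowlisted Google Update install directory is an assumption about a default Chrome installation.

```python
"""Hunting helpers for the persistence and DNS tunneling traits described above."""
import math
import re
from collections import Counter

# Assumption: genuine Google Update binaries live under this directory on a default install.
GENUINE_GOOGLE_UPDATE_DIR = "c:\\program files (x86)\\google\\update\\"
# Staging directory named in the report as a place to watch for unexpected files.
STAGING_DIR = "c:\\programdata\\google\\chrome\\"
GOOGLE_LOOKALIKE = re.compile(r"google\s*update|gupdate", re.IGNORECASE)


def shannon_entropy(label: str) -> float:
    """Bits per character; encoded data scores high, human-chosen host labels score low."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def suspicious_services(services):
    """Return names of services/tasks that look like Google updaters but do not run the real
    updater binary, or that launch anything out of the ProgramData Chrome staging path."""
    hits = []
    for name, image_path in services:
        path = image_path.lower()
        if GOOGLE_LOOKALIKE.search(name) and not path.startswith(GENUINE_GOOGLE_UPDATE_DIR):
            hits.append(name)
        elif path.startswith(STAGING_DIR):
            hits.append(name)
    return hits


def suspicious_dns(queries, min_label=30, min_entropy=3.5):
    """Flag queries whose leftmost label is long and high-entropy, the hallmark of data
    encoded into DNS. A Microsoft-looking parent domain does not exempt a query."""
    hits = []
    for q in queries:
        label = q.split(".")[0]
        if len(label) >= min_label and shannon_entropy(label) >= min_entropy:
            hits.append(q)
    return hits


# Constructed sample records, not real telemetry.
SAMPLE_SERVICES = [
    ("gupdate", r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc"),
    ("GoogleUpdateTaskMachineQC", r"C:\ProgramData\Google\Chrome\updater.exe"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]
SAMPLE_DNS = [
    "settings-win.data.microsoft.com",
    "a9f3e1b7c24d6e8f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f.msftupdate-example.test",
    "www.msftncsi.com",
]

if __name__ == "__main__":
    print("services:", suspicious_services(SAMPLE_SERVICES))
    print("dns:", suspicious_dns(SAMPLE_DNS))
```

On a live host the same checks apply to the output of `Get-Service`, `Get-ScheduledTask`, and DNS client or Sysmon Event ID 22 logs; the thresholds are starting points to tune against your own baseline.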

Indicators of Compromise (IoCs):

Type Indicator Description
URL urush1bar4[.]online Malicious archive download URL
File Hash (SHA1) 6A0FE6065D76715FEEBC1526D456DB737F624407 Malicious DLL library
File Hash (SHA256) AE489324E96A708A09C17E6F02A43B3423367B9DDDC24CC7DFC070DF Malicious DLL library
Domain 5d14vnfb[.]space RAT C2 server (April–July 2025)
Domain r7mvjl67[.]space RAT C2 server (August–November 2025)
Domain zgj1tam9[.]space RAT C2 server (December 2025)
Domain jeaw520i[.]space RAT C2 server (January–March 2026)
Domain qdmagva5[.]space RAT C2 server (April–July 2026)
IP Address 107[.]172[.]212[.]235 Miner configuration retrieval server
Domain m4yuri[.]online UnamWebPanel control panel address
Domain kristina[.]quest UnamWebPanel control panel address
File Name HLS Installer.874.exe Legitimate executable used for DLL side-loading

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
