Malicious Video Plugin Updates Deliver Cryptominers via Pirated Streaming Sites
What Happened – A cyber‑crime gang has been distributing a cryptomining payload through fake “video player plugin” updates on illegal movie and TV‑show streaming portals. The update delivers a ZIP archive containing a legitimate installer and a malicious DLL that side‑loads into a trusted process, installs persistence, and mines cryptocurrency on the victim’s machine.
Why It Matters for TPRM –
- Third‑party content platforms can become unwitting distribution points for malware, exposing your employees and customers to performance degradation and potential ransomware escalation.
- The campaign has been active since at least 2022 and continuously evolves its delivery infrastructure, indicating a persistent threat that may target any organization that accesses pirated media.
- Side‑loading techniques bypass traditional signature‑based defenses, requiring deeper endpoint monitoring and supply‑chain vetting of software updates.
Who Is Affected – Media & entertainment sites (including illegal streaming services), end‑user devices across all industries, and any organization that permits employee access to unverified streaming content.
Recommended Actions –
- Block access to known pirated streaming domains (.ru, .top, and similar).
- Enforce strict application control policies that prevent unsigned DLL loading and side‑loading of executables.
- Deploy endpoint detection and response (EDR) solutions capable of detecting cryptomining behavior.
- Conduct vendor risk assessments on any third‑party content delivery networks or ad‑tech partners.
Technical Notes – The infection chain uses a fake update prompt (phishing‑style) that drops a ZIP archive. Inside, HLS Installer.874.exe launches a malicious DLL via side‑loading, establishing persistence and launching a CPU‑intensive miner. The campaign’s infrastructure has shifted from an IPFS‑based domain to urush1bar4.online. No CVEs are directly exploited; the attack relies on user interaction and trusted‑process hijacking. Source: SecureList – Kaspersky