HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Malicious Video Plugin Updates Deliver Cryptominers via Pirated Streaming Sites

A cyber‑crime group is using counterfeit video‑player updates on illegal streaming portals to drop a ZIP archive that side‑loads a malicious DLL, installs persistence, and mines cryptocurrency on victim machines. The campaign, active since 2022, highlights the risk of third‑party content platforms as malware distribution vectors.

LiveThreat™ Intelligence · 📅 May 28, 2026· 📰 securelist.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
securelist.com

Malicious Video Plugin Updates Deliver Cryptominers via Pirated Streaming Sites

What Happened – A cyber‑crime gang has been distributing a cryptomining payload through fake “video player plugin” updates on illegal movie and TV‑show streaming portals. The update delivers a ZIP archive containing a legitimate installer and a malicious DLL that side‑loads into a trusted process, installs persistence, and mines cryptocurrency on the victim’s machine.

Why It Matters for TPRM

  • Third‑party content platforms can become unwitting distribution points for malware, exposing your employees and customers to performance degradation and potential ransomware escalation.
  • The campaign has been active since at least 2022 and continuously evolves its delivery infrastructure, indicating a persistent threat that may target any organization that accesses pirated media.
  • Side‑loading techniques bypass traditional signature‑based defenses, requiring deeper endpoint monitoring and supply‑chain vetting of software updates.

Who Is Affected – Media & entertainment sites (including illegal streaming services), end‑user devices across all industries, and any organization that permits employee access to unverified streaming content.

Recommended Actions

  • Block access to known pirated streaming domains (.ru, .top, and similar).
  • Enforce strict application control policies that prevent unsigned DLL loading and side‑loading of executables.
  • Deploy endpoint detection and response (EDR) solutions capable of detecting cryptomining behavior.
  • Conduct vendor risk assessments on any third‑party content delivery networks or ad‑tech partners.

Technical Notes – The infection chain uses a fake update prompt (phishing‑style) that drops a ZIP archive. Inside, HLS Installer.874.exe launches a malicious DLL via side‑loading, establishing persistence and launching a CPU‑intensive miner. The campaign’s infrastructure has shifted from an IPFS‑based domain to urush1bar4.online. No CVEs are directly exploited; the attack relies on user interaction and trusted‑process hijacking. Source: SecureList – Kaspersky

📰 Original Source
https://securelist.com/video-books-pirates-miners-rat/119943/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →