XMRig Malware Disables Windows Updates and Scheduled Tasks to Maintain Persistence
Monero (XMR), a cryptocurrency, saw a spectacular surge in early 2025, rising 45% from $196 to $285 by May, with a notable peak in April.
This surge coincided with a high-profile Bitcoin theft in the US, where the stolen assets were reportedly converted into Monero by a single individual, drawing attention to the privacy-focused coin.
Amid this price rise, XMRig, the open-source Monero mining tool, received substantial performance optimizations in April, making it more attractive to legitimate miners and to threat actors alike.
Rise of a Cryptomining Threat
A new wave of malicious XMRig variants has emerged, with more elaborate attack chains and a broader set of targeted countries, including Russia, Belgium, Greece, and China; the 2023 versions primarily affected Russia, Azerbaijan, and Uzbekistan.
This evolution of the XMRig threat leverages a multi-staged approach, employing Living Off the Land Binaries and Scripts (LOLBAS) techniques to execute payloads, evade detection, and establish persistence using pre-installed Windows tools like PowerShell.
The latest XMRig malware campaign begins with an unknown initial infection vector, but its malicious behavior is triggered when svchost.exe spawns a cmd process to execute a batch file, dubbed 1.cmd.
According to the report, this script first checks for a marker file (check.txt) under %APPDATA%\Temp to avoid re-infecting a host, then modifies the Windows Defender registry settings to add an exclusion for the entire C:\ drive, so nothing on the system drive is scanned.
It downloads a second script, S2.bat, from the suspicious domain notif[.]su, a newly registered site with minimal antivirus detection at the time of discovery, and executes it hidden from the user via PowerShell.
S2.bat then solidifies the foothold by disabling wuauserv (Windows Update), BITS (Background Intelligent Transfer Service, which Windows Update relies on to fetch patches), and TrustedInstaller (Windows Modules Installer), together with the update-related scheduled tasks, so that no patch can be installed that might remove the malware.
A Multi-Staged Attack Chain
It then downloads the XMRig miner (miner.exe) from notif[.]su. The miner installs itself with persistence mechanisms, including a registry value at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DJKONTAH, and drops the legitimately signed WinRing0 driver, the kernel component XMRig uses for MSR access; the same driver is a well-known privilege-escalation primitive.
Notably, the scripts lack obfuscation, featuring plain-text comments that suggest creation by large language models (LLMs) or inexperienced “script kiddies,” yet their simplicity proved effective with low detection rates on platforms like VirusTotal during initial discovery.
Open-source intelligence indicates the domain notif[.]su was taken down weeks after updates to the malware files ceased in mid-April 2025.
This XMRig variant demonstrates how even basic malware with unobfuscated behaviors can bypass defenses through LOLBAS tactics.
Solutions like G DATA’s Extended Detection and Response (XDR) can detect such activities based on behavioral analysis, offering critical protection.
Users and administrators should watch for signs of infection: DNS or HTTP traffic to notif[.]su, a check.txt marker under %APPDATA%\Temp, a Defender exclusion covering the whole C:\ drive, wuauserv, BITS or TrustedInstaller set to Disabled, disabled update scheduled tasks, or an unfamiliar Run-key entry such as DJKONTAH.
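The following host-triage script is an added example written for this page; it is not code from the G DATA report or from the malware. It checks a suspect Windows host for the artifacts the article attributes to the chain: the %APPDATA%\Temp\check.txt marker, a Defender exclusion for a whole drive root, the three services S2.bat disables, disabled update-related scheduled tasks, the DJKONTAH Run-key value, the WinRing0 driver, the three published SHA-256 hashes, and resolver-cache entries for notif[.]su. It assumes an elevated PowerShell 5.1+ session on Windows 10/11 with Defender present; the WinRing0 service-name pattern and the directories searched for the dropped files are assumptions, not facts from the report.

```powershell
# Added example, not from the G DATA report or the malware itself.
# Assumptions (also noted in the lead-in): elevated PowerShell on Windows 10/11 with
# Defender; the WinRing0 name pattern and the search roots for dropped files are guesses.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Re-infection marker that 1.cmd checks for
$marker = Join-Path $env:APPDATA 'Temp\check.txt'
if (Test-Path -LiteralPath $marker) { $findings.Add("Marker file present: $marker") }

# 2. Defender path exclusions: an exclusion for a bare drive root (e.g. C:\) is never legitimate
$prefs = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($path in @($prefs.ExclusionPath)) {
    if ($path -match '^[A-Za-z]:\\?$') { $findings.Add("Defender excludes an entire drive: $path") }
}

# 3. Services S2.bat disables; on a healthy host these are Manual or Automatic, not Disabled
foreach ($name in 'wuauserv', 'BITS', 'TrustedInstaller') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.StartType -eq 'Disabled') {
        $findings.Add("Service $name is Disabled (current status $($svc.Status))")
    }
}

# 4. Update-related scheduled tasks that have been switched off
$taskPaths = '\Microsoft\Windows\WindowsUpdate\', '\Microsoft\Windows\UpdateOrchestrator\'
foreach ($task in Get-ScheduledTask -TaskPath $taskPaths -ErrorAction SilentlyContinue) {
    if ($task.State -eq 'Disabled') {
        $findings.Add("Scheduled task disabled: $($task.TaskPath)$($task.TaskName)")
    }
}

# 5. Run-key persistence value reported for miner.exe (current-user hive only)
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['DJKONTAH']) {
    $findings.Add("Run-key value DJKONTAH -> $($run.DJKONTAH)")
}

# 6. WinRing0 registered as a kernel driver (the name pattern is an assumption)
foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue) {
    if ($drv.Name -like 'WinRing0*' -or $drv.PathName -like '*WinRing0*') {
        $findings.Add("WinRing0 driver registered: $($drv.Name) [$($drv.State)] $($drv.PathName)")
    }
}

# 7. SHA-256 matches against the published IOCs (search roots are an assumption)
$iocHashes = @{
    'a57688c151a42d8a2b78f72d23ae7e6c2d6a458edd50f0a4649cc630614763b0' = '1.cmd'
    '3acf8d410f30186a800d5e8c3b0b061a6faf7c0939b129d230de42e9034ce6c3' = 'S2.bat'
    'f4386aaa87c922d5d7db28d808ad6471b1c4deb95d82a9e6cfe8421196c5610b' = 'miner.exe'
}
$searchRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Select-Object -Unique
$candidates = Get-ChildItem -Path $searchRoots -Recurse -File -Include *.cmd, *.bat, *.exe -ErrorAction SilentlyContinue
foreach ($file in $candidates) {
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
    if ($hash -and $iocHashes.ContainsKey($hash.ToLower())) {
        $findings.Add("IOC hash match: $($file.FullName) = $($iocHashes[$hash.ToLower()])")
    }
}

# 8. Resolver-cache entries for the staging domain
foreach ($entry in Get-DnsClientCache -ErrorAction SilentlyContinue) {
    if ($entry.Entry -like '*notif.su*') { $findings.Add("DNS cache: $($entry.Entry) -> $($entry.Data)") }
}

if ($findings.Count -eq 0) {
    'No artifacts from the described XMRig chain found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Treat every hit as a lead rather than proof: a single disabled UpdateOrchestrator task or a Manual service is normal on some builds, but a whole-drive Defender exclusion together with wuauserv, BITS and TrustedInstaller all set to Disabled is the combination this chain leaves behind. The script only inspects the current user's Run key; on a multi-user host, repeat step 5 against each loaded hive under HKU:.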
Indicators of Compromise (IOCs)
| File/Domain | SHA256 Hash | Detection Name |
|---|---|---|
| 1.cmd | a57688c151a42d8a2b78f72d23ae7e6c2d6a458edd50f0a4649cc630614763b0 | Script.Trojan-Downloader.Agent.BSD |
| S2.bat | 3acf8d410f30186a800d5e8c3b0b061a6faf7c0939b129d230de42e9034ce6c3 | Script.Trojan.Coinminer.EF |
| miner.exe | f4386aaa87c922d5d7db28d808ad6471b1c4deb95d82a9e6cfe8421196c5610b | Win64.Trojan-Dropper.Coinminer.857JR9 |
| notif[.]su | N/A | N/A |