Security researchers have uncovered a sophisticated cryptojacking campaign that hijacks Windows' native Character Map utility (charmap.exe) to evade Windows Defender and covertly mine cryptocurrency on compromised machines.
First detected in late August 2025, the attack abuses a legitimate, signed system binary to load a custom cryptomining payload directly into memory, thwarting traditional antivirus signatures and leaving few forensic artifacts on disk.
Cryptojacking is the unauthorized use of a computer's processing power to mine cryptocurrency without the owner's consent.
Attackers deploy cryptomining malware or scripts that consume CPU or GPU cycles, increasing energy costs and degrading system performance for victims, while generating illicit profits for operators.
Unlike ransomware—where attackers demand direct payment—cryptojacking quietly siphons resources over extended periods, making detection more difficult and remediation slower.
Darktrace detected and contained an attempted cryptojacking incident on the network of a customer in the retail and e-commerce industry.
The newly discovered strain begins with a spear-phishing email carrying a malicious shortcut file disguised as a PDF attachment.
When the victim opens it, the shortcut launches Windows PowerShell to fetch an obfuscated dropper from a remote server. The dropper writes two payload components into the user's AppData folder:
- AutoIt loader: a small executable that decodes the cryptominer and injects it into a running instance of charmap.exe, Windows' built-in Character Map tool.
- Mining binary: a 64-bit custom cryptominer configured to connect to a remote mining pool over TCP port 3838.
Because the miner runs inside charmap.exe, the malware never has to start an unknown executable from disk, and the mining thread inherits the trust of a signed Microsoft binary. That is enough to slip past Windows Defender's behavior-based detection rules, which key on new or unsigned processes rather than on what a trusted process is doing.
The destination IP address and port combination (152.53.121[.]6:10001) has also been linked to cryptomining activity by several OSINT security vendors.

Once injection is complete, the legitimate Character Map process continues its normal UI function, masking the malicious thread running the miner.
Evasion and Persistence
Darktrace's Cyber AI Analyst launched an autonomous investigation into the ongoing activity and linked the individual events of the attack, from the initial connections made by the PowerShell script to the final connections to the cryptomining endpoint.
Rather than treating these seemingly separate events in isolation, Cyber AI Analyst assembled them into a single incident, giving the customer comprehensive visibility over the attack.

To maintain persistence, the campaign creates a scheduled task named "WindowsCharMapUpdater" that relaunches the loader at user logon.
It also drops a DLL into the local application data directory and abuses the legitimate werfault.exe process through DLL side-loading, so the miner is automatically restarted after a reboot or after the injected charmap.exe process is killed.
Victims range from small businesses to enterprise environments, with the highest infection rates reported in the healthcare and education sectors.
Infected machines exhibit high CPU and GPU utilization—often exceeding 80 percent—which leads to slowdowns, overheating, and elevated power consumption.
As cryptocurrency valuations remain high, attackers view cryptojacking as a low-risk, high-reward endeavor. By subverting trusted Windows utilities like Character Map, they can stealthily maintain mining operations for months.
For large organizations, the energy cost increase can amount to thousands of dollars per month, in addition to the operational disruption caused by degraded workstation performance.
Mitigations
Traditional signature-based antivirus tools struggle to detect fileless injection techniques, emphasizing the need for anomaly-based defenses.
Across more than 130 connection attempts, Darktrace’s SOC confirmed that all were aborted, meaning no connections were successfully established.

Security teams are advised to monitor for unusual PowerShell command-line arguments (hidden windows, encoded commands, in-memory download-and-execute), rare parent-child process relationships involving charmap.exe, any network activity at all from charmap.exe (Character Map has no legitimate reason to open a socket), werfault.exe loading DLLs from user-writable directories, and outbound connections to known mining pool addresses and ports.
Implementing application allowlisting for critical system binaries and enforcing strict execution policies for PowerShell scripts can help thwart similar attacks.
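The following script is an added example written for this article, not tooling from the campaign write-up or from Darktrace. It turns the detection guidance above, and the persistence artifacts described under Evasion and Persistence, into rules run over endpoint telemetry. The indicators (charmap.exe as injection target, a PowerShell dropper, TCP port 3838, 152.53.121[.]6:10001, the WindowsCharMapUpdater task, werfault.exe side-loading from the local AppData directory) come from the text; the event dictionaries are an assumed, simplified rendering of Sysmon event IDs 1 (process create), 3 (network connect) and 7 (image load), and the file names loader.exe and updater.dll, the user name and the 203.0.113.x addresses are constructed for the sample.

```python
"""Triage Sysmon-style endpoint events for the charmap.exe cryptojacking chain.

Added example for this article; not code from the campaign or from Darktrace.
The event layout below is an assumption modelled on Sysmon fields; loader.exe,
updater.dll, the user name and the 203.0.113.x addresses are constructed.
"""
import re

MINING_ENDPOINTS = {("152.53.121.6", 10001)}   # from the article (defanged there)
MINING_PORTS = {3838}                           # the custom miner's pool port per the article
PERSISTENCE_TASK = "windowscharmapupdater"      # scheduled task name from the article
EXPECTED_CHARMAP_PARENTS = {"explorer.exe"}     # assumption: users launch Character Map from the shell

# Typical dropper switches: hidden window, encoded command, profile bypass, in-memory fetch/eval.
SUSPICIOUS_PS = re.compile(
    r"-enc(?:odedcommand)?\b|-w(?:indowstyle)?\s+hidden|-nop\b|"
    r"downloadstring|invoke-expression|\biex\b|frombase64string",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return a list of (rule, detail) findings for a sequence of event dicts."""
    findings = []
    for ev in events:
        image = basename(ev.get("image", ""))
        if ev["event"] == "process_create":
            parent = basename(ev.get("parent_image", ""))
            cmd = ev.get("command_line", "")
            if image == "powershell.exe" and SUSPICIOUS_PS.search(cmd):
                findings.append(("ps_suspicious_cmdline", cmd))
            if image == "charmap.exe" and parent not in EXPECTED_CHARMAP_PARENTS:
                findings.append(("charmap_unexpected_parent", f"{parent} -> charmap.exe"))
            if image == "schtasks.exe" and PERSISTENCE_TASK in cmd.lower():
                findings.append(("persistence_task", cmd))
        elif ev["event"] == "network_connect":
            dest = (ev["dest_ip"], int(ev["dest_port"]))
            if dest in MINING_ENDPOINTS or dest[1] in MINING_PORTS:
                findings.append(("mining_endpoint", f"{image} -> {dest[0]}:{dest[1]}"))
            elif image == "charmap.exe":
                # Character Map never needs the network; any socket from it is worth a look.
                findings.append(("charmap_network", f"{dest[0]}:{dest[1]}"))
        elif ev["event"] == "image_load":
            loaded = ev["image_loaded"].replace("/", "\\").lower()
            if image == "werfault.exe" and "\\appdata\\local\\" in loaded:
                findings.append(("werfault_sideload", ev["image_loaded"]))
    return findings


# Constructed sample telemetry following the chain described in the article.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"event": "process_create", "image": r"C:\Users\alice\AppData\Roaming\loader.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "loader.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\charmap.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\loader.exe", "command_line": "charmap.exe"},
    {"event": "process_create", "image": r"C:\Windows\System32\charmap.exe",      # benign user launch
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "charmap.exe"},
    {"event": "network_connect", "image": r"C:\Windows\System32\charmap.exe",
     "dest_ip": "152.53.121.6", "dest_port": 10001},
    {"event": "network_connect", "image": r"C:\Windows\System32\charmap.exe",
     "dest_ip": "203.0.113.10", "dest_port": 3838},
    {"event": "network_connect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "203.0.113.20", "dest_port": 443},                                # benign browsing
    {"event": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\loader.exe",
     "command_line": r'schtasks /create /tn WindowsCharMapUpdater /sc onlogon /tr "C:\Users\alice\AppData\Roaming\loader.exe"'},
    {"event": "image_load", "image": r"C:\Windows\System32\WerFault.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\updater.dll"},
    {"event": "image_load", "image": r"C:\Windows\System32\WerFault.exe",          # legitimate WER DLL
     "image_loaded": r"C:\Windows\System32\faultrep.dll"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Run against the constructed sample, the script flags six events (the encoded PowerShell launch, charmap.exe spawned by the loader, both pool connections, the schtasks registration and the side-loaded DLL) and stays silent on the benign Character Map launch, the browser traffic and werfault.exe loading its own system DLL. The parent-process rule is deliberately an allowlist rather than a blocklist: charmap.exe has so few legitimate launch paths that enumerating them is cheaper and more robust than guessing every loader name an attacker might pick.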
Organizations must continuously update detection capabilities to identify subtle deviations from normal system behavior.
Combined with comprehensive endpoint monitoring and threat-intelligence sharing, these measures can help security teams stay ahead of evolving cryptojacking threats and safeguard critical infrastructure against unauthorized mining activity.