Cybercriminals continue to exploit USB drives as infection vectors, with recent campaigns delivering sophisticated CoinMiner malware that establishes persistent cryptocurrency-mining operations on compromised workstations.
Security researchers have documented an evolving threat that leverages social engineering and evasion techniques to avoid detection while mining Monero cryptocurrency on infected systems.
In February 2025, AhnLab Security Intelligence Center (ASEC) confirmed in their report “Cases of CoinMiner Being Spread via USB” that CoinMiner malware is being spread via USB in South Korea.
In July 2025, Mandiant also released a report on the same attack series and categorized the malware being installed as DIRTYBULK and CUTFAIL.
While the overall attack method has not changed significantly, the malware used in the recent attacks differs from that seen previously, revealing a more sophisticated infection chain designed to evade detection and maintain persistence.
CoinMiner Malware
The infected USB presents users with a deceptive file structure. The USB drive displays a “USB Drive.lnk” shortcut file alongside hidden “sysvolume” and “USB Drive” folders.
When users double-click the visible shortcut, it executes VBS malware with a randomly generated six-digit filename beginning with “u” (such as “u566387.vbs”) located in the hidden sysvolume folder.
The VBS malware triggers a BAT script with an identical naming convention that performs two critical functions.

First, it opens the “USB Drive” folder containing the original USB contents, allowing victims to access their files normally and masking the infection.
Second, it creates a folder with a trailing space in the Windows directory (e.g., “C:\Windows \System32”) and copies the dropper malware “u211553.dat” into it, renaming it as “printui.dll”.
The legitimate Windows “printui.exe” file is then copied to this directory and executed, loading the malicious DLL through DLL side-loading techniques.
The infection chain employs multiple dropper stages to deploy the final payload. The initial printui.dll dropper creates and executes “svcinsty64.exe” in the system directory, which in turn creates “svctrl64.exe” along with a configuration file named “wlogz.dat” in the “%SystemDirectory%\wsvcz” folder.
The final dropper stage creates “u826437.dll” and registers it with the Windows DcomLaunch service to establish persistence and ensure execution at system startup.
The malware executed by the DcomLaunch service has been designated as PrintMiner. Upon execution, PrintMiner adds its installation directory to Windows Defender exclusions and modifies power settings to prevent the system from entering sleep mode, ensuring continuous mining operations.
The malware contacts its command and control server at r2.hashpoolpx[.]net to transmit system information including CPU and GPU specifications before downloading additional encrypted payloads, including the XMRig cryptocurrency miner.

The configuration file at “%SystemDirectory%\wsvcz\wlogz.dat” stores critical operational data including the C&C server IP address, mining pool information, and installed malware paths. PrintMiner creates dedicated threads for USB propagation and XMRig execution management.
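The on-disk artefacts of the chain above (the root shortcut, the sysvolume staging folder with u######.* files, the relocated “USB Drive” folder, the trailing-space “Windows \System32” side-load directory and the wsvcz\wlogz.dat configuration) are concrete things a defender can look for. The following scanner is an added example written for this article, not code from ASEC or Mandiant; it assumes the file names and paths exactly as described above and builds a constructed sample tree for its self-test rather than touching any real malware.

```python
import re
import stat
import tempfile
from pathlib import Path

# Dropper names observed on the drive: "u" + six digits + a script/dropper extension.
DROPPER_RE = re.compile(r"^u\d{6}\.(vbs|bat|dat|dll)$", re.IGNORECASE)

def is_hidden(p: Path) -> bool:
    # FILE_ATTRIBUTE_HIDDEN is only reported on Windows; elsewhere treat dotfiles as hidden.
    try:
        return bool(p.stat().st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
    except AttributeError:
        return p.name.startswith(".")

def scan_usb_root(root) -> list[str]:
    """Flag the lure layout: root shortcut, staging folder with u######.* droppers, decoy folder."""
    root, hits = Path(root), []
    lnk, staging, decoy = root / "USB Drive.lnk", root / "sysvolume", root / "USB Drive"
    if lnk.is_file():
        hits.append(f"lure shortcut: {lnk}")
    if staging.is_dir():
        hits.append(f"staging folder: {staging}" + (" (hidden)" if is_hidden(staging) else ""))
        hits += [f"dropper candidate: {f}" for f in sorted(staging.iterdir()) if DROPPER_RE.match(f.name)]
    if decoy.is_dir() and lnk.is_file():  # originals moved behind a shortcut that "opens" them
        hits.append(f"relocated user files: {decoy}")
    return hits

def scan_host(windows_dir) -> list[str]:
    """Flag host artefacts: the trailing-space "Windows \\System32" side-load dir and the wsvcz config."""
    windows_dir, hits = Path(windows_dir), []
    sideload = windows_dir.parent / (windows_dir.name + " ") / "System32"  # note the trailing space
    if (sideload / "printui.dll").is_file():
        hits.append(f"side-load directory with planted printui.dll: {sideload}")
    cfg = windows_dir / "System32" / "wsvcz" / "wlogz.dat"  # %SystemDirectory%\wsvcz\wlogz.dat
    if cfg.is_file():
        hits.append(f"PrintMiner config: {cfg}")
    return hits

def self_test():
    """Build a CONSTRUCTED sample of both layouts in a temp dir and scan it (no real malware involved)."""
    base = Path(tempfile.mkdtemp())
    for d in ("usb/sysvolume", "usb/USB Drive", "Windows/System32/wsvcz", "Windows /System32", "clean"):
        (base / d).mkdir(parents=True)
    for f in ("usb/USB Drive.lnk", "usb/sysvolume/u566387.vbs", "usb/sysvolume/u566387.bat",
              "usb/sysvolume/u211553.dat", "usb/sysvolume/notes.txt",
              "Windows/System32/wsvcz/wlogz.dat", "Windows /System32/printui.dll"):
        (base / f).write_bytes(b"sample")
    return scan_usb_root(base / "usb"), scan_host(base / "Windows"), scan_usb_root(base / "clean")
```

On a live Windows host, point scan_usb_root at the drive letter and scan_host at C:\Windows; because Win32 path normalisation strips trailing spaces, reaching the “Windows ” folder may require the extended-length \\?\ path prefix.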
Evasion and Stealth Techniques
The threat actors implemented sophisticated evasion mechanisms to avoid detection. The XMRig execution thread continuously monitors running processes and only activates the miner when specific applications are not running.
The malware checks for process inspection tools including Process Explorer, TaskMgr, System Informer, and Process Hacker to conceal mining activity when users attempt to investigate system performance.
Additionally, it monitors numerous game client processes, terminating mining operations during gaming sessions to avoid performance degradation that might alert users to the infection.
The XMRig miner is configured with parameters limiting CPU usage to 50 percent and using TLS connections to the mining pool at r2.hashpoolpx[.]net:443, with the DNS TTL set to 3600 seconds so that repeated lookups do not produce network traffic patterns that might trigger security alerts.
This campaign demonstrates that USB-based malware distribution remains a viable attack vector despite advances in endpoint security.
Unlike historical attacks exploiting the autorun.inf feature, modern USB malware relies on social engineering to deceive users into executing malicious shortcuts.
Organizations should implement USB device controls, educate users about USB security risks, and deploy endpoint detection solutions capable of identifying suspicious DLL side-loading and service modification activities.
Regular monitoring for unauthorized cryptocurrency mining processes and network connections to known mining pools can help detect active infections.