Experts discover a secret mining campaign affecting 11 countries
August 30, 2022
Nitrokod’s covert mining campaign allegedly infected thousands of computers in 11 countries with malware. This was reported by experts at Check Point Research (CPR).
The attackers embedded covert mining utilities in free apps based on popular services such as Google Translate or YouTube Music.
The campaign is associated with Turkish software developer Nitrokod, which has been operating since 2019. The company offers seemingly free desktop programs for services that have no official desktop version.
Nitrokod products. Data: CPR.
Experts noted that most of these apps are easily built from the official web pages using a Chromium-based framework, with no real development required.
The popularity of the underlying services ensures high positions in search results. CPR experts noticed that the company's software was distributed through well-known free software platforms such as Softpedia or Uptodown.
Search results for a query to download Google Translate Desktop. Data: CPR.
The attackers managed to remain undetected for a long time thanks to a complex, multi-stage infection process. The hidden module that installs the mining utility was activated a few weeks after the program was installed on the computer.
The malware was delivered in six phases, disguised as updates and spaced out over time. At every stage, the installer removed its traces from the logs, making it harder to detect.
After launching the XMRig Monero miner, the malware used scheduled tasks to start it again daily in case the computer's protection stopped it.
According to the experts, the XDR solution from CPR made it possible to detect the large-scale covert mining campaign. The tool was able to identify each malware action, track it over time and correlate it to a single attack.
Recall that in December 2021, attackers distributed secret Monero miners via a torrent file with a pirated version of the movie Spider-Man: No Way Home.
I’m Sandra Torres, a passionate journalist and content creator. My specialty lies in covering the latest gadgets, trends and tech news for Div Bracket. With over 5 years of experience as a professional writer, I have built up an impressive portfolio of published works that showcase my expertise in this field.