Malware Alert: Hackers Exploit Bypassing Tools to Distribute Miners via YouTube
Hackers are exploiting tools designed to bypass internet restrictions to distribute malware, including cryptocurrency miners, targeting users through compromised YouTube channels. Learn how to protect yourself.
Windows Packet Divert drivers, used for intercepting and modifying network traffic, have surged in popularity in Russia over the past six months. From August 2024 to January 2025, their detection rate nearly doubled, primarily due to their use in tools designed to circumvent restrictions on accessing well-known international resources.
This increased popularity has not gone unnoticed by cybercriminals. They are actively distributing malware disguised as tools to bypass these restrictions, often leveraging blackmail tactics against bloggers. Therefore, exercise extreme caution when watching videos titled “How to Bypass Block…” Even the most trusted content creators may unknowingly distribute stealers, miners, and other malicious software.
This article explores how cybercriminals are profiting from internet restrictions and the role bloggers play in this scheme.
Hackers Mimic Legitimate Developers
While numerous software solutions exist for bypassing restrictions on accessing international resources, they share a common trait: they are often created by relatively unknown developers. These programs spread organically: an enthusiast writes code, shares it with friends, and publishes a video tutorial. Suddenly, a previously unknown programmer becomes a “people’s savior,” their GitHub repository gains over ten thousand stars, and users express gratitude for the ability to access familiar resources. In a recent Kaspersky Daily blog post we covered a similar case, in which cybercriminals promoted a repository containing malicious code.
These enthusiasts may number in the dozens or even hundreds, but who are they, and can they be trusted? These are critical questions that both current and potential users of such programs should consider. Be particularly wary of recommendations from these developers to disable antivirus software. Disabling your protection to grant a potential hacker access to your device is a risky proposition.
Image: Warning message urging users to disable antivirus software due to “false positives.”
Of course, a hacker could easily masquerade as a “people’s savior” and exploit such advice. An unprotected device becomes vulnerable to families of malware like NJRat, XWorm, Phemedrone, and DCRat, which are commonly distributed alongside these tools.
The Role of Bloggers
We discovered an active campaign distributing a cryptocurrency miner that has affected at least two thousand victims in Russia. One source of infection was a YouTube channel with 60,000 subscribers. The blogger posted several videos with instructions on bypassing restrictions, including a link to a malicious archive in the description. These videos collectively garnered over 400,000 views. The channel owner later removed the link, leaving a note: “Download the file here: (program does not work)”. Initially, the link led to a fraudulent website, gitrok[.]com, hosting the infected archive. According to the website’s counter, the tool for bypassing restrictions had been downloaded at least 40,000 times at the time of the investigation.
Image: The download page for the bypassing tool.
However, it’s important not to place all the blame on bloggers. In this scenario, they were merely pawns in the cybercriminals’ scheme. The attackers filed complaints against videos with instructions on bypassing restrictions, posing as the software developers. They then contacted the video creators, requesting them to create new videos (to remove the previous strike) but with a link to the fraudulent website, claiming it was the “official website, and the tool can now only be downloaded from there.” The bloggers were unaware that the website distributed malware, specifically a cryptocurrency miner. Content creators who had made three or more videos on the topic had no option to refuse, as the attackers threatened to file complaints against their channels, leading to their removal.
In addition, the attackers distributed malware and video instructions for installation through other Telegram and YouTube channels. While most of these have been removed, there is nothing to prevent the distributors of malware from creating new ones.
The Cryptocurrency Miner
The downloaded malicious file was a sample of SilentCryptoMiner, which we described in October 2024. This is a hidden miner built on XMRig, an open-source miner. SilentCryptoMiner supports mining various popular cryptocurrencies, including ETH, ETC, XMR, and RTM. To conceal its activity, the malware pauses mining while certain processes are running; the attackers can specify this list of processes remotely. This makes it difficult to detect without reliable protection.
More details about the contents of the malicious archive and how it establishes persistence in the system can be found in the publication on Securelist.
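The pause-while-watched behaviour described above leaves its own trace: a process that burns CPU when no analysis tool is open and goes quiet the moment one appears. The following is an added example, not code from the original post or from Kaspersky, that applies that heuristic to constructed per-second CPU telemetry; the tool names in MONITOR_TOOLS, the process names, and the thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Assumed names of tools a stealth miner might be configured to hide from.
MONITOR_TOOLS = {"taskmgr.exe", "procexp.exe", "procmon.exe"}

# Constructed telemetry, not real data: (second, process_name, cpu_percent).
SAMPLES = [
    (0, "svchost.exe", 3.0), (0, "updater.exe", 92.0),
    (1, "svchost.exe", 2.5), (1, "updater.exe", 95.0),
    (2, "svchost.exe", 3.1), (2, "updater.exe", 90.0),
    # Task Manager opens at second 3; the suspect process goes quiet.
    (3, "taskmgr.exe", 5.0), (3, "svchost.exe", 3.0), (3, "updater.exe", 0.5),
    (4, "taskmgr.exe", 4.0), (4, "svchost.exe", 2.8), (4, "updater.exe", 0.3),
    (5, "taskmgr.exe", 4.5), (5, "svchost.exe", 3.2), (5, "updater.exe", 0.4),
    # Task Manager closes; the load comes straight back.
    (6, "svchost.exe", 3.0), (6, "updater.exe", 94.0),
    (7, "svchost.exe", 2.9), (7, "updater.exe", 93.0),
]


def find_monitor_aware_processes(samples, monitor_tools=MONITOR_TOOLS,
                                 min_busy_cpu=50.0, drop_ratio=0.1):
    """Return {process: (avg_cpu_without_monitor, avg_cpu_with_monitor)} for
    processes that are heavy CPU consumers when no monitoring tool is running
    and fall to at most drop_ratio of that load while one is running."""
    monitored_seconds = {sec for sec, name, _ in samples
                         if name.lower() in monitor_tools}
    busy = defaultdict(list)   # readings taken with no monitor running
    quiet = defaultdict(list)  # readings taken while a monitor was running
    for sec, name, cpu in samples:
        if name.lower() in monitor_tools:
            continue  # the monitor itself is not a candidate
        (quiet if sec in monitored_seconds else busy)[name].append(cpu)
    flagged = {}
    for name, readings in busy.items():
        if name not in quiet:
            continue  # never observed under a monitor; nothing to compare
        avg_busy = sum(readings) / len(readings)
        avg_quiet = sum(quiet[name]) / len(quiet[name])
        if avg_busy >= min_busy_cpu and avg_quiet <= avg_busy * drop_ratio:
            flagged[name] = (round(avg_busy, 1), round(avg_quiet, 1))
    return flagged


if __name__ == "__main__":
    for proc, (busy_cpu, quiet_cpu) in find_monitor_aware_processes(SAMPLES).items():
        print(f"{proc}: {busy_cpu}% without monitor, {quiet_cpu}% with monitor")
```

On the constructed data only updater.exe is flagged; in practice the same comparison can be run over EDR or Sysmon process-CPU samples, with the monitor list matched to the tools actually used in the environment.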
How to Protect Yourself from Miners
- Install proven security solutions on all personal devices to protect them from miners and other malicious programs.
- Avoid downloading programs from unofficial and unknown sources. Prefer official resources, but remember that malware can sometimes infiltrate even those.
- Remember that even the most well-known and trusted bloggers can unknowingly become victims of cybercriminals and distribute miners, stealers, and other types of malware.