A sophisticated cryptocurrency mining campaign has surfaced that can compromise even air-gapped environments by spreading through external storage devices. The malware is a multi-stage infection that prioritizes mining Monero while putting in place tenacious defenses against removal.

Unlike standard cryptojacking operations, this campaign combines worm-like propagation with kernel-level exploitation. The infection starts with pirated software bundles that pose as genuine installers for office productivity suites.

[Figure: Total file inventory (Source: Trellix)]

When the malware runs, it drops a number of components that cooperate to keep the infection alive and maximize mining output. Watchdog processes give the operation a self-healing architecture: when one component is terminated, the others restart it within seconds.

[Figure: Circular dependency flowgraph (Source: Trellix)]

The threat's propagation method is especially worrisome. Trellix analysts, who discovered the campaign in late 2025, found that it actively watches for external drives that have recently been connected.

When a user inserts a USB flash drive or external hard disk, the malware copies itself to the device and creates hidden folders alongside misleading shortcuts. Because the infection travels on physical media, this mechanism can reach air-gapped systems and enables lateral movement across networks.

The malware's architecture shows a deliberate split between command logic and execution. A lightweight controller handles monitoring and decision-making, keeping its footprint small so as not to trip security software. Resource-intensive mining and aggressive defensive actions, such as terminating security tools or the genuine Windows Explorer process, are delegated to separate payload components.

Kernel-Level Exploitation and Performance Enhancement

The most technically complex part is a Bring Your Own Vulnerable Driver (BYOVD) technique. The malware drops WinRing0x64.sys, a legitimately signed but vulnerable driver affected by CVE-2020-14979. Because the driver exposes privileged hardware access to user-mode callers, the flaw lets the malware bypass the operating system's hardware abstraction layer and operate with Ring 0 (kernel) privileges.

[Figure: Flowchart of handshakes (Source: Trellix)]

Using this kernel access, the malware writes to CPU model-specific registers (MSRs) to disable hardware prefetchers that degrade the RandomX mining algorithm, raising the Monero hashrate by 15 to 50 percent. Because the legacy driver carries a valid digital signature, the attackers gain this optimization without having to author or sign a malicious driver of their own.

The campaign also includes temporal controls: hardcoded logic compares the system date against December 23, 2025.

Before that deadline the malware continues its infection routines; afterwards it enters a cleanup mode that terminates its components and deletes dropped files, indicating a planned operational lifecycle.

Organizations should use Windows Defender Application Control (WDAC) to enforce Microsoft's Vulnerable Driver Blocklist so that known-vulnerable drivers cannot load, and should restrict removable media through device control policies to stop the worm from spreading.
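As an added example (not code from the Trellix report), the following PowerShell gathers point-in-time evidence for the mitigations above on a Windows host: whether the Vulnerable Driver Blocklist and a WDAC policy are enforced, whether removable storage is denied by policy, and whether a WinRing0 driver is registered as a service or present on disk. The registry locations and the Win32_DeviceGuard class are the documented Windows settings for these controls but should be confirmed against the target build; the file search paths are an assumption, since the report does not state where the driver is dropped.

```powershell
# Added example, not code from the Trellix report. Point-in-time checks for the
# mitigations discussed above. Registry paths and value names are the documented
# Windows locations for these settings (assumption: verify against your OS build).

function Test-VulnerableDriverBlocklist {
    # Windows exposes the Microsoft Vulnerable Driver Blocklist toggle here;
    # a DWORD value of 1 means the blocklist is enforced.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $item = Get-ItemProperty -Path $key -Name 'VulnerableDriverBlocklistEnable' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check    = 'VulnerableDriverBlocklist'
        Enforced = ($null -ne $item -and $item.VulnerableDriverBlocklistEnable -eq 1)
    }
}

function Test-WdacEnforcement {
    # Win32_DeviceGuard reports WDAC status: 0 = off, 1 = audit mode, 2 = enforced.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        Check    = 'WDAC policy'
        Enforced = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)
    }
}

function Test-RemovableStorageDenied {
    # Group Policy "All Removable Storage classes: Deny all access" writes Deny_All = 1 here.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $item = Get-ItemProperty -Path $key -Name 'Deny_All' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check    = 'RemovableStorageDenyAll'
        Enforced = ($null -ne $item -and $item.Deny_All -eq 1)
    }
}

function Get-WinRing0Indicator {
    # Hunt for the driver named in the report: registered kernel services, plus copies
    # on disk in the system driver folder and common drop locations (search paths are
    # an assumption; the report does not give the drop path).
    $services = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like '*WinRing0*' -or $_.PathName -like '*WinRing0*' } |
        Select-Object Name, State, StartMode, PathName

    $paths = @("$env:SystemRoot\System32\drivers", $env:TEMP, $env:ProgramData)
    $files = Get-ChildItem -Path $paths -Filter 'WinRing0*.sys' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Record hash and signer so the file can be matched against threat intel later.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path   = $_.FullName
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signer = $sig.SignerCertificate.Subject
                Status = $sig.Status
            }
        }
    [pscustomobject]@{ Services = $services; Files = $files }
}

# Run the policy checks and print a short report.
$results = @(Test-VulnerableDriverBlocklist; Test-WdacEnforcement; Test-RemovableStorageDenied)
$results | Format-Table -AutoSize

$ioc = Get-WinRing0Indicator
if ($ioc.Services -or $ioc.Files) {
    Write-Warning 'WinRing0 driver present; review before assuming benign (legitimate hardware monitors also ship it).'
    $ioc.Services | Format-Table -AutoSize
    $ioc.Files    | Format-Table -AutoSize
} else {
    Write-Output 'No WinRing0 driver registered or found in the searched paths.'
}
```

Run from an elevated PowerShell session, since the CI\Config key and Win32_DeviceGuard require administrative rights to read. A WinRing0 hit is not proof of compromise on its own: several legitimate hardware-monitoring tools bundle the same driver, which is exactly why the blocklist, rather than a filename match, is the control to rely on.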

Web filtering should be configured to block outbound connections to consumer-grade mining pools, and security teams should run awareness training on the risks of pirated software.