Cybersecurity researchers have published details of a new cryptojacking campaign that uses pirated software bundles as lures to install a custom XMRig miner on compromised hosts. In a technical report released last week, Trellix researcher Aswath A stated, "Analysis of the recovered dropper, persistence triggers, and mining payload reveals a sophisticated, multi-stage infection prioritizing maximum cryptocurrency mining hashrate, often destabilizing the victim system. In addition, the malware has worm-like properties that allow it to propagate throughout external storage devices and move laterally even in air-gapped environments."

To trick unwary users into downloading executables containing malware, the attack uses social engineering decoys that advertise free premium software in the form of pirated software bundles, such as installers for office productivity suites.

The dropper binary functions as the infection's central nervous system, managing every facet of the attack lifecycle by acting as installer, watchdog, payload manager, and cleaner. Its modular architecture separates the monitoring functions from the main payloads, which mine cryptocurrency, escalate privileges, and keep the miner running even after it is terminated. "The attackers have developed a robust and extremely effective botnet by combining social engineering, worm-like propagation, legitimate software masquerades, and kernel-level exploitation," the report adds.
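The two behaviours described above, a miner tuned for maximum hashrate and a watchdog that re-spawns it after termination, both leave traces in ordinary process-creation telemetry. The following detection sketch is an added example written for this article, not code from Trellix or from the campaign it describes: it scores each command line for XMRig-style indicators (real XMRig options such as `--donate-level`, `--cpu-priority` and `--cpu-max-threads-hint`, a stratum pool URL, a Monero wallet address) and then looks for a parent that keeps re-spawning the same image within a short window. The event schema, image names, pool host and wallet string are all constructed for the demo.

```python
"""Hunt for cryptominer and watchdog indicators in process-creation events.

Added example (not from the Trellix report). Event format, field names,
image names and all sample values below are constructed for the demo.
"""
import re
from collections import defaultdict

# Real XMRig command-line options, weighted by how rarely they appear in
# benign tooling. The binary name is whatever the dropper chose, so the
# options are the more durable signal than the image name.
MINER_FLAGS = {
    "--donate-level": 3,
    "--coin": 2,
    "--algo": 1, "-a": 1,
    "--cpu-priority": 2,            # raise miner priority: destabilises host
    "--cpu-max-threads-hint": 2,    # use every core: maximum hashrate
    "--randomx-1gb-pages": 2,
    "--huge-pages": 1,
    "--keepalive": 1, "-k": 1,
    "--tls": 1,
}
# Stratum is the pool protocol XMRig speaks; the scheme is a strong signal.
STRATUM_URL = re.compile(r"stratum\+(tcp|ssl)://[^\s\"']+", re.IGNORECASE)
# Monero standard addresses: 95 base58 characters starting with 4 or 8.
MONERO_ADDR = re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b")

def score_cmdline(cmdline: str):
    """Return (score, reasons) for one process command line."""
    score, reasons = 0, []
    for tok in cmdline.split():
        flag = tok.split("=", 1)[0]          # handle --opt=value form
        if flag in MINER_FLAGS:
            score += MINER_FLAGS[flag]
            reasons.append(f"flag {flag}")
    if STRATUM_URL.search(cmdline):
        score += 4
        reasons.append("stratum pool URL")
    if MONERO_ADDR.search(cmdline):
        score += 3
        reasons.append("monero wallet address")
    return score, reasons

def flag_miners(events, threshold=4):
    """Events whose command line scores at or above the threshold."""
    hits = []
    for ev in events:
        score, why = score_cmdline(ev["cmdline"])
        if score >= threshold:
            hits.append((ev["pid"], score, why))
    return hits

def find_watchdogs(events, min_respawns=3, window_s=300):
    """Parents that spawn the same image >= min_respawns times in a window."""
    spawns = defaultdict(list)
    for ev in events:
        spawns[(ev["ppid"], ev["image"])].append(ev["ts"])
    hits = []
    for (ppid, image), times in spawns.items():
        times.sort()
        best = 0
        for i, t0 in enumerate(times):
            best = max(best, sum(1 for t in times[i:] if t - t0 <= window_s))
        if best >= min_respawns:
            hits.append((ppid, image, best))
    return hits

# Constructed miner command line: pool host and wallet are placeholders.
MINER_CMD = ("sysupdate.exe -o stratum+tcp://pool.example.invalid:3333 "
             "-u 4" + "A" * 94 + " -p x --donate-level=0 "
             "--cpu-max-threads-hint=100 --cpu-priority=5")

# Constructed process-creation events: a benign baseline plus a watchdog
# (ppid 400) re-launching the miner every ~60 s after it is killed.
SAMPLE_EVENTS = [
    {"ts": 0,   "pid": 410, "ppid": 1,   "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"ts": 20,  "pid": 500, "ppid": 300, "image": "curl.exe",
     "cmdline": "curl.exe -o update.zip https://example.invalid/update.zip"},
    {"ts": 30,  "pid": 501, "ppid": 300, "image": "curl.exe",
     "cmdline": "curl.exe -k https://intranet.example.invalid/"},
] + [
    {"ts": ts, "pid": pid, "ppid": 400, "image": "sysupdate.exe",
     "cmdline": MINER_CMD}
    for ts, pid in ((5, 412), (70, 413), (130, 414), (190, 415))
]

if __name__ == "__main__":
    for pid, score, why in flag_miners(SAMPLE_EVENTS):
        print(f"miner-like pid={pid} score={score} {why}")
    for ppid, image, n in find_watchdogs(SAMPLE_EVENTS):
        print(f"watchdog ppid={ppid} respawned {image} {n}x")
```

The threshold keeps single generic flags such as curl's `-k` below the alert line, while a pool URL or a wallet address alone is enough to surface an event. In practice the watchdog check is the more durable of the two, because a renamed or packed miner still has to be re-launched by something when the process is killed.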

The disclosure follows Darktrace's announcement that it had discovered a malware artifact, most likely created with a large language model (LLM), that exploited the React2Shell vulnerability (CVE-2025-55182, CVSS score: 10.0) to download a Python toolkit. The toolkit then used that access to drop an XMRig miner by executing a shell command.

Researchers Nathaniel Bill and Nathaniel Jones said, "This campaign is proof that AI-based LLMs have made cybercrime more accessible than ever, even though the amount of money generated by the attacker in this case is relatively low, and cryptomining is far from a new technique. This attacker generated a working exploit framework and compromised over 90 hosts with just one prompting session with a model, proving that the operational value of AI for adversaries should not be underestimated." According to WhoisXML API, attackers have also been using a toolkit called ILOVEPOOP to search for exposed systems that remain susceptible to React2Shell, probably to set the stage for future attacks.

The probing activity has focused on the U.S. government, defense, financial, and industrial sectors. Alex Ronquillo, vice president of product at WhoisXML API, stated that "a mismatch between how it was built and how it was used is what makes ILOVEPOOP unusual."