StaryDobry Attack: The Threat Exploiting Gaming Enthusiasts
A Deceptive Scheme Targeting Gamers
The StaryDobry attack is a large-scale campaign that leveraged the popularity of simulation and physics-based video games to infiltrate systems with a hidden cryptocurrency miner. Detected on December 31, 2024, this operation spanned a month and impacted users across multiple countries, including Russia, Brazil, Germany, Belarus, and Kazakhstan.
Cybercriminals behind this attack took advantage of individuals seeking free game downloads by distributing compromised installation files on torrent platforms. The infected files masqueraded as legitimate copies of popular games such as BeamNG.drive, Garry's Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy, luring unsuspecting users into installing malicious software.
Exploiting High-Performance Systems
The primary objective of the StaryDobry campaign was to deploy a cryptocurrency mining program on infected Windows machines. The chosen miner, XMRig, is widely known for its ability to harness system resources for Monero mining, a cryptocurrency favored by cybercriminals due to its emphasis on anonymity.
Targeting gaming enthusiasts was a strategic move, as gaming PCs typically possess powerful processors capable of sustaining prolonged mining operations. To maximize efficiency, the miner only activated on machines with at least eight CPU cores, ensuring optimal performance while avoiding detection on less capable devices.
A Multi-Layered Attack Strategy
The infection process began with manipulated game installers crafted using Inno Setup. These installers were uploaded to torrent platforms as early as September 2024, suggesting a well-planned campaign designed to reach a broad audience.
Once users launched the installer, a dropper file named unrar.dll was discreetly extracted and executed. This file employed advanced techniques to evade detection, checking whether it was operating in a debugging or sandboxed environment before proceeding.
Once those environment checks passed, the malware retrieved the user's public IP address and estimated their geographical location through external services. If this step failed, the system's location was automatically set to China or Belarus, although the reasoning behind this fallback remains unclear.
Deep System Infiltration and Evasion Techniques
After gathering preliminary information, the attack progressed by decrypting another executable, MTX64.exe. This component was written to the system under the name Windows.Graphics.ThumbnailHandler.dll and integrated with Windows Shell Extension functionality.
From this point, an additional layer of execution was introduced. A secondary payload named Kickstarter extracted an encrypted file and saved it under Unix.Directory.IconHandler.dll within the system's roaming credentials folder. This file facilitated communication with a remote command server, which delivered the final-stage payload—the miner implant itself.
To ensure persistence and avoid detection, the malware continuously monitored system processes, automatically terminating itself if task manager (taskmgr.exe) or process monitoring tools (procmon.exe) were detected. These evasion techniques significantly reduced the likelihood of security software flagging the operation.
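The artifacts named above (the two renamed DLLs, their use as a shell extension, and the eight-core threshold) give a defender something concrete to hunt for. The following triage script is an added example, not code from the report or the malware; it assumes the "roaming credentials folder" is $env:APPDATA\Microsoft\Credentials, that the shell-extension DLL was dropped somewhere under the user profile, and that the shell extension was registered as a per-user COM in-process server, since the article does not state the exact paths or registry keys.

```powershell
# Added triage script (not from the report): hunt a Windows host for the
# StaryDobry artifacts named in the article. Paths and the per-user COM
# registration are assumptions; adjust them to your own telemetry.
$Artifacts = @('Windows.Graphics.ThumbnailHandler.dll',
               'Unix.Directory.IconHandler.dll')
$SearchRoots = @((Join-Path $env:APPDATA 'Microsoft\Credentials'),
                 $env:APPDATA, $env:LOCALAPPDATA)

# 1. Dropped DLLs on disk (name comparison is case-insensitive).
$fileHits = foreach ($root in $SearchRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $Artifacts -contains $_.Name }
    }
}

# 2. Per-user COM servers whose InprocServer32 points at one of the names
#    (shell extensions are loaded through exactly this kind of registration).
$regHits = Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $inproc = Join-Path $_.PSPath 'InprocServer32'
        if (Test-Path $inproc) {
            $server = (Get-ItemProperty $inproc -ErrorAction SilentlyContinue).'(default)'
            foreach ($name in $Artifacts) {
                if ($server -like "*$name") {
                    [pscustomobject]@{ Clsid = $_.PSChildName; Server = $server }
                }
            }
        }
    }

# 3. Live processes that currently have either DLL loaded.
$procHits = foreach ($p in Get-Process) {
    try {
        $loaded = $p.Modules | Where-Object { $Artifacts -contains $_.ModuleName }
        if ($loaded) { [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName } }
    } catch { }   # access denied or bitness mismatch on some processes
}

# 4. Context: the miner only activated on hosts with at least eight cores.
$cores = (Get-CimInstance Win32_Processor | Measure-Object NumberOfCores -Sum).Sum

"Physical cores: $cores (StaryDobry miner threshold: 8)"
"Dropped-file hits: $(@($fileHits).Count)"; $fileHits | Select-Object FullName, LastWriteTime
"COM registration hits: $(@($regHits).Count)"; $regHits
"Processes with an artifact DLL loaded: $(@($procHits).Count)"; $procHits
```

Run it in an elevated session so step 3 can enumerate modules of processes owned by other users; a hit in any of the three checks warrants full collection of the file and the registry key before remediation.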
A Customized Mining Operation
Rather than connecting to a public mining pool, the attackers opted to host their own mining infrastructure. This approach allowed them to maintain greater control over the operation and obscure financial transactions tied to the illicit mining activity.
Once activated, the miner executed predefined commands to initiate cryptocurrency mining, directing computing resources toward Monero generation. To prevent unnecessary exposure, it included a built-in monitoring function that halted operations if security analysis tools were detected.
Implications of the Attack
The StaryDobry campaign underscores the risks associated with downloading software from unofficial sources. While the immediate consequence for victims was the unauthorized use of computing resources, prolonged mining activity could degrade system performance, increase energy consumption, and shorten hardware lifespan.
For businesses, the presence of unauthorized mining software could disrupt productivity, elevate electricity costs, and expose networks to additional threats if attackers decided to expand their operations beyond mining activities.
Attribution and Open Questions
The identity of those behind the StaryDobry attack remains unknown. While evidence of Russian language usage was found within the malware samples, no definitive link has been established connecting the campaign to known cybercriminal groups.
This incident reminds us that threat actors continue to refine their methods, employing deception and evasion techniques to compromise systems worldwide. The ability to infiltrate devices through seemingly harmless game downloads highlights the evolving landscape of digital threats, reinforcing the importance of cybersecurity awareness among users and organizations alike.