Introduction
On December 31, cybercriminals launched a mass infection campaign, aiming to exploit reduced vigilance and increased torrent traffic during the holiday season. Our telemetry detected the attack, which lasted for a month and affected individuals and businesses by distributing the XMRig cryptominer. This previously unidentified actor is targeting users worldwide—including in Russia, Brazil, Germany, Belarus and Kazakhstan—by spreading trojanized versions of popular games via torrent sites.
In this report, we analyze how the attacker evades detection and launches a sophisticated execution chain, employing a wide range of defense evasion techniques.
Kaspersky’s products detect this threat as Trojan.Win64.StaryDobry.*, Trojan-Dropper.Win64.StaryDobry.*, HEUR:Trojan.Win64.StaryDobry.gen.
Initial infection
On December 31, while reviewing our telemetry, we first detected this massive infection. Further investigation revealed that the campaign was initially distributed via popular torrent trackers. Trojanized versions of popular games—such as BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy—were designed to launch a sophisticated infection chain, ultimately deploying a miner implant. These malicious releases were created in advance and uploaded around September 2024.
Infection timeline
Although the malicious releases were published by different authors, they were all cracked the same way.
Malicious torrent available for download
Among the compromised installers are popular simulator and sandbox games that require minimal disk space. Below is the distribution of affected users by game as of January 2025:
Infected users per game