{"id":3366,"date":"2026-05-28T08:04:04","date_gmt":"2026-05-28T08:04:04","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/pirates-in-the-crosshairs-how-one-cybercrime-gang-has-been-infecting-book-movie-and-tv-show-fans-for-years\/"},"modified":"2026-05-28T08:04:04","modified_gmt":"2026-05-28T08:04:04","slug":"pirates-in-the-crosshairs-how-one-cybercrime-gang-has-been-infecting-book-movie-and-tv-show-fans-for-years","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/28\/pirates-in-the-crosshairs-how-one-cybercrime-gang-has-been-infecting-book-movie-and-tv-show-fans-for-years\/","title":{"rendered":"Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years"},"content":{"rendered":"<div>\n<p><img width=\"990\" height=\"400\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28052031\/mainers-scaled-1-990x400.jpg\" class=\"attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image\" alt=\"\" decoding=\"async\" loading=\"lazy\"><\/p>\n<h2 id=\"introduction\">Introduction<\/h2>\n<p>In late April 2026, a client reached out to us for incident response support after discovering a miner running on users\u2019 computers. We later discovered that the malware was being distributed via illegal movie and TV show streaming sites. The infection chain leveraged a fake update for a video player plugin. 
When the user attempted to watch a video, the player displayed a message saying the plugin version was outdated and asking to install an update to continue.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27213823\/pirates-miners-rat1.png\" class=\"magnificImage\"><img fetchpriority=\"high\" decoding=\"async\" class=\"aligncenter size-full wp-image-119945\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27213823\/pirates-miners-rat1.png\" alt=\"\" width=\"1336\" height=\"343\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27213823\/pirates-miners-rat1.png 1336w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27213823\/pirates-miners-rat1-300x77.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27213823\/pirates-miners-rat1-1024x263.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27213823\/pirates-miners-rat1-768x197.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27213823\/pirates-miners-rat1-740x190.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27213823\/pirates-miners-rat1-1091x280.png 1091w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27213823\/pirates-miners-rat1-800x205.png 800w\" sizes=\"(max-width: 1336px) 100vw, 1336px\"><\/a><\/p>\n<p>Clicking the link downloaded a ZIP archive with the following contents:<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27213849\/pirates-miners-rat2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119946\" 
src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27213849\/pirates-miners-rat2.png\" alt=\"\" width=\"900\" height=\"129\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27213849\/pirates-miners-rat2.png 900w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27213849\/pirates-miners-rat2-300x43.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27213849\/pirates-miners-rat2-768x110.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27213849\/pirates-miners-rat2-740x106.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27213849\/pirates-miners-rat2-800x115.png 800w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\"><\/a><\/p>\n<p>The archive contained a legitimate executable, <code>HLS Installer.874.exe<\/code>, alongside a malicious DLL. Launching the EXE triggered a DLL side-loading mechanism, injecting the malicious module into a legitimate program process and executing code within its context. The library contained the logic for deploying the miner and establishing persistence on the device.<\/p>\n<p>At the time of the investigation, the infection risk was associated with two pirated video sites in the .ru and .top TLDs.<\/p>\n<h2 id=\"link-to-previous-campaigns\">Link to previous campaigns<\/h2>\n<p>The current incident does not appear to be an isolated case. After analyzing the infection vector and the logic of the DLL, we concluded that this activity is a continuation of a campaign involving pirated digital libraries, which was previously described by <a href=\"https:\/\/www.f6.ru\/blog\/miners-free-libraries\/\" target=\"_blank\" rel=\"noopener\">another cybersecurity company<\/a>.<\/p>\n<p>The delivery mechanism for the malicious archive has remained virtually unchanged. 
Previously, the archive was downloaded in parts from the domain file[.]ipfs[.]us[.]69[.]mu, but this domain was unavailable at the time of our investigation. Instead, the threat actor employed a new website, urush1bar4[.]online.<\/p>\n<p>The structure of the archive has also been preserved: inside is a legitimate executable and a large malicious DLL (see the screenshot below).<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28045843\/mainers_book_blur.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-119958\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28045843\/mainers_book_blur-1024x528.png\" alt=\"\" width=\"1024\" height=\"528\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28045843\/mainers_book_blur-1024x528.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28045843\/mainers_book_blur-300x155.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28045843\/mainers_book_blur-768x396.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28045843\/mainers_book_blur-679x350.png 679w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28045843\/mainers_book_blur-740x382.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28045843\/mainers_book_blur-543x280.png 543w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28045843\/mainers_book_blur-800x412.png 800w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28045843\/mainers_book_blur.png 1158w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/a><\/p>\n<p>In the course of our research, we also discovered a blog post by <a 
href=\"https:\/\/jp.security.ntt\/insights_resources\/tech_blog\/102icvb\/\" target=\"_blank\" rel=\"noopener\">NTT Security<\/a> describing a similar delivery method for a malicious archive. In that instance, the threat actors displayed a fake browser crash page (shown below) while simultaneously downloading an archive to the device with a name starting with chromium-patch-nightly.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214013\/pirates-miners-rat4.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119948\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214013\/pirates-miners-rat4.png\" alt=\"\" width=\"875\" height=\"384\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214013\/pirates-miners-rat4.png 875w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214013\/pirates-miners-rat4-300x132.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214013\/pirates-miners-rat4-768x337.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214013\/pirates-miners-rat4-798x350.png 798w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214013\/pirates-miners-rat4-740x325.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214013\/pirates-miners-rat4-638x280.png 638w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214013\/pirates-miners-rat4-800x351.png 800w\" sizes=\"auto, (max-width: 875px) 100vw, 875px\"><\/a><\/p>\n<p>This scenario resembles the current scheme involving the fake video player plugin update. Given the previously described activity, it\u2019s safe to assume that this campaign has been active since at least 2022. 
Throughout this entire period, the threat actor has been updating both the downloadable malware and individual parts of the infection mechanism.<\/p>\n<h2 id=\"potential-distribution-scale\">Potential distribution scale<\/h2>\n<p>As in previous episodes of the campaign, infections occur via highly popular websites. As of late April 2026, sites linked to the campaign typically displayed extremely high monthly traffic. For instance, the audience for the smallest of the free digital libraries stood at 11,000 users, while the largest reached 4.7 million. For pirated movie and TV show streaming sites, this figure ranged from 2.1 million to 27.4 million. In April, the total number of visits to websites where the malware described in this study was detected reached 40 million.<\/p>\n<p>The popularity of these sites increases the potential scale of the miner\u2019s distribution. Furthermore, the campaign is not limited to a single type of platform: the malicious archive is being distributed through both online digital libraries and movie and TV show streaming sites. This broadens the potential range of victims and makes it more difficult to attribute the threat to a single infection vector.<\/p>\n<h2 id=\"the-downloadable-archive\">The downloadable archive<\/h2>\n<p>The current version of the downloadable malware is a ZIP archive containing a legitimate EXE file and a malicious DLL. When the executable runs, the library side-loads into its process, triggering the malicious logic.<\/p>\n<p>The technical analysis that follows covers the current version of this malware. 
This version was first observed in April 2025 and has been distributed unmodified for over a year.<\/p>\n<h2 id=\"dll-analysis\">DLL analysis<\/h2>\n<p>Most of the data inside the DLL carries no meaningful weight and was randomly generated just to inflate the file size and impede analysis.<\/p>\n<p>Amidst the large volume of junk code inside the DLL, there is a single function that triggers a stack overflow during execution:<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214057\/pirates-miners-rat5.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119949\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214057\/pirates-miners-rat5.png\" alt=\"\" width=\"479\" height=\"427\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214057\/pirates-miners-rat5.png 479w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214057\/pirates-miners-rat5-300x267.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214057\/pirates-miners-rat5-393x350.png 393w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214057\/pirates-miners-rat5-314x280.png 314w\" sizes=\"auto, (max-width: 479px) 100vw, 479px\"><\/a><\/p>\n<p>Based on the code, the size of the <code>stackBuf<\/code> buffer on the stack is only 64 bytes, and the <code>SmashStack<\/code> function overwrites this buffer without validating the length of the input data.<\/p>\n<p>This overflow constructs a ROP chain that decrypts the next stage. 
After decryption, it transfers execution to code located within the modified DOS header of the PE file:<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214133\/pirates-miners-rat6.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119950\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214133\/pirates-miners-rat6.png\" alt=\"\" width=\"269\" height=\"397\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214133\/pirates-miners-rat6.png 269w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214133\/pirates-miners-rat6-203x300.png 203w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214133\/pirates-miners-rat6-237x350.png 237w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214133\/pirates-miners-rat6-190x280.png 190w\" sizes=\"auto, (max-width: 269px) 100vw, 269px\"><\/a><\/p>\n<p>The header was intentionally modified to make it into valid shellcode:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">pop     r10\r\npush    r10\r\ncall    $+5\r\npop     rcx \r\nsub     rcx, 9\r\nmov     rax, rcx\r\nadd     rax, 5C1000h\r\ncall    rax\r\nretn<\/pre>\n<p>This shellcode passes control to a function located at offset <code>0x5C1000<\/code> from the base of the PE file. 
This function then reflectively loads the same PE file into memory.<\/p>\n<p>Going forward, we will refer to this decrypted PE file as the main module.<\/p>\n<h2 id=\"main-module\">Main module<\/h2>\n<p>The module\u2019s behavior across its different operational stages is detailed below:<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050141\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_1EN-scaled.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-119959\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050141\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_1EN-1024x542.png\" alt=\"\" width=\"1024\" height=\"542\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050141\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_1EN-1024x542.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050141\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_1EN-300x159.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050141\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_1EN-768x406.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050141\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_1EN-1536x812.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050141\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_1EN-2048x1083.png 2048w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050141\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_1EN-662x350.png 662w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050141\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_1EN-740x391.png 740w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050141\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_1EN-529x280.png 529w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050141\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_1EN-800x423.png 800w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/a><\/p>\n<p>The main module is a modified fork of the SilentCryptoMiner project. We have previously analyzed miners leveraging this project in other posts: <a href=\"https:\/\/securelist.com\/miner-campaign-misuses-open-source-siem-agent\/114022\/\" target=\"_blank\" rel=\"noopener\">Scam Information and Event Management<\/a> and <a href=\"https:\/\/securelist.com\/silentcryptominer-spreads-through-blackmail-on-youtube\/115788\/\" target=\"_blank\" rel=\"noopener\">Undercover miner: how YouTubers get pressed into distributing SilentCryptoMiner as a restriction bypass tool<\/a>. However, this specific fork has not been documented anywhere before, which is why we decided to break down its unique features in detail in this article.<\/p>\n<p>Upon an initial run, the main module checks whether it has permission to proceed with execution. To do this, it collects the following data from the victim\u2019s device:<\/p>\n<ul>\n<li>Processor information<\/li>\n<li>The serial number of the C:\/ drive<\/li>\n<li>Whether the process was launched with elevated privileges<\/li>\n<li>The process start time in Unix timestamp format<\/li>\n<\/ul>\n<p>The information is transmitted as a single large DNS query using the DNS tunneling technique. 
An example of the DNS query is shown below:<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050250\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_2EN.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-119960\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050250\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_2EN-1024x478.png\" alt=\"\" width=\"1024\" height=\"478\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050250\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_2EN-1024x478.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050250\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_2EN-300x140.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050250\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_2EN-768x358.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050250\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_2EN-1536x716.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050250\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_2EN-750x350.png 750w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050250\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_2EN-740x345.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050250\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_2EN-600x280.png 600w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050250\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_2EN-800x373.png 800w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050250\/Miner-and-RAT_%D1%81%D1%85%D0%B5%D0%BC%D1%8B_2EN.png 2022w\" sizes=\"auto, (max-width: 
1024px) 100vw, 1024px\"><\/a><\/p>\n<p>The attackers disguise the DNS query as legitimate traffic through low-level packet crafting and by using a domain name ending in microsoft.com. However, the IP address to which the query is actually sent has no relation to Microsoft.<\/p>\n<div id=\"attachment_119953\" style=\"width: 775px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214408\/pirates-miners-rat9.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-119953\" class=\"size-full wp-image-119953\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214408\/pirates-miners-rat9.png\" alt=\"DNS query crafting code\" width=\"765\" height=\"1045\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214408\/pirates-miners-rat9.png 765w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214408\/pirates-miners-rat9-220x300.png 220w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214408\/pirates-miners-rat9-750x1024.png 750w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214408\/pirates-miners-rat9-256x350.png 256w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214408\/pirates-miners-rat9-732x1000.png 732w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214408\/pirates-miners-rat9-205x280.png 205w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214408\/pirates-miners-rat9-659x900.png 659w\" sizes=\"auto, (max-width: 765px) 100vw, 765px\"><\/a><\/p>\n<p id=\"caption-attachment-119953\" class=\"wp-caption-text\">DNS query crafting code<\/p>\n<\/div>\n<p>The execution of the main module proceeds only if the following byte sequence is 
detected in the response: <code>01 02 03 04<\/code>. Following a successful check, the main module launches, and the subsequent logic is adjusted depending on whether the process has elevated privileges on the compromised host.<br \/>\nLet\u2019s look at both scenarios:<\/p>\n<p><strong> 1. The process is launched with elevated privileges. <\/strong><\/p>\n<p>In this case, preparatory steps precede the miner launch:<\/p>\n<ul>\n<li>The malware adds Windows Defender exclusions for EXE and DLL files, as well as for the <code>%USERPROFILE%<\/code>, <code>%PROGRAMDATA%<\/code>, and <code>%WINDIR%<\/code> folders.<\/li>\n<li>It kills Microsoft\u2019s Malicious Software Removal Tool (<a href=\"https:\/\/en.wikipedia.org\/wiki\/Malicious_Software_Removal_Tool\" target=\"_blank\" rel=\"noopener\">MSRT<\/a>) by calling <code>ZwSetInformationFile<\/code> with the <code>FileDispositionInformation<\/code> type, which causes the mrt.exe file to be deleted upon closing. To prevent MSRT from being automatically installed during the next update, the <code>DontOfferThroughWUAU<\/code> parameter is created with a value of 1 under the <code>HKLM\\Software\\Policies\\Microsoft\\MRT<\/code> registry key.<\/li>\n<li>Automatic hibernation and sleep mode are disabled for when the device is running on both AC power and battery.<\/li>\n<\/ul>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">powercfg \/x -hibernate-timeout-ac 0\r\npowercfg \/x -hibernate-timeout-dc 0\r\npowercfg \/x -standby-timeout-ac 0\r\npowercfg \/x -standby-timeout-dc 0<\/pre>\n<p>This is done to maximize the miner\u2019s potential runtime on the device.<\/p>\n<p>Next, to achieve persistence, a copy is created in the <code>C:\\ProgramData\\Google\\Chrome<\/code> directory, after which the <code>GoogleUpdateTaskMachineQC<\/code> service is registered and configured to launch automatically at system startup.<\/p>\n<p>Finally, four reflective loads are executed: the components are injected directly into the memory of the target 
processes without writing to disk, bypassing standard Windows loading mechanisms. Each implant is injected into its own host process:<\/p>\n<ul>\n<li>RAT agent   \u2192   into conhost.exe<\/li>\n<li>Watchdog   \u2192   into explorer.exe<\/li>\n<li>CPU miner   \u2192   into explorer.exe<\/li>\n<li>GPU miner   \u2192   into explorer.exe, but only if a discrete GPU is present in the system. This is verified by enumerating all display adapters in the system.<\/li>\n<\/ul>\n<p><strong> 2. The process is launched with standard privileges. <\/strong><\/p>\n<p>In this scenario, the miner begins repeatedly triggering User Account Control (UAC) prompts until it is successfully executed with elevated privileges. The workflow is as follows:<\/p>\n<ol>\n<li>Upon initial execution, a copy is made to the <code>%USERPROFILE%\\AppData\\Roaming\\Sandboxie<\/code> directory and relaunched from there. Simultaneously, an attempt is made to launch it with elevated privileges via UAC.<\/li>\n<li>If execution occurs from the Sandboxie folder:<\/li>\n<\/ol>\n<ul>\n<li>Persistence is configured for the miner copy in this folder by adding an entry to <code>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/code>.<\/li>\n<li>Every three minutes, an attempt is made to launch with elevated privileges via UAC until the <code>GoogleUpdateTaskMachineQC<\/code> service is successfully installed.<\/li>\n<\/ul>\n<p>A successful installation requires all of the following conditions to be met:<\/p>\n<ol>\n<li>The <code>GoogleUpdateTaskMachineQC<\/code> service exists in the system.<\/li>\n<li>The Start value for this service is set to 2 (Automatic).<\/li>\n<li>The ImagePath value points to a file in the <code>C:\\ProgramData\\Google\\Chrome<\/code> folder.<\/li>\n<li>This file exists on disk.<\/li>\n<\/ol>\n<h2 id=\"watchdog\">Watchdog<\/h2>\n<p>The purpose of this component is to ensure the uninterrupted operation of the miner. 
At the very beginning of its execution, it copies all files from the <code>C:\\ProgramData\\Google\\Chrome<\/code> folder and encrypts the contents of each file using a cyclic XOR algorithm with the key <code>AFeIboiOmImJS2ypJU0pTpAO61SELkUc<\/code>. After that, the encrypted contents are written into the process memory, and the following structure is created in memory for each file:<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">class FileContainer{\r\n\twchar_t* fullPath; \/\/ full path to file\r\n\tsize_t* ptrSize;   \/\/ pointer to file size\r\n\tuint8_t* xorEncryptedFile; \/\/ pointer to buffer containing encrypted file contents\r\n};<\/pre>\n<p>As soon as the contents of all files are saved in memory, Watchdog enters an infinite loop, where every five seconds, it checks the integrity of the installed GoogleUpdateTaskMachineQC service, just as the main module does. If the service is found to be incorrectly installed, Watchdog overwrites the miner\u2019s files in the <code>C:\\ProgramData\\Google\\Chrome<\/code> path with the contents acquired at startup.<\/p>\n<p>To successfully remediate the miner, this module, which runs inside the explorer.exe process, must be terminated first.<\/p>\n<h2 id=\"rat-agent\">RAT agent<\/h2>\n<p>This module provides remote control capabilities via four commands, which are described at the end of this section. The command-and-control addresses used to receive these commands follow this format:<\/p>\n<ul>\n<li><code>http:\/\/{domain}.space\/index.php?authorization=1<\/code><\/li>\n<li><code>http:\/\/{domain}.site\/index.php? backup version<\/code><\/li>\n<\/ul>\n<p>The <code>{domain}<\/code> is calculated based on the current date. The process starts with the current year, then adds the zone identifier for the current month. All 12 months are divided into four zones. Finally, the word <code>microsoft<\/code> is appended to the resulting string. 
This final string is used as the input for subsequent double hashing using the <code>MurmurHash64<\/code> algorithm. The hash output is the domain for the implant to communicate with.<\/p>\n<p>At the time of writing this, the following domains were registered:<\/p>\n<ul>\n<li>2025, April-July  \u2192  5d14vnfb[.]space<\/li>\n<li>2025, August-November  \u2192  r7mvjl67[.]space<\/li>\n<li>2025, December \u2192 zgj1tam9[.]space<\/li>\n<li>2026, January-March \u2192 jeaw520i[.]space<\/li>\n<li>2026, April\u2013July \u2192 qdmagva5[.]space<\/li>\n<\/ul>\n<p>An example of a request to the C2 server is provided below:<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214732\/pirates-miners-rat10.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-119954\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214732\/pirates-miners-rat10.png\" alt=\"\" width=\"545\" height=\"161\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214732\/pirates-miners-rat10.png 545w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/27214732\/pirates-miners-rat10-300x89.png 300w\" sizes=\"auto, (max-width: 545px) 100vw, 545px\"><\/a><\/p>\n<p>As can be seen, the request contains an encrypted body consisting of data encrypted via AES-CBC with the key <code>0123456789abcdef0123456789abcdef<\/code> and the initialization vector <code>000102030405060708090a0b0c0d0e0f<\/code>. 
The data contains a list of installed programs on the system, along with processor information and the serial number of the C: drive.<\/p>\n<p><a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050344\/mainers_list.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-119961\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050344\/mainers_list-1024x126.png\" alt=\"\" width=\"1024\" height=\"126\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050344\/mainers_list-1024x126.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050344\/mainers_list-300x37.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050344\/mainers_list-768x95.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050344\/mainers_list-740x91.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050344\/mainers_list-800x98.png 800w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/05\/28050344\/mainers_list.png 1527w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/a><\/p>\n<p>This information is likely used by the backend to check for virtual or debugging environments.<\/p>\n<p>The first 16 bytes of the server response body represent the initialization vector for the AES-CBC algorithm with the key <code>0123456789abcdef0123456789abcdef<\/code>, while the remaining bytes are the data encrypted with this algorithm. 
The decrypted data contains a malicious payload, as well as its RSA-SHA256 signature (<code>sign<\/code>):<\/p>\n<pre class=\"urvanov-syntax-highlighter-plain-tag\">struct PLAINTEXT{\r\nuint32_t len_payload;         \/\/ length of the payload in bytes\r\nuint8_t payload[len_payload]; \/\/ payload (4-byte command code plus command data)\r\nuint32_t len_sign;            \/\/ length of the signature in bytes\r\nuint8_t sign[len_sign];       \/\/ RSA-SHA256 signature over the payload\r\n};<\/pre>\n<p>The authenticity of the message is verified by checking the <code>sign<\/code> signature against the server\u2019s public key, which is embedded in the executable.<\/p>\n<p>Inside the malicious payload is a 4-byte code that determines the subsequent behavior of the program, along with additional data whose meaning depends on the code.<\/p>\n<p>The table below lists the four remote control commands for the RAT agent module.<\/p>\n<table>\n<tbody>\n<tr>\n<td>Code<\/td>\n<td>Purpose<\/td>\n<\/tr>\n<tr>\n<td>1<\/td>\n<td>Execution of an arbitrary command<\/td>\n<\/tr>\n<tr>\n<td>2<\/td>\n<td>Reflective execution of the provided PE file within the explorer.exe process<\/td>\n<\/tr>\n<tr>\n<td>3<\/td>\n<td>Execution of the provided shellcode<\/td>\n<\/tr>\n<tr>\n<td>4<\/td>\n<td>Exit<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 id=\"the-miners\">The miners<\/h2>\n<p>Depending on whether a discrete GPU is present in the system, either the CPU miner alone or a combination of the CPU and GPU miners is launched. The CPU miner is based on XMRig, while the GPU miner supports multiple algorithms.<\/p>\n<p>Upon initial execution, both miners attempt to retrieve their startup configuration from a remote server. The potential addresses are listed below:<\/p>\n<ul>\n<li>\u201c{domain}.strangled.net\u201d<\/li>\n<li>\u201c{domain}.ignorelist.com\u201d<\/li>\n<li>\u201c{domain}.ftp.sh\u201d<\/li>\n<li>\u201c{domain}.zanity.net\u201d<\/li>\n<\/ul>\n<p>As with the RAT agent component, the server address is generated from the current date \u2014 in this case, the server address changes every week. 
Because a new domain is derived every week, the 2020\u20132030 period yields a large number of candidate domains; however, all of them resolve to the same IP address: 107[.]172[.]212[.]235. The miner uses the first of the four candidate domains listed above that turns out to be reachable.<\/p>\n<p>The algorithm for retrieving the configuration from the server is identical to the one used by the RAT agent, with two differences: the AES-CBC key is <code>th1s1sth3key0f4n1ntere5t1ngw0rld<\/code>, and the signed payload carries the miner configuration rather than a command. The retrieved configuration is then re-encrypted with AES-CBC under the fixed key <code>UXUUXUUXUUCommandULineUUXUUXUUXU<\/code> and initialization vector <code>UUCommandULineUU<\/code>, base64-encoded, and passed as a command-line argument to the miner, which is launched inside an explorer.exe process through process hollowing. Since that key and IV are constants, the configuration of a running miner can be recovered from the command line of the hollowed explorer.exe process alone.<\/p>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p>Our investigation focused on an ongoing campaign distributing miners via popular illegal content sites. The threat actors leverage a variety of sites, ranging from online libraries to movie and TV show streaming platforms. There is no telling what channels they will use to distribute the malicious archive in the future. 
However, the current case shows that users of piracy sites continue to take a serious risk.<\/p>\n<p>Our products detect this malware with the following generic verdicts:<\/p>\n<ul>\n<li>HEUR:Trojan.Win64.DllHijack.gen<\/li>\n<li>MEM:Trojan.Win32.SEPEH.gen<\/li>\n<\/ul>\n<h2 id=\"indicators-of-compromise\">Indicators of Compromise<\/h2>\n<p><strong>Malicious archive download URL<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/urush1bar4.online\/results?icid=gl_sl_post-opentip_sm-team_970020ae7831fbed&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">urush1bar4[.]online<\/a><\/p>\n<p><strong>Malicious DLLs:<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/6a0fe6065d76715feebc1526d456db73\/results?icid=gl_sl_post-opentip_sm-team_2fa9e8d53c3b4ade&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">6A0FE6065D76715FEEBC1526D456DB73<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/7f624407ae489324e96a708a09c17e6f\/results?icid=gl_sl_post-opentip_sm-team_72f3552f05faed8a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">7F624407AE489324E96A708A09C17E6F<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/02a43b3423367b9dddc24cc7dfc070df\/results?icid=gl_sl_post-opentip_sm-team_c9975fe6572b6e59&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">02A43B3423367B9DDDC24CC7DFC070DF<\/a><\/p>\n<p><strong>RAT C&amp;C:<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/5d14vnfb.space\/results?icid=gl_sl_post-opentip_sm-team_259c7fc768a47ca3&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">5d14vnfb[.]space<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/r7mvjl67.space\/results?icid=gl_sl_post-opentip_sm-team_9a8a6a11c9b9460b&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" 
rel=\"noopener\">r7mvjl67[.]space<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/zgj1tam9.space\/results?icid=gl_sl_post-opentip_sm-team_65f3fd4bacf8dd2f&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">zgj1tam9[.]space<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/jeaw520i.space\/results?icid=gl_sl_post-opentip_sm-team_645eb84ffcff1021&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">jeaw520i[.]space<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/qdmagva5.space\/results?icid=gl_sl_post-opentip_sm-team_500047bbf7cb1ebc&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">qdmagva5[.]space<\/a><\/p>\n<p><strong>Configuration retrieval address<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/107.172.212.235\/results?icid=gl_sl_post-opentip_sm-team_626c89465c9ba78a&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">107[.]172[.]212[.]235<\/a><\/p>\n<p><strong><code>UnamWebPanel<\/code> control panel addresses<\/strong><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/m4yuri.online\/results?icid=gl_sl_post-opentip_sm-team_99da632f26d35d23&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">m4yuri[.]online<\/a><br \/>\n<a href=\"https:\/\/opentip.kaspersky.com\/kristina.quest\/results?icid=gl_sl_post-opentip_sm-team_c7cba255885722e4&amp;utm_source=SL&amp;utm_medium=SL&amp;utm_campaign=SL\" target=\"_blank\" rel=\"noopener\">kristina[.]quest<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Introduction In late April 2026, a client reached out to us for incident response support after discovering a miner running on users\u2019 computers. We later discovered that the malware was being distributed via illegal movie and TV show streaming sites. 
The infection chain leveraged a fake update for a video player plugin. When the user [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[1217,90,232,233,259,324,94,1218,923,1220,257,1219],"tags":[91],"class_list":["post-3366","post","type-post","status-publish","format-standard","hentry","category-browser-plugins","category-cybersecurity","category-malware-descriptions","category-malware-technologies","category-microsoft-windows","category-miner","category-phishing","category-piracy","category-rat-trojan","category-silentcryptominer","category-windows-malware","category-xmrig","tag-cybersecurity"]}