An ongoing cryptocurrency mining campaign that developed undetected since 2019 has been attributed to a Turkish-speaking agent called Nitrokod.

The mining campaign managed to make 111.000 victims until now, and all of them were fooled by its ability to mimic a desktop extension for Google Translate, for example.

A list of countries affected includes the United Kingdom, the United States, Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, and Poland.

How Does the Campaign Work?

The first step of the mining campaign involves sneaking malware through free software that can be downloaded from Softpedia, Uptodown, and other popular sites, shows Check Point, the discoverer of the campaign.

“The malicious tools can be used by anyone. They can be found by a simple web search, downloaded from a link, and installation is a simple double-click.”, said Maya Horowitz, vice president of research at Check Point, according to The Hacker News.

What is innovative is how the malware postpones its execution for up to 4 weeks and differentiates its malicious activity from the downloaded fake software to avoid detection.

The installation of the infected program is followed by deployment of an update executable to the disk that, in turn, kick-starts a four-stage attack sequence, with each dropper paving for the next, until the actual malware is dropped in the seventh stage.


Following the malware implementation, a configuration file is obtained through a link with a remote command-and-control (C2) server. This file then leads to coin mining activity.

Cryptocurrency Mining Campaign Goes Undetected Since 2019


Besides that, due to the large period of time from the moment of infection to the moment when the malware is dropped – almost a month -, the attack is even harder to trace. In that period the evidence trail is wiped clean, making the whole process especially difficult to map.

A notable aspect of the Nitrokod campaign is that the fake software offered for free are for services that do not have an official desktop version, such as Yandex Translate, Microsoft Translate, YouTube Music, MP3 Download Manager, and Pc Auto Shutdown.


If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.


New Golang Version: the Mining Process Increased By 15%

Cryptocurrency Security: How to Safely Invest in Digital Currency

10+ Cryptocurrency Fraud and Scams You Need to Pay Attention to

Leave a Reply

Your email address will not be published. Required fields are marked *