A major malware campaign named StaryDobry infected gamers by distributing trojanized versions of popular games like Garry’s Mod, BeamNG.drive, and Dyson Sphere Program via torrent sites. The malware, embedded in game installers, leveraged the high processing power of gaming PCs to run XMRig cryptocurrency miner and fill the pockets of cybercriminal actors.
StaryDobry Delivers XMRig Miner Malware in BeamNG, Garry’s Mod
Cybersecurity researchers have uncovered a massive malware spreading campaign. Coined StaryDobry, it has been targeting gamers by distributing trojanized versions of cracks for popular games. These include Garry’s Mod, BeamNG.drive, and Dyson Sphere Program. All of the weaponized versions were promoted on websites dedicated to unlicensed software and p2p sharing.
The campaign, which started in December 2024 and lasted until late January 2025, primarily targeted users in Germany, Russia, Brazil, Belarus, and Kazakhstan. There are a few posts with malicious distributions still available on the websites, although written in Russian.
The malware was embedded within game installers and spread widely over the holiday season when torrent activity peaks. Once installed, the malware delivered an XMRig cryptominer, exploiting gaming PCs’ high processing power for mining Monero cryptocurrency.
Interestingly, a compromised BeamNG.drive mod was reportedly linked to a breach at Disney in mid-2024. While some believe this was a coincidence rather than a targeted attack, the presence of malware in a mod used within a major corporation, it’s probably a tradition by now. Despite thorough analysis, no direct attribution to a known threat group has been made, though the campaign appears to have Russian-speaking origins.
Technical Details
The infection chain begins in a rather typical manner – with users downloading cracked game installers from p2p networks. These installers contained the legitimate game alongside a hidden malware dropper (unrar.dll). By the way, I have repeatedly mentioned that pirating is not good, I even wrote a separate post about it.
Upon installation, the dropper executed in the background, checking for virtual machines or security tools before proceeding. If no threats were detected, the malware registered itself using regsvr32.exe for persistence. It then collected system information, including OS details, CPU specs, and GPU capabilities. The data was then sent to the command and control (C2) server at pinokino[.]fun.
Payload Deployment
Next, the malware decrypted and installed a secondary loader (MTX64.exe), disguising it as a Windows system file to evade detection. This loader created a scheduled task for persistence and ensured that only systems with at least eight CPU cores would proceed with the crypto mining operation. If the conditions were met, the loader downloaded and launched a modified version of the XMRig miner.
This miner was customized to avoid detection by constructing its configuration internally instead of using traditional arguments. It also continuously monitored system processes, shutting itself down if security tools were detected. Unlike standard XMRig miners, this variant connected to private mining servers rather than public pools, making it harder to track the stolen computational power.
Researchers observed that the malware used extensive evasion techniques. These included file name spoofing, timestamp manipulation, and encrypted communication with C2 servers. The campaign appeared highly opportunistic, leveraging the increased demand for cracked games during the holiday season to infect as many users as possible.
How To Stay Safe
The simplest way to avoid infection is to stay away from pirated software and torrent sites. However, in the case of BeamNG.drive mods, even legitimate users could unknowingly install malware, meaning vigilance is required beyond just avoiding piracy. It’s crucial to verify the source of all software, especially game mods, and to rely on trusted developers.
Users should also monitor system performance, as unexpected slowdowns or high CPU usage may indicate cryptominer activity. To minimize risks, users should employ reputable anti-malware solutions that can detect and block such threats. GridinSoft Anti-Malware is an effective tool for identifying and removing StaryDobry malware. Download it by clicking the banner below and activate the protection right now!
