SilentCryptoMiner Malware Spreads Through Fake Internet Bypass Tools
A new malware campaign is infecting users with SilentCryptoMiner, a cryptocurrency miner disguised as a tool for bypassing internet restrictions. According to Russian cybersecurity firm Kaspersky, attackers are increasingly packaging malware as Windows Packet Divert (WPD) tools, distributing it under the guise of internet freedom software.
Victims are tricked into downloading malicious archives containing installation instructions that urge them to disable security software. Once installed, SilentCryptoMiner runs undetected, secretly mining cryptocurrency. Over 2,000 Russian users have already been compromised through a campaign that promoted the malware via a YouTube channel with 60,000 subscribers.
Attackers have escalated their tactics by impersonating legitimate developers and threatening YouTube creators with fake copyright strikes. Some were forced to post videos with malicious links to avoid losing their channels. By December 2024, the malware had also spread through Telegram and other YouTube channels, though many have since been taken down.
The malware uses process hollowing to inject its code into system processes, making it difficult to detect. It also checks if it’s running in a security sandbox and disables Windows Defender before launching its mining operation. To avoid detection, the miner inflates its file size to 690 MB and stops mining when certain processes are active. Hackers can even control it remotely through a web panel.
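The 690 MB inflation described above is a file-size evasion, and it leaves a cheap artifact: most of the file is one repeated byte value. The following is an added example written for this page, not code from the article or from Kaspersky; it samples a large file and flags it when a single byte value dominates. The size and ratio thresholds are assumptions chosen for illustration.

```python
# Added example (not from the article or Kaspersky's report): a heuristic that
# flags "inflated" executables. The article reports SilentCryptoMiner pads
# itself to about 690 MB; a file whose bulk is one repeated byte value is a
# cheap, defender-side signal that the size comes from padding, not code.
import os
from collections import Counter
from typing import Tuple

# Thresholds are assumptions for this example, not values from the report.
MIN_SIZE = 100 * 1024 * 1024   # only files at least this large are considered
PAD_RATIO = 0.90               # >= 90% of sampled bytes being one value


def padding_stats(data: bytes) -> Tuple[int, float]:
    """Return (most common byte value, fraction of `data` it occupies)."""
    if not data:
        return 0, 0.0
    value, count = Counter(data).most_common(1)[0]
    return value, count / len(data)


def looks_inflated(data: bytes, min_size: int = MIN_SIZE,
                   pad_ratio: float = PAD_RATIO) -> bool:
    """True when `data` is large and dominated by a single byte value."""
    _, ratio = padding_stats(data)
    return len(data) >= min_size and ratio >= pad_ratio


def sample_file(path: str, samples: int = 32, chunk: int = 64 * 1024) -> bytes:
    """Read `samples` evenly spaced chunks so a huge file is never loaded whole."""
    size = os.path.getsize(path)
    step = max(size - chunk, 0) // max(samples - 1, 1)
    parts = []
    with open(path, "rb") as f:
        for i in range(samples):
            f.seek(i * step)
            parts.append(f.read(chunk))
    return b"".join(parts)


def looks_inflated_file(path: str, min_size: int = MIN_SIZE,
                        pad_ratio: float = PAD_RATIO) -> bool:
    """File-level check: size from the filesystem, padding ratio from samples."""
    if os.path.getsize(path) < min_size:
        return False
    _, ratio = padding_stats(sample_file(path))
    return ratio >= pad_ratio


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(f"{p}: {'INFLATED' if looks_inflated_file(p) else 'ok'}")
```

Run it over a download directory to triage unusually large installers; a hit is a reason to submit the file for analysis, not proof of malware, since some legitimate installers also carry large low-entropy regions.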
Cybersecurity experts warn users to never disable antivirus software when installing unknown programs and to be cautious of tools that promise to bypass internet restrictions.