Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years
ID: 260018c3-0b14-5a88-bc08-d49615383eb8
STIX ID: report--260018c3-0b14-5a88-bc08-d49615383eb8
Feed Name: Securelist by Kaspersky
Date Published: 2026-05-28
Date Updated: 2026-05-28
Author: Konstantin Krasilnikov, Valery Akulenko, Artem Snegirev
This report documents an ongoing malicious campaign, active since at least 2022, that distributes a coinminer through fake video player plugin updates hosted on popular pirated-content sites. The delivered ZIP contains a legitimate EXE and a malicious DLL that sideloads a multi-stage payload (ROP loader → reflective PE). That payload deploys CPU/GPU miners, a watchdog, and a RAT with DGA-based C2 and AES/RSA-protected payloads, and implements robust persistence (service installation, Defender exclusions, UAC escalation). The campaign has been observed at scale across sites generating millions of monthly visits; IOCs and network addresses are provided.
