Hidden cryptocurrency mining and theft campaign affected over 28,000 users
ID: 691083fa-4ece-586a-b1d7-c8e5c612f4fd
STIX ID: report--691083fa-4ece-586a-b1d7-c8e5c612f4fd
Feed Name: Dr.Web News
**Executive summary:** Doctor Web identified a large-scale malware campaign that distributes AutoIt-based trojans disguised as legitimate installers and system components. The payloads, a stealthy cryptominer and a clipboard clipper that swaps cryptocurrency wallet addresses, arrive inside password-protected self-extracting archives distributed via links posted on GitHub and YouTube. The malware persists through Image File Execution Options (IFEO) registry entries, runs its payloads via process hollowing, carries embedded scripts inside legitimately signed DLLs, and uses Ncat for network access. More than 28,000 victims were affected, primarily in Russia.
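The IFEO persistence mentioned above abuses a legitimate debugging feature: a `Debugger` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image>.exe` causes Windows to launch that program instead of (and with a handle to) the named image, and the related `SilentProcessExit` key can launch a `MonitorProcess` when the image exits. The following audit script is an added example written for this page, not code from the Dr.Web report; the page does not name which executables this campaign hooked, so the script simply enumerates every image with such a value so that an analyst can compare it against a known-good baseline.

```powershell
# Added example (not from the Dr.Web report): list IFEO and SilentProcessExit
# entries that redirect or monitor process execution. Any entry on a host that
# has no debugger or telemetry tooling installed deserves a closer look.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$spe  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'

$findings = @()

# 1. Classic IFEO hijack: Debugger value launches an arbitrary program in place
#    of the image. GlobalFlag 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT) enables
#    the SilentProcessExit mechanism for the same image.
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($null -ne $props.Debugger) {
        $findings += [pscustomobject]@{
            Mechanism = 'IFEO Debugger'
            Image     = $_.PSChildName
            Launches  = $props.Debugger
        }
    }
    if ($null -ne $props.GlobalFlag -and ($props.GlobalFlag -band 0x200)) {
        $findings += [pscustomobject]@{
            Mechanism = 'IFEO GlobalFlag 0x200'
            Image     = $_.PSChildName
            Launches  = '(SilentProcessExit enabled, see below)'
        }
    }
}

# 2. SilentProcessExit: MonitorProcess is launched when the image exits.
Get-ChildItem -Path $spe -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($null -ne $props.MonitorProcess) {
        $findings += [pscustomobject]@{
            Mechanism = 'SilentProcessExit MonitorProcess'
            Image     = $_.PSChildName
            Launches  = $props.MonitorProcess
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No IFEO Debugger or SilentProcessExit MonitorProcess entries found.'
} else {
    $findings | Sort-Object Image | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session, since the keys live under HKLM. A `Launches` path pointing into a user-writable directory, or a signed system binary being redirected to a different executable, is the pattern to escalate; legitimate entries (for example from installed debuggers or endpoint agents) should be recognisable from the baseline of a clean machine.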
