Technical Analysis: Advanced DLL Side-Loading and Miner-RAT Hybrid Campaigns via Pirated Streaming Sites
Cyber adversaries are increasingly weaponizing illegal streaming ecosystems to distribute sophisticated malware, leveraging social engineering tactics centered around deceptive video player updates. This campaign targets unsuspecting users by presenting a false sense of technical necessity to facilitate initial system compromise.
The infection vector is triggered when a user attempts to stream content on a compromised site. Instead of the requested video, the browser is met with a fraudulent prompt claiming the video player plugin is outdated. This lure directs users to download a ZIP archive containing a legitimate-looking executable, HLS Installer.874.exe, paired with a malicious Dynamic Link Library (DLL) file.
Upon execution, the malware employs a DLL side-loading technique. By placing the malicious DLL in the same directory as the trusted executable, the attacker forces the legitimate process to load the rogue library into its own memory space. This allows the malware to bypass many standard security heuristics by operating under the guise of a trusted application. The DLL is heavily obfuscated with junk code to frustrate static analysis, but it contains a critical vulnerability: a stack buffer overflow designed to execute a hidden payload.
To maintain stealth during the exploitation phase, the attackers utilize a Return-Oriented Programming (ROP) chain. This method allows them to bypass non-executable memory protections by stitching together existing code snippets (gadgets) to decrypt and launch the secondary stage. Notably, the shellcode is embedded within the modified DOS header of the executable, a clever way to hide malicious instructions in plain sight within a standard file structure.
According to a report by Securelist, investigations conducted in April 2026 revealed that this widespread campaign delivers a dual-threat payload: a cryptocurrency miner and a Remote Access Trojan (RAT).
The primary module is a highly customized hybrid of the SilentCryptoMiner project and advanced RAT capabilities. Before fully initializing, the malware performs a DNS-based validation check. To evade network-level detection, it uses low-level packet crafting to spoof a domain that mimics Microsoft’s infrastructure, making the outbound request appear as legitimate telemetry or update traffic.
Privilege Escalation and System Manipulation
The malware’s behavior scales based on the user’s permission level. If the process is running with administrative privileges, the malware actively sabotages the host’s defenses. It attempts to disable Windows Defender, terminates the Microsoft Malicious Software Removal Tool, and modifies system power configurations to ensure the hardware runs at maximum capacity for mining operations.

Figure 1: DNS query analysis showing spoofed Microsoft domain (Source: Securelist).
For persistence, the malware installs itself as a service named GoogleUpdateTaskMachineQC and hides its working files within the C:\ProgramData\Google\Chrome directory, masquerading as legitimate Google components. It utilizes a multi-process architecture to maintain control:
- RAT Component: Injected into
conhost.exefor remote command execution. - Watchdog Module: Resides within
explorer.exe, constantly monitoring for the presence of its own components. - Mining Module: Deploys either CPU or GPU-based miners depending on the host’s hardware profile.
The watchdog module is particularly resilient; it uses encrypted backups stored in memory to restore any deleted or quarantined components every five seconds. Furthermore, if the initial infection lacks administrative rights, the malware will aggressively trigger multiple User Account Control (UAC) prompts, essentially “spamming” the user until elevated access is granted.
Command and Control (C2) and Evolution
The RAT component facilitates remote interaction through a sophisticated Command and Control (C2) infrastructure. Rather than using static IP addresses, it utilizes dynamically generated domains. These domains are algorithmically derived using the current system date and specific hash values, making it extremely difficult for defenders to implement static domain blocking.
All communications between the infected host and the C2 server are encrypted using AES-CBC. This allows the attacker to send commands such as executing arbitrary code, downloading additional payloads, or running direct shellcode in memory without triggering signature-based network alerts.

Figure 2: Correlation between current and historical campaign infrastructure (Source: Securelist).
This operation represents an evolution of threat actor tactics observed as far back as 2022. While earlier iterations utilized domains like file.ipfs.us.69.mu, the current infrastructure has moved to new delivery domains such as urush1bar4.online. Despite the infrastructure shifts, the core infection methodology remains remarkably stable, indicating a well-funded and professionally maintained framework.
The sheer scale of this campaign is staggering. In April 2026, the target websites received over 40 million visits. Some individual platforms reported between 11,000 and 27.4 million monthly users, providing the attackers with a massive pool of potential victims across both digital libraries and streaming services.
Current detection signatures for this threat include HEUR: Trojan.Win64.DllHijack.gen and MEM:Trojan.Win32.SEPEH.gen. This ongoing threat serves as a stark reminder of the risks inherent in pirated content ecosystems, where social engineering remains the most effective key to unlocking a system’s defenses.