A multi-stage malware attack delivered via infected USB devices has been identified, raising concerns over the persistence of cryptomining threats in 2025.
Analysts from CyberProof’s Managed Detection and Response (MDR) team discovered that the campaign used DLL search order hijacking and PowerShell to bypass security controls before attempting to install a cryptominer.
The malware was linked to earlier Zephyr (XMRig) activity and was ultimately blocked during the final stage by endpoint detection and response (EDR) tools.
The attack begins with a Visual Basic script concealed on USB drives. Once executed, the script initiates a chain of processes, including xcopy.exe, to move files into the Windows System32 directory. These files then enable the side-loading of a malicious DLL designed to download the cryptominer.
CyberProof noted that the tactics closely resemble an international cryptocurrency mining scheme exposed by Azerbaijan’s CERT in October 2024, known as “Universal Mining.”
The security firm’s research traced the spread of the campaign through multiple intelligence sources and telemetry. Infections have been observed in the US, several European nations, Egypt, India, Kenya, Indonesia, Thailand, Vietnam, Malaysia and Australia.
The wide geographical footprint highlights how removable media continue to be a persistent vector for malware distribution across both developed and developing regions.
Read more on global cybercrime trends: Rethinking Resilience for the Age of AI-Driven Cybercrime
“The continued prevalence of cryptomining attacks originating from infected USB drives, even in mid-2025, serves as a powerful reminder of a fundamental security challenge,” CyberProof said.
To reduce exposure, the report advises organizations to:
-
Disable autorun and autoplay features on all systems
-
Implement device control policies to block unsigned executables from USBs
-
Harden endpoint security with EDR solutions capable of detecting obfuscated scripts
-
Protect key system processes such as lsass.exe from credential theft attempts
-
Enforce physical security measures, including restricting or locking USB ports
CyberProof concluded that organizations lacking strict USB policies remain vulnerable not only to cryptominer infections, but also to insider threats that can escalate into more damaging breaches.