Hackers Use Fake Video Player Updates to Deploy Miner and RAT Malware
Cybersecurity NewsArchived May 29, 2026✓ Full text saved
Hackers are using a clever trick to get people to install dangerous malware, and most victims have no idea it is happening. By visiting pirated movie and TV show streaming sites, users are met with a fake alert claiming their video player plugin is out of date. One click on that fake update button kicks […] The post Hackers Use Fake Video Player Updates to Deploy Miner and RAT Malware appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Hackers Use Fake Video Player Updates to Deploy Miner and RAT Malware
By Tushar Subhra Dutta
May 29, 2026
Hackers are using a clever trick to get people to install dangerous malware, and most victims have no idea it is happening. By visiting pirated movie and TV show streaming sites, users are met with a fake alert claiming their video player plugin is out of date.
One click on that fake update button kicks off an infection that quietly mines cryptocurrency while handing attackers full control of the machine.
The campaign came to light in late April 2026, when a client reached out for help after discovering a cryptocurrency miner running silently on employee computers.
Investigators traced the source back to illegal streaming platforms, where a fake plugin update prompt tricked users into downloading a malicious ZIP archive.
The archive appeared harmless, containing what looked like a standard installer alongside a hidden malicious library. Analysts at Securelist said in a report shared with Cyber Security News (CSN) that this is not a new operation.
Evidence suggests the same threat actor has been running similar campaigns since at least 2022, steadily updating the delivery method while keeping the core deception intact.
The scale of the problem is significant. The pirated websites tied to this campaign drew a combined total of 40 million visits in April 2026 alone.
The largest streaming platform pulled between 2.1 million and 27.4 million monthly visitors, while even the smallest digital library attracted around 11,000 regular users each month.
A legitimate executable and a large malicious DLL (Source – Securelist)
This campaign has also expanded beyond streaming sites into online book and movie libraries, showing the attackers are casting a wide net.
Millions of people visit these platforms every month, giving this malware an enormous reach, with users of pirated content remaining the primary targets.
Hackers Use Fake Video Player Updates
When a user visits one of the compromised sites and tries to play a video, a message appears claiming the plugin is outdated and must be updated to continue.
Clicking that prompt downloads a ZIP archive containing a legitimate-looking file called HLS Installer.874.exe alongside a large malicious DLL.
Once the executable runs, the malicious DLL is side-loaded into a legitimate system process, letting it hide under the cover of trusted software.
The library is padded with junk code to slow down analysis, but inside is a function that deliberately triggers a stack overflow to build a chain of instructions that decrypts and loads the real payload into memory.
Module’s operational stages (Source – Securelist)
The malware then transmits the victim’s system details to the attacker’s server using DNS tunneling, disguising the traffic as normal activity by mimicking Microsoft domain names.
Only after receiving a specific approval signal from the server does the malware proceed, showing that attackers carefully filter targets to avoid tripping security test environments.
A Miner, a RAT, and a Persistent Watchdog
The core payload is a modified version of an open-source cryptocurrency miner called SilentCryptoMiner. Once active, it silently uses the victim’s CPU and GPU to mine cryptocurrency without the user noticing.
A separate RAT module also runs in the background, giving attackers remote access to execute commands, run files, and push additional malware at any time.
To stay on the device, the malware registers itself as a fake Google service named GoogleUpdateTaskMachineQC, which launches automatically at every system startup.
A watchdog component running inside Windows Explorer checks every five seconds to confirm the miner is active, restoring it from an encrypted backup if anything is removed.
Security teams must terminate this watchdog inside explorer.exe before any cleanup attempt, or the miner will simply reinstall itself.
Users are advised to avoid pirated streaming and content sites, which remain the main delivery channels for this threat. Teams should watch for unusual DNS traffic, services disguised as Google updaters, and code injecting into explorer.exe or conhost.exe.
Monitoring for unexpected files in C:\ProgramData\Google\Chrome and keeping endpoint protection current are key steps for detecting this infection early.
Indicators of Compromise (IoCs):-
Type Indicator Description
URL urush1bar4[.]online Malicious archive download URL
File Hash (SHA1) 6A0FE6065D76715FEEBC1526D456DB737F624407 Malicious DLL library
File Hash (SHA256) AE489324E96A708A09C17E6F02A43B3423367B9DDDC24CC7DFC070DF Malicious DLL library
Domain 5d14vnfb[.]space RAT C2 server (April–July 2025)
Domain r7mvjl67[.]space RAT C2 server (August–November 2025)
Domain zgj1tam9[.]space RAT C2 server (December 2025)
Domain jeaw520i[.]space RAT C2 server (January–March 2026)
Domain qdmagva5[.]space RAT C2 server (April–July 2026)
IP Address 107[.]172[.]212[.]235 Miner configuration retrieval server
Domain m4yuri[.]online UnamWebPanel control panel address
Domain kristina[.]quest UnamWebPanel control panel address
File Name HLS Installer.874.exe Legitimate executable used for DLL side-loading
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
Hackers Use LLM Agent to Move From Marimo RCE to Internal Database in Four Pivots
Developer-Targeting Glassworm Malware Abuses npm, PyPI, OpenVSX, and GitHub
How Tier 1 Can Process Alerts 3x Faster with Threat Intelligence
PyrsistenceSniper – Tool that Detects 117 Persistence Malware Techniques on Windows, Linux, and macOS
Legitimate-Looking Codex Remote UI Steals OpenAI Codex Authentication Tokens
Latest News
Cyber Security
New ChatGPT Vulnerability Lets Attackers Turn Web Pages Into Phishing Payloads
Cyber Security News
Hackers Use Fake Adobe Document Cloud Pages to Deliver ScreenConnect Malware
Cyber Security News
Legitimate-Looking Codex Remote UI Steals OpenAI Codex Authentication Tokens
Cyber Security News
Oracle Critical Security Update – Patch for 35 New Vulnerabilities Across Products
Cyber Security News
MicrosoftSystem64 Malware Uses HuggingFace Datasets for Stealthy Data Exfiltration