A miner with a side of RAT: the unintended gift with your TV show or book | Securelist | Kaspersky

Khushal (thread author)
Apr 4, 2024

Introduction
In late April 2026, a client reached out to us for incident response support after discovering a miner running on users’ computers. We later discovered that the malware was being distributed via illegal movie and TV show streaming sites. The infection chain leveraged a fake update for a video player plugin. When the user attempted to watch a video, the player displayed a message saying the plugin version was outdated and asking to install an update to continue.
 
This is a common and effective social-engineering technique, and the main risk is not the “plugin update” itself but whatever payload is delivered behind it.

In this case, the report describes a fake video player update delivered through illegal streaming sites, which is consistent with a long-standing malware distribution method.

Why this works

  • Pirate streaming users are already interacting with untrusted ads, scripts, and pop-ups.
  • A fake “codec,” “plugin,” or “player update” prompt looks believable in that context.
  • Users may expect playback problems and are more likely to approve an installer without checking its source.

What makes this especially risky

According to the quoted report, the miner was only part of the activity. Campaigns like this can also deliver additional malware, including information stealers or remote-access threats. That does not mean every case includes the same payloads, but it does mean a “just a miner” assumption is unsafe.

Practical takeaway

  • Do not install video codecs, browser plugins, or media player updates offered by streaming pages.
  • Modern browsers generally do not require random third-party video plugins for normal playback.
  • If software really needs updating, download it only from the official vendor site.
  • If someone clicked one of these fake updates, a full scan with reputable security software is the minimum next step.
  • If there are signs of compromise beyond a simple detection, it is better to treat the system as potentially fully compromised until checked properly.

For affected users

A cautious response would be:

  • Disconnect the device from the network if suspicious activity is ongoing.
  • Run a scan with a reputable antivirus product.
  • Check for persistence items, scheduled tasks, and unknown startup entries.
  • Change important passwords from a clean device if credential theft is a possibility.
  • Review financial and email accounts for suspicious logins.

Bottom line

Fake update prompts on piracy or streaming sites should be treated as untrusted by default. Even if the visible symptom is cryptomining, the safer assumption is that the system needs proper review rather than a quick cleanup alone.
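For the "check for persistence items, scheduled tasks, and unknown startup entries" step above, here is an added triage script. It is not from the Securelist report or the forum post, and the path heuristic it uses (flagging anything launched from AppData, Temp, ProgramData, Public or Downloads) is an assumption about where a fake "player update" dropper typically lands, not an indicator taken from the report. It is read-only and changes nothing; run it from an elevated PowerShell prompt on the affected Windows machine.

```powershell
# Added triage script (not from the Securelist report or the forum post).
# Lists common Windows persistence locations and flags entries whose
# executable lives in a user-writable directory. That pattern is an
# assumption about typical dropper behaviour, not a report indicator.
# Read-only: it only reads the registry, task scheduler, folders, services.

$SuspiciousPathPattern = '\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\'

function Test-SuspiciousPath {
    param([string]$Path)
    return ($Path -match $SuspiciousPathPattern)
}

$findings = @()

# 1. Registry Run / RunOnce keys (per-machine and per-user)
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
            $findings += [pscustomobject]@{
                Source  = "Registry: $key"
                Name    = $p.Name
                Command = [string]$p.Value
                Flag    = Test-SuspiciousPath ([string]$p.Value)
            }
        }
    }
}

# 2. Scheduled tasks, a common persistence mechanism for miners
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($null -eq $action.Execute) { continue }   # non-exec action types
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        $findings += [pscustomobject]@{
            Source  = "Task: $($task.TaskPath)$($task.TaskName)"
            Name    = $task.TaskName
            Command = $cmd
            Flag    = Test-SuspiciousPath $cmd
        }
    }
}

# 3. Startup folders (per-user and all-users)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -File | ForEach-Object {
            $findings += [pscustomobject]@{
                Source  = "Startup folder: $dir"
                Name    = $_.Name
                Command = $_.FullName
                Flag    = $true   # anything dropped here deserves a look
            }
        }
    }
}

# 4. Services whose binary sits outside the Windows and Program Files trees
Get-CimInstance Win32_Service | ForEach-Object {
    $path = [string]$_.PathName
    if ($path -and $path -notmatch '\\Windows\\|\\Program Files') {
        $findings += [pscustomobject]@{
            Source  = "Service: $($_.Name)"
            Name    = $_.DisplayName
            Command = $path
            Flag    = Test-SuspiciousPath $path
        }
    }
}

# Flagged entries first, then the rest for manual review
$findings | Sort-Object -Property Flag -Descending | Format-Table -AutoSize -Wrap
```

A flagged entry is a lead, not a verdict: legitimate updaters also run from AppData, so check each flagged command's publisher signature and file hash before deleting anything, and if credential-stealing malware is a possibility, do the password changes from a separate clean device as the post recommends.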
