Security researchers have identified a sophisticated resurgence of XMRig cryptomining malware following a two-year hiatus, with threat actors leveraging a multi-staged attack that systematically disables Windows Update services to maintain persistent access to infected systems.
The campaign, analyzed by Sean Cartagena, Josemaria Grana, and Andrew Go, demonstrates how cybercriminals adapt their tactics to capitalize on cryptocurrency market fluctuations while employing advanced evasion techniques.
Market-Driven Malware Resurgence
The timing of this XMRig campaign appears directly correlated with Monero’s impressive market performance in early 2025.
The cryptocurrency experienced a substantial 45% gain, climbing from $196 to $285 between January and May, with a notable spike in April coinciding with an increase in malware activity.
This surge was further amplified by a high-profile Bitcoin theft that was subsequently converted to Monero, reportedly orchestrated by a single individual in the United States.
The malware’s deployment strategy reflects the criminal maxim that “criminals go where the money flows,” with threat actors timing their operations to maximize potential returns from their cryptomining activities.

Additionally, significant optimization updates released for the legitimate XMRig tool in April may have encouraged both legitimate users and malicious actors to take advantage of its improved performance.
Advanced Multi-Stage Attack Methodology
Unlike previous versions that primarily targeted Russia, Azerbaijan, and Uzbekistan, the current iteration demonstrates expanded geographical reach, now including Belgium, Greece, and China.
The attack begins with an unknown initial vector, leading to the execution of a Windows batch file named “1.cmd” through svchost.exe.
The malware employs Living Off the Land Binaries and Scripts (LOLBAS) techniques, leveraging pre-installed Windows tools, such as PowerShell, for payload delivery and execution.
Notably, the scripts contain plain text code with straightforward comments, suggesting potential creation by large language models or script kiddies, yet they prove remarkably effective with minimal antivirus detection.
Systematic Persistence Through Service Disruption
The malware’s most concerning feature is its systematic approach to maintaining persistence by disabling critical Windows Update services.
Stage 2 of the attack (S2.bat) specifically targets and stops multiple update-related services, including Wuauserv (Windows Update Service), BITS (Background Intelligent Transfer Service), UsoSvc (Update Orchestrator Service), DoSvc (Delivery Optimization Service), WaaSMedicSvc (Windows Update Medic Service), and TrustedInstaller.
The malware creates scheduled tasks with the highest privileges, establishes registry entries for persistence, and excludes the C:\ drive from Windows Defender scanning using PowerShell’s Add-MpPreference command.
Upon successful deployment, the XMRig miner creates copies of itself in the %AppData% directory and installs the legitimate WinRing0 kernel driver, which gives the miner low-level hardware access.
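As an added example that is not part of the original analysis, the following PowerShell audit checks a host for the persistence indicators described above: the six update-related services in a disabled or stopped state, a Windows Defender exclusion that covers an entire drive, highest-privilege scheduled tasks that launch batch files or binaries from a user profile, and the presence of the WinRing0 driver. It assumes an elevated Windows 10/11 session; the AppData/batch-file task heuristic and the severity labels are the example's own, not from the article.

```powershell
# Added example, not from the article: audit a host for the persistence
# indicators described above. Assumes an elevated Windows 10/11 PowerShell session.
function Invoke-XMRigPersistenceAudit {
    $findings = @()

    # 1. Update-related services named in the article. Several are Manual-start and
    #    idle when healthy, so StartType 'Disabled' is the strong signal; a merely
    #    stopped service is reported as informational.
    $updateServices = 'wuauserv','BITS','UsoSvc','DoSvc','WaaSMedicSvc','TrustedInstaller'
    foreach ($name in $updateServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }
        if ($svc.StartType -eq 'Disabled') {
            $findings += "HIGH: service $name is disabled"
        } elseif ($svc.Status -ne 'Running') {
            $findings += "INFO: service $name is $($svc.Status) (StartType $($svc.StartType))"
        }
    }

    # 2. Defender exclusion that covers an entire drive root (e.g. C:\)
    $prefs = Get-MpPreference -ErrorAction SilentlyContinue
    foreach ($path in @($prefs.ExclusionPath)) {
        if ($path -match '^[A-Za-z]:\\?$') {
            $findings += "HIGH: Defender exclusion covers a whole drive: $path"
        }
    }

    # 3. Highest-privilege scheduled tasks whose action is a batch file or lives
    #    under a user profile (heuristic assumed here, not stated in the article)
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.Principal.RunLevel -eq 'Highest' } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                $cmd = "$($action.Execute) $($action.Arguments)"
                if ($cmd -match '\\AppData\\|\.(cmd|bat)(\s|$)') {
                    $findings += "MEDIUM: task '$($task.TaskPath)$($task.TaskName)' runs: $cmd"
                }
            }
        }

    # 4. WinRing0 kernel driver, which the miner installs for hardware access
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like '*WinRing0*' -or $_.PathName -like '*WinRing0*' } |
        ForEach-Object { $findings += "HIGH: driver $($_.Name) is $($_.State) at $($_.PathName)" }

    return $findings
}

Invoke-XMRigPersistenceAudit | ForEach-Object { Write-Output $_ }
```

An empty result means none of the article's indicators were found; a HIGH finding on the services or the Defender exclusion is worth correlating with recent scheduled-task creation and new files under %AppData%.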
This sophisticated approach demonstrates how modern malware combines market awareness with technical sophistication to create persistent, profitable attacks.