The Microsoft Defender ATP research team shares insights on a new cryptocurrency-stealing malware variant that has infected close to 80,000 computers.

On Nov. 26, Microsoft security analysts revealed that the malware, called Dexphot, had already infected close to 80,000 devices since October 2018, reaching its peak in the month of June of this year.

The malicious code reportedly hijacks legitimate system processes to disguise its nefarious activity, with the ultimate goal of running a cryptocurrency miner on the infected device. When infected users attempt to remove the malware, monitoring services and scheduled tasks will trigger re-infection. The report reads:

“Dexphot is not the type of attack that generates mainstream media attention; it’s one of the countless malware campaigns that are active at any given time. Its goal is a very common one in cybercriminal circles — to install a coin miner that silently steals computer resources and generates revenue for the attackers.”

The Dexphot malware is similar in many ways to the recently discovered malicious code in WAV audio files. This type of malware campaign allows hackers to deploy CPU miners onto the victim’s device, stealing processing resources and generating thousands of dollars a month from mining cryptocurrency.

These kinds of malware payloads are increasingly popular among hackers as they provide financial benefit while operating in the background without the user’s knowledge — an attack commonly called cryptojacking.

Malware steals Bitcoin from darknet users

In October, major antivirus software supplier ESET discovered a trojanized Tor Browser designed to steal Bitcoin (BTC) from buyers on the darknet. The fake Tor Browser was targeting users in Russia, where since 2017 it has been stealing cryptocurrencies from darknet shoppers by swapping their entered crypto addresses.