Cybersecurity firm Trend Micro has detected a major uptick in monero (XMR) cryptojacking malware targeting China-based systems this spring. The news was revealed in an official Trend Micro announcement on June 5.

As previously reported, cryptojacking is an industry term for stealth crypto mining attacks that work by installing malware that uses a computer’s processing power to mine for cryptocurrencies without the owner’s consent or knowledge.

The XMR-focused malware — which wields malicious PowerShell scripts for illicit mining activities on Microsoft-based systems — reportedly surged against Chinese targets in mid-May. Hitting a peak on May 22, the wave of cryptojacking attacks has since ostensibly steadied, according to Trend Micro. China accounted for 92% of the firm’s detections of the new strain.

In an analysis of the attacks, the cybersecurity firm identified that this latest campaign resembles a previous wave of activities that used an obfuscated PowerShell script (dubbed “PCASTLE”) to deliver XMR-mining malware. The earlier campaign, by contrast, targeted a host of different countries — notably Japan, Australia, Taiwan, Vietnam, Hong Kong and India.

Trend Micro’s report describes in detail how the malware’s infection chain functions, and notes that while the campaign is focused on one geographic area, it seems to be indiscriminate in terms of industry. Trend Micro also notes that alongside their cross-industry target field, the attackers’:

“Use of XMRig as their payload’s miner module is [...] not surprising. Algorithms for Monero mining are not as resource-intensive compared to other miners, and don’t require a lot of processing power. This means they can illicitly mine the cryptocurrency without alerting users unless they notice certain red flags like performance issues.”

In its conclusion, Trend Micro notes that even while the motivations behind the attackers’ focus on China remain unclear, the campaign demonstrates that fileless malware techniques represent a persistent threat — one of the most prevalent in the current landscape, according to the firm.

As reported earlier this month, Trend Micro also detected a malware dubbed BlackSquid that infects web servers by employing eight different security exploits and installs XMRig monero Central Processing Unit-based mining software.