VYPR
Research · Published May 28, 2026 · 1 source

Pirated streaming sites push SilentCryptoMiner via fake video player updates for years

A cybercrime gang has been distributing a cryptocurrency miner through fake video player plugin updates on pirated movie and TV show streaming sites since at least 2022, affecting sites with up to 27.4 million monthly visitors.

A long-running cybercrime campaign has been infecting users of pirated movie and TV show streaming sites with a cryptocurrency miner by tricking them into installing fake video player plugin updates. Researchers at Securelist, who detailed the operation in a report published May 28, 2026, say the threat actor has been active since at least 2022 and has continuously updated both the malware and its delivery infrastructure.

The infection chain begins when a user attempts to watch a video on a compromised site. The video player displays a message claiming the plugin version is outdated and prompts the user to install an update. Clicking the link downloads a ZIP archive containing a legitimate executable, HLS Installer.874.exe, alongside a malicious DLL. When the executable runs, the DLL is side-loaded into its process, injecting the miner and establishing persistence on the device.

The malware is a modified fork of the SilentCryptoMiner project, which has been used in other campaigns previously documented by Securelist. The current version, first observed in April 2025, has been distributed unmodified for over a year. The DLL is padded with junk data to inflate its size and impede analysis, but contains a single function that triggers a stack overflow to construct a ROP chain that decrypts the next stage. The decrypted payload reflectively loads the main module, which then communicates with command-and-control servers via DNS tunneling.
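The archive layout described above, a legitimate executable shipped beside a junk-padded DLL, can be triaged from ZIP metadata alone; this is an added example, not code from Securelist or the SilentCryptoMiner project. The size and compression-ratio thresholds and the DLL name `plugin.dll` are assumptions, as is the premise that the padding is repetitive enough to compress well.

```python
import io
import os
import zipfile
from pathlib import PurePosixPath

# Assumed triage thresholds (the report gives no sizes); tune for your environment.
MIN_DLL_BYTES = 20 * 1024 * 1024  # what counts as an "oversized" DLL
MIN_RATIO = 20.0                  # uncompressed/compressed; repetitive padding deflates well


def triage_zip(data: bytes) -> list:
    """Flag folders holding an EXE next to an oversized or padding-heavy DLL.

    Reads only the ZIP central directory; nothing is extracted or executed.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        folders = {}
        for info in zf.infolist():
            if not info.is_dir():
                parent = str(PurePosixPath(info.filename).parent)
                folders.setdefault(parent, []).append(info)
    for members in folders.values():
        exes = [m.filename for m in members if m.filename.lower().endswith(".exe")]
        for m in members:
            if not exes or not m.filename.lower().endswith(".dll"):
                continue
            ratio = m.file_size / max(m.compress_size, 1)
            reasons = []
            if m.file_size >= MIN_DLL_BYTES:
                reasons.append("oversized")
            if ratio >= MIN_RATIO:
                reasons.append("padding-like compression ratio")
            if reasons:
                findings.append({"exe": exes, "dll": m.filename,
                                 "dll_bytes": m.file_size, "reasons": reasons})
    return findings


def build_sample(dll_body: bytes) -> bytes:
    """Constructed test archive: stub EXE named as in the report plus a DLL (hypothetical name)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("HLS Installer.874.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("plugin.dll", dll_body)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample(b"\x00" * (25 * 1024 * 1024))))  # padded: flagged
    print(triage_zip(build_sample(os.urandom(4096))))              # small, dense: clean
```

ZIP header sizes are supplied by whoever built the archive, so a hit is a reason to inspect the file in a sandbox, and a miss is not a clean bill of health.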

As of late April 2026, the campaign was linked to two pirated video sites in the .ru and .top TLDs. The smallest of the affected digital libraries had 11,000 monthly users, while the largest reached 4.7 million. For pirated movie and TV show streaming sites, monthly traffic ranged from 2.1 million to 27.4 million. In April, total visits to infected sites reached 40 million, underscoring the massive potential scale of the miner's distribution.

The campaign is not limited to a single platform; the malicious archive is distributed through both online digital libraries and movie and TV show streaming sites. This broadens the potential range of victims and makes attribution more difficult. The threat actor has also updated its delivery infrastructure, moving from the domain file[.]ipfs[.]us[.]69[.]mu to a new domain, urush1bar4[.]online.

Securelist notes that the current incident is a continuation of a campaign involving pirated digital libraries previously described by another cybersecurity company. The delivery mechanism has remained virtually unchanged, with the archive structure preserved: a legitimate executable paired with a large malicious DLL. A blog post by NTT Security described a similar delivery method using a fake browser crash page that simultaneously downloaded an archive named chromium-patch-nightly.

The use of pirated content sites as a distribution vector for malware is a well-established tactic, but the longevity and scale of this campaign highlight the persistent risk to users who seek free access to copyrighted material. The miner consumes system resources to generate cryptocurrency for the attackers, degrading performance and potentially damaging hardware. Users are advised to avoid pirated streaming sites and to keep software updated only through official channels.

Synthesized by Vypr AI