StaryDobry

LOADER, 1 mutex signature

[BASIC_INFORMATION]

FAMILY_NAME:
StaryDobry
CATEGORY:
LOADER
DESCRIPTION:
StaryDobry is a sophisticated multi-stage loader malware that spreads through trojanized game installers on torrent sites. It uses a complex infection chain involving DLL side-loading, AES encryption, and process injection to deploy XMRig cryptocurrency miners. The malware targets gaming computers with sufficient processing power for continuous mining operations and employs DNS over HTTPS (DoH) to hide C&C communications.
ALIASES:
Stary Dobry
TAGS:
loader, cryptominer, dll_side_loading, torrent_spread, process_injection, aes_encryption

[MUTEX_SIGNATURES](1)

[MUTEX_01]
com_curruser_mttx
ANALYST: @adhikara13 DATE: 2025-07-30

[THREAT_INTELLIGENCE]

ATTRIBUTION:
Unknown
FIRST_OBSERVED:
2024-09

[SIGMA_RULE]

[STATISTICS]

MUTEX_COUNT:1
THREAT_ACTORS:1
ALIASES:1
TAGS:6
CATEGORY:LOADER

EvilMutex Project v1.0.0

Open Source Threat Intelligence Database