Cybersecurity firm SOC Prime has issued a fresh alert about a USB-driven malware campaign built around DIRTYBULK, warning that the threat is being used to run illicit cryptocurrency-mining operations and poses a serious risk to enterprises that rely on removable media.
According to the report, the attack begins when a user inserts an infected USB device and opens a malicious shortcut file. That triggers a multi-stage infection chain: first a malicious DLL named printui.dll is side-loaded from a look-alike "System32" folder rather than the genuine Windows directory; a dropper called CUTFAIL then runs, followed by the downloader HIGHREPS and the backdoor PUMPBENCH. PUMPBENCH connects to a remote server to fetch additional payloads before deploying open-source crypto-mining software (typically XMRig) on the victim's system.
Researchers documented a number of worrying tactics used by the campaign. The malware adds Windows Defender exclusions to avoid detection, and maintains persistence through scheduled tasks with random names and rogue services. It is also capable of side-loading authentic-looking system DLLs, abusing standard Windows service groups, and evading typical antivirus protections.
To defend against DIRTYBULK and associated threats, SOC Prime recommends that organisations block execution of shortcut (.lnk) files from USB drives, monitor for printui.dll being loaded from anywhere other than its genuine location, and flag newly created scheduled tasks or services whose names are random six-digit numbers. They also advise enforcing network controls to block known malicious command-and-control domains and the DoH (DNS-over-HTTPS) resolvers commonly used in these campaigns.
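The detections the alert recommends can be sketched as hunting rules over endpoint telemetry. The following is an added example written for this page, not code from SOC Prime or from the alert itself: it runs four rules (printui.dll loaded from outside its genuine directory, six-digit scheduled task and service names, Defender exclusions added on the command line, and DoH resolver lookups from non-browser processes) over constructed Sysmon-style event records. The set of legitimate printui.dll directories, the DoH resolver list, the printui.exe loader, the browser allowlist and all sample paths and names are assumptions; the alert does not say which resolvers the campaign uses.

```python
import re

# The alert says to flag scheduled tasks and services with random six-digit names.
SIX_DIGIT_NAME = re.compile(r"^\d{6}$")

# Directories where the genuine printui.dll lives; anything else is a side-load candidate.
# Assumption for this example: only these two locations are treated as legitimate.
LEGIT_PRINTUI_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed denylist of public DoH resolver hostnames. The alert does not name which
# resolvers the campaign uses, so these entries are illustrative assumptions only.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Processes allowed to talk to DoH resolvers (assumed allowlist for the example).
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe")

TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)"?', re.IGNORECASE)
DEFENDER_EXCLUSION = re.compile(
    r"(Add|Set)-MpPreference\s+-Exclusion(Path|Process|Extension)", re.IGNORECASE)


def check_image_load(ev):
    """Sysmon Event ID 7: printui.dll loaded from anywhere except its real directory."""
    loaded = ev.get("ImageLoaded", "")
    if not loaded.lower().endswith(r"\printui.dll"):
        return None
    directory = loaded.lower().rsplit("\\", 1)[0]
    if directory in LEGIT_PRINTUI_DIRS:
        return None
    return f"printui.dll side-load candidate: {loaded} loaded by {ev.get('Image')}"


def check_process_create(ev):
    """Sysmon Event ID 1: schtasks creating a six-digit task, or Defender exclusion tampering."""
    cmd = ev.get("CommandLine", "")
    low = cmd.lower()
    if "schtasks" in low and "/create" in low:
        m = TASK_NAME.search(cmd)
        if m and SIX_DIGIT_NAME.match(m.group(1)):
            return f"six-digit scheduled task created: {m.group(1)}"
    if DEFENDER_EXCLUSION.search(cmd):
        return f"Defender exclusion added via command line: {cmd}"
    return None


def check_service_install(ev):
    """System log Event ID 7045: new service whose name is six random digits."""
    name = ev.get("ServiceName", "")
    if SIX_DIGIT_NAME.match(name):
        return f"six-digit service installed: {name} -> {ev.get('ImagePath')}"
    return None


def check_dns_query(ev):
    """Sysmon Event ID 22: lookup of a DoH resolver by a process that is not a browser."""
    qname = ev.get("QueryName", "").lower()
    image = ev.get("Image", "").lower()
    if qname in DOH_RESOLVERS and not image.endswith(BROWSERS):
        return f"DoH resolver {qname} contacted by {ev.get('Image')}"
    return None


RULES = {7: check_image_load, 1: check_process_create,
         7045: check_service_install, 22: check_dns_query}


def hunt(events):
    """Run each event through the rule registered for its EventID and collect findings."""
    findings = []
    for ev in events:
        rule = RULES.get(ev.get("EventID"))
        hit = rule(ev) if rule else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry (not real logs). Field names follow Sysmon / System log
# conventions; the paths, task and service names and the loader binary are invented.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\System32\printui.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\System32\printui.dll"},  # hit
    {"EventID": 7, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\printui.dll"},  # benign
    {"EventID": 1, "CommandLine": r'schtasks /create /tn 583104 /tr "C:\ProgramData\583104\svc.exe" /sc minute /mo 5'},  # hit
    {"EventID": 1, "CommandLine": r'schtasks /create /tn "Adobe Acrobat Update Task" /tr "C:\Program Files\Adobe\upd.exe" /sc daily'},  # benign
    {"EventID": 1, "CommandLine": r'powershell.exe -c "Add-MpPreference -ExclusionPath C:\ProgramData\583104"'},  # hit
    {"EventID": 7045, "ServiceName": "729461", "ImagePath": r"C:\ProgramData\729461\svc.exe"},  # hit
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},  # benign
    {"EventID": 22, "Image": r"C:\ProgramData\583104\svc.exe", "QueryName": "dns.google"},  # hit
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "dns.google"},  # benign
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed events the rules produce five findings and ignore the four benign records. In production the same logic would sit in a SIEM or EDR query rather than a script, and the allowlists (legitimate printui.dll directories, browsers permitted to use DoH) would need tuning to the environment; the six-digit-name rule in particular should be paired with the process creation context so that a legitimately named task does not become a false positive.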