Cybersecurity experts at ESET published an in-depth study about a new malware named “KryptoCibule.” This exploit specifically targets Windows users with three methods of attack, including by installing a crypto mining app, directly stealing crypto wallet files, and replacing copy/pasted wallet addresses as a means to hijack individual transactions.

According to the cybersecurity firm, KryptoCibule’s developers rely on the Tor network and BitTorrent protocol to coordinate the attacks.

The malware’s original incarnation first appeared in December 2018. At that time, it was merely a Monero mining utility that quietly harvested user’s system resources to generate the currency. By February 2019, KryptoCibule had evolved to include ways to exfiltrate crypto wallet files from victim machines. Since then, the malware has added a third dimension to its attack base with the inclusion of kawpowminer — an application that mines Ethereum (ETH).

ESET telemetry revealed that victims have been actively downloading infected torrent files which contain KryptoCibule via a file-sharing site named Uloz. Most appear to be located in the Czech Republic and Slovakia.

The researchers noted that, despite its age, the malware “doesn’t seem to have attracted much attention until now”:

“Presumably the malware operators were able to earn more money by stealing wallets and mining cryptocurrencies than what we found in the wallets used by the clipboard hijacking component. The revenue generated by that component alone does not seem enough to justify the development effort observed.”

Cybersecurity firm Symantec noted in August that Blockchain assets began surging in price following the March crash, claiming that this triggered a new wave of cryptojacking attacks.