New Malware Uses Windows Character Map for Cryptomining

Darktrace reports new malware hijacking Windows Character Map for cryptomining, exposing risks of hidden attacks in everyday software processes.
Cybersecurity artificial intelligence firm Darktrace has shared details of a sophisticated campaign that hijacks everyday Windows software to secretly mine cryptocurrency. The research was led by Cyber Analyst Keanna Grelicha and Threat Research Lead Tara Gould, and shared with Hackread.com.
This type of attack is called cryptojacking, in which a device’s processing power is utilised to mine cryptocurrency for the attackers, leading to bigger electricity bills and slower performance for the victim.
According to Darktrace’s blog post, on July 22, 2025, its security team detected and stopped an attempted cryptojacking incident on the network of a customer in the retail and e-commerce industry.
The initial threat was flagged because the device was using a new PowerShell user agent, which is a highly unusual indicator that something unexpected was happening on the network. The attack was unique and marks the first known time a specific tool, an “obfuscated AutoIt loader,” was used to deliver the malicious software known as NBMiner.

Further probing revealed that the attackers used complex scripts to download and run the NBMiner malware directly in the computer’s memory. This initial script was disguised with multiple layers of code to make it difficult to read and analyse.
The malware then injected itself into a harmless, trusted Windows process, specifically the Character Map application (charmap.exe). To avoid detection, the program was designed with several evasion measures, including checking if programs like Task Manager were open and verifying if Windows Defender was the only security software installed.
Once active, the cryptominer attempted to connect to a cryptomining pool named gulf.moneroocean.stream to begin its operations. By doing this, it could quietly escalate its privileges and stay hidden. This method makes it significantly harder to spot, as it avoids the usual red flags that security systems are trained to look for.
For your information, Windows Character Map is a built-in Windows application that allows users to view and insert special characters, symbols, and foreign language characters not found on a standard keyboard.
Unfortunately, cryptojacking remains a major threat because it can be scaled to infect many devices at once. While some may consider these attacks a minor issue, they can actually lead to data privacy problems and significant energy costs from the misuse of computing power.
In this specific case, Darktrace’s automated response system was able to quickly contain the threat by preventing the infected device from connecting to the attacker’s servers, stopping the attack in its earliest stages. This highlights the importance of having advanced security measures in place that go beyond simple detection to actively block threats.
Jason Soroko, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), commented on the latest development, insisting that organisations should “treat modern cryptojacking as an intrusion signal, not a harmless nuisance.”
He points out that these attacks can serve as cover for a broader campaign aimed at harvesting credentials and scouting the network. According to Soroko, the time it takes to detect a threat is driven by visibility into how scripts, processes, and network connections behave, not by a list of known issues alone.
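The behavioural signals in this report (a PowerShell user agent not seen before on a device, network activity from charmap.exe, and a connection to gulf.moneroocean.stream) can be correlated per host rather than matched one at a time. The sketch below is an added example, not Darktrace's detection logic; the event schema, host names, `.invalid` destinations and sample records are constructed for illustration.

```python
from collections import defaultdict

POOL_DOMAINS = {"gulf.moneroocean.stream"}   # pool named in the report
NO_NETWORK_PROCESSES = {"charmap.exe"}       # assumption: Character Map needs no network access

# Constructed sample data (hypothetical schema: host, process, dest, user_agent).
PS_UA = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"
BASELINE = {"admin-02": {PS_UA}}             # user agents already seen per host
EVENTS = [
    {"host": "pos-07", "process": "chrome.exe", "dest": "example.com",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"host": "pos-07", "process": "powershell.exe", "dest": "files.example.invalid",
     "user_agent": PS_UA},
    {"host": "pos-07", "process": "powershell.exe", "dest": "files.example.invalid",
     "user_agent": PS_UA},
    {"host": "pos-07", "process": "charmap.exe", "dest": "gulf.moneroocean.stream"},
    {"host": "admin-02", "process": "powershell.exe", "dest": "updates.example.invalid",
     "user_agent": PS_UA},
]

def domain_matches(dest, domains):
    """True if dest is one of the domains or a subdomain of one (case-insensitive)."""
    dest = dest.lower().rstrip(".")
    return any(dest == d or dest.endswith("." + d) for d in domains)

def detect(events, baseline_agents):
    """Return (host, signal) findings in event order."""
    seen = defaultdict(set, {h: set(a) for h, a in baseline_agents.items()})
    findings = []
    for e in events:
        host, ua = e["host"], e.get("user_agent")
        if ua:
            # Behavioural signal: first PowerShell user agent for this host.
            if "powershell" in ua.lower() and ua not in seen[host]:
                findings.append((host, "new_powershell_user_agent"))
            seen[host].add(ua)
        if e["process"].lower() in NO_NETWORK_PROCESSES:
            findings.append((host, "unexpected_network_process"))
        if domain_matches(e["dest"], POOL_DOMAINS):
            findings.append((host, "mining_pool_connection"))
    return findings

def escalate(findings, threshold=2):
    """Hosts showing at least `threshold` distinct signals warrant intrusion triage."""
    by_host = defaultdict(set)
    for host, signal in findings:
        by_host[host].add(signal)
    return sorted(h for h, s in by_host.items() if len(s) >= threshold)
```

Only the first two signals are behavioural; the pool domain is a known indicator and will miss a campaign that switches pools, which is why the host is escalated on the combination.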