When you write cryptocurrency-mining malware, you need to infect a large number of computers to get results. What do you name the executable file so that a lot of people click without thinking twice? The title of the biggest box-office movie of the last few years seems like a safe bet.

The cybersecurity firm ReasonLabs has found Monero-mining malware in a torrent file from a Russian website. The torrent impersonates the movie Spider-Man: No Way Home, but it contains a program that mines the cryptocurrency in the background, adding exceptions in Windows Defender and generating persistence with various processes.

The program analyzed by ReasonLabs is called spiderman_net_putidomoi.torrent.exe (a transliteration from Russian that translates to spiderman_no_wayhome.torrent.exe). Although an advanced user would have noticed that it is an executable file and not a video file, a less experienced user could have opened it, eager to see the Marvel movie.

Once opened, the program tries to go unnoticed by creating files and processes with apparently legitimate names. The program has the ability to start a process and inject its integrated resources into another process. It claims to be from Google and creates executables with names like sihost64.exe, injecting them into svchost.exe.

It’s actually a version of a cryptocurrency mining program called SilentXMRMiner, the source code of which can be downloaded for free from GitHub. Its creators even offer a graphical interface to configure it. The attacker only had to adapt the program with his Monero information and distribute it.

Since the malware adds general exceptions to Microsoft Defender (ignoring all folders under the user’s profile and all files with .exe and .dll extensions), many victims will not be aware that their computer is mining cryptocurrency in the background for the attacker.
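One way to audit a machine for Defender exclusions as broad as the ones described above. This is an added example, not code from ReasonLabs or from the malware; the helper name Test-BroadDefenderExclusion, the `C:\Users` root and the sample values are assumptions made for illustration.

```powershell
# Added example: report Defender exclusions broad enough to hide a miner.
# Test-BroadDefenderExclusion is a hypothetical helper, not a built-in cmdlet.
function Test-BroadDefenderExclusion {
    param(
        [string[]]$ExclusionPath,
        [string[]]$ExclusionExtension,
        [string]$UsersRoot = (Join-Path $env:SystemDrive 'Users')
    )
    # Extensions the article says were excluded wholesale.
    $riskyExtensions = 'exe', 'dll'
    foreach ($ext in $ExclusionExtension) {
        if ([string]::IsNullOrWhiteSpace($ext)) { continue }
        # Normalise ".exe", "*.exe" and "EXE" to "exe" before comparing.
        $clean = $ext.Trim().TrimStart('*', '.').ToLowerInvariant()
        if ($riskyExtensions -contains $clean) {
            [pscustomobject]@{ Kind = 'Extension'; Value = $ext
                Reason = 'All files of an executable type skip scanning' }
        }
    }
    foreach ($path in $ExclusionPath) {
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        $p = [Environment]::ExpandEnvironmentVariables($path).TrimEnd('\')
        $parent = [System.IO.Path]::GetDirectoryName($p)
        $reason = $null
        if ($p -match '^[A-Za-z]:$')    { $reason = 'Whole drive excluded' }
        elseif ($p -eq $UsersRoot)      { $reason = 'All user profiles excluded' }
        elseif ($parent -eq $UsersRoot) { $reason = 'Entire user profile excluded' }
        if ($reason) {
            [pscustomobject]@{ Kind = 'Path'; Value = $path; Reason = $reason }
        }
    }
}

# Constructed sample mirroring the exclusions the article describes.
Test-BroadDefenderExclusion -UsersRoot 'C:\Users' `
    -ExclusionPath 'C:\Users\alice' -ExclusionExtension '.exe', 'dll'

# Live check. Run elevated: Get-MpPreference hides exclusions from non-admins.
$pref = Get-MpPreference
Test-BroadDefenderExclusion -ExclusionPath $pref.ExclusionPath `
    -ExclusionExtension $pref.ExclusionExtension
```

Any row returned by the live check is worth tracing back to whoever or whatever created the exclusion before it is removed.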

In this case, knowing the file extensions would have been enough to suspect the torrent. A video file usually ends in .mp4 or .mkv, not .exe. (If you have the extensions hidden in Windows Explorer, you can reveal them by clicking View > File name extensions.)

Cryptocurrency-mining malware like this does not steal personal information, but it can be CPU intensive, which slows your computer down and makes your electricity consumption skyrocket.