KryptoCibule malware: triple threat to cryptocurrencies

Security researchers have discovered a new malware dubbed KryptoCibule that poses a triple threat to victim’s cryptocurrency resources. Attackers are using KryptoCibule to abuse victim’s resources to mine coins, hijack cryptocurrency transactions and exfiltrate cryptocurrency-related files.

The name KryptoCibule derives from the Czech and Slovak words for “crypto” and “onion” respectively.

According to ESET researchers, KryptoCibule leverages the Tor network and BitTorrent protocol for use in its communication infrastructure. As a result the malware can stay undetected and spread while stealing cryptocoins from its victims.

ESET also confirmed the malware has so far targeted users in the Czech Republic and Slovakia. Almost all the malicious torrents were available on, a popular file sharing site in the two countries.

However, there is no telling if the threat may soon spread to other countries.

“The malware, as written, employs some legitimate software. Some, such as Tor and the Transmission torrent client, are bundled with the installer; others are downloaded at runtime, including Apache httpd and the Buru SFTP server,” said ESET security researcher Matthieu Faou, who discovered KryptoCibule.

To add, KriptoCibule also checks for anti-malware products ESET, Avast and AVG. ESET is headquartered in Slovakia and the latter two products are owned by Avast, which is headquartered in the Czech Republic.

The malware also uses the BitTorrent protocol to download malware updates and other additional software.

ESET describes the KryptoCibule components and tools in Figure 1 below.

Figure 1: ESET KryptoCibule components and tools

The security experts from ESET also uncovered multiple versions of the malware, dating back to December 2018. The malware developers have regularly added new capabilities to KryptoCibule and is still under active development.

Related Articles