A malware exploiting Windows Safe mode to do cryptocurrency mining has been discovered by security researchers. 

Dubbed as Crackonosh by experts at Avast, the malware spreads by infecting computers when they use cracked and pirated software. Oftentimes, these come from forums, torrents, and warez websites.

Many Avast users on Reddit have been reporting the sudden disappearance of its antivirus software from their computer system files, the team launched an investigation into the issue and determined the loss is a result of the malware. 

The Crackonosh malware is estimated to be in circulation since June 2018. Whenever a victim launches the file believed to be a “cracked” version of a legitimate app, the malware is also installed along with it. 


Related: How to remove malware from your Android device

Upon installing the malware, a malicious script modifies the Windows registry to allow it to run in Safe mode, initiating the infection chain. On the next start-up of the infected computer system, it is set to run in Safe Mode. 

Since Windows’ Safe Mode deactivates third-party program like antivirus, the malware goes undetected.Crackonosh intelligently scans the victim’s system for various antivirus softwares, including but not limited to Avast, Norton, Bitdefender, and McAfee’s to delete or disable them. Afterwards, system log files are wiped to prevent any traces from showing up. 

The malware will also try to disable Windows updates from happening, so it puts a fake green checkmark on the Windows Security settings. To complete the infection, Crackonosh deploys XMRig — a cryptocurrency miner that uses the machine’s CPU to mine the privacy-focused Monero (XMR). 


Avast estimates over 1,000 systems are being infected everyday, with a total of 222,000+ computers hit worldwide. There’s a total of 30 Crackonosh variants detected, with latest one released back in November 2020.

So far, the malware is estimated to have made over 9,000 XMR coins, around $2 million in today’s current exchange rate.

Leave a Reply