Some Kodi Add-ons Contain Malware And Mine Cryptocurrency

A number of add-ons for the media player have apparently been infected by cryptocurrency mining malware that affects Windows and Linux users.

Security researchers at ESET provided details about a recently discovered cryptomining campaign. They believe that XvBMC, a repository on the Kodi platform, was an unknowing participant, through the third-party add-ons Bubbles and Gaia, in a cryptomining campaign that dates back to December of last year. The malware found in the repository, when downloaded, installed a cryptominer on the unsuspecting victim's device. Its architecture is described as multi-stage, designed so that the payload is difficult to trace back to the malicious add-on. The cryptominer mines Monero and runs on both the Linux and Windows operating systems. The top five countries affected by this activity were: the United States, Israel, the United Kingdom, and Greece. The repository has since been shut down. For full technical details we encourage our readers to review ESET's article.

Indicators of Compromise

The links below will take you to the IBM X-Force page with the relevant URL details.
Example mirror of Bubbles:
Example mirror of Gaia:
Malicious files previously available on XvBMC repository:
Sampling of malicious Kodi builds:
Downloader module (Windows):
Downloader module (Linux):
Cryptominer binaries (Windows):
Cryptominer binaries (Linux):
Hashes of malicious add-ons:
Hashes of cryptominers and downloader modules (Windows):
Hashes of cryptominers and downloader modules (Linux):

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
