Sorry, Tool to Unlock Nvidia’s Ethereum Mining Limiter Delivers Malware

Yep, it was too good to be true. A software tool claiming it can remove the Ethereum mining limiter on Nvidia’s RTX 3000 graphics cards is actually capable of delivering malware.

The tool’s creator, a mysterious developer known as “Sergey,” released a beta of the “LHR Unlocker” program this morning on his GitHub page, a few days ahead of a promised Saturday launch. However, a component inside the installer can fetch an Nvidia GeForce driver file that 18 different antivirus scans will detect as malware.

The malicious nature of LHR Unlocker was noticed by a Russian data scientist named Mikhail Stepanov, who posted an antivirus scan of the driver file on Sergey’s own GitHub page. 

A virus scan of the malicious driver file. (VirusTotal)

Stepanov, who mines cryptocurrency at his home, said he unpacked the installer and launched it on a virtual machine, but found no evidence it’ll unlock the Ethereum mining limiter on Nvidia’s RTX 3000 GPUs. Instead, the installer can fetch a malicious driver file from a server under the domain “drivers.sergeydev[.]com.” 

“This is a common Trojan,” Stepanov told PCMag in a chat on Telegram. “Most likely they wanted to build a botnet.” 

The URL to the malicious driver file is inside one of the installer’s components.

PCMag also unpacked the LHR Unlocker installer, and found that a component inside called “AI_FileDownload” does indeed lead to the domain “drivers.sergeydev[.]com” to fetch the malicious Nvidia driver file. Antivirus scans from Kaspersky, McAfee, Avast, Symantec, and Microsoft all detect it as a malicious file or as a Trojan. There is a chance the antivirus scans flagged the Nvidia driver file incorrectly. But in its current state, the beta LHR Unlocker program doesn’t work.

Meanwhile, a separate malware scan using Joe Sandbox shows the LHR Unlocker installer will also try to prevent Windows Defender from detecting it, according to Tom’s Hardware.

So far, Sergey hasn’t commented on the malware allegations. His background is unclear, but a domain lookup shows sergeydev[.]com is registered to a person in Poland named Sergey Bronovsky. 

The tool was released as…

Source…

Bug in NVIDIA’s Tegra Chipset Opens Door to Malicious Code Execution

Researcher creates ‘Selfblow’ proof-of-concept attack for exploiting a vulnerability that exists in “every single Tegra device released so far”.
Mobile Security – Threatpost