Tag: coinminer

12 Attack Reports | 0 Vulnerabilities

Attack reports

Q1 2026 Malware Statistics Report for Linux SSH Servers

Analysis of attacks against Linux SSH servers during Q1 2026 reveals P2PInfect worm as the dominant threat, representing 70.3% of all attack sources. DDoS botnets including Mirai, XMRig, Prometei, and CoinMiner were identified as primary threats. A notable campaign involved installing V2Ray proxy t…
xmrig
coinminer
xorddos
mirai
gafgyt
p2pinfect
tsunami
prometei
ssh brute-force
2026-04-14
chinese attribution
credential attacks
ddos botnet
honeypot analysis
linux servers
shellbot
v2ray
v2ray proxy
Published: April 14, 2026
Downloadable IOCs: 1

Q1 2026 Malware Statistics Report for Windows Database Servers

During the first quarter of 2026, Windows-based MS-SQL and MySQL database servers experienced consistent malicious attacks with a temporary decrease in February before rising again in March. The primary threat actor, Larva-26002, leveraged various utilities including BCP, curl, bitsadmin, and Power…
coinminer
credential stuffing
gh0strat
netcat
mysql
database servers
brute force
ms-sql
dictionary attack
juicypotato
shadowforce
clrshell
mykings
loveminer
2026-04-14
ice cloud
scanner
Published: April 14, 2026
Downloadable IOCs: 4

Q1 2026 malware statistics report for Windows web servers

Analysis of Windows web server attacks during Q1 2026 reveals that Internet Information Services (IIS) and Apache Tomcat servers face persistent threats through web shell exploitation. The Larva-26001 threat actor has been targeting domestic IIS servers for several years, deploying privilege escala…
coinminer
privilege escalation
badpotato
web shell
iis
apache tomcat
juicypotato
2026-04-14
CVE-2019-1458
htran
jsprat
port forwarding
porttranc
printspoofer
rdp compromise
windows web servers
Published: April 14, 2026
Linked vulnerabilities : CVE-2019-1458
Downloadable IOCs: 1

I scan, you scan, we all scan for... knowledge?

This intelligence report emphasizes the importance of understanding one's own network environment and not ignoring reconnaissance events in cybersecurity. It highlights the increasing sophistication of bad actors in reconnaissance, both in network scanning and social engineering, aided by AI tools.…
rat
coinminer
reconnaissance
network security
initial access brokers
vulnerability management
cybersecurity trends
2026-01-23
alert fatigue
Published: January 23, 2026
Downloadable IOCs: 5

XiebroC2 Identified in MS-SQL Server Attack Cases

A recent attack on a poorly managed MS-SQL server involved the use of XiebroC2, an open-source C2 framework similar to CobaltStrike. The attackers exploited vulnerable credentials, installed JuicyPotato for privilege escalation, and then deployed XiebroC2 using PowerShell. XiebroC2 supports various…
coinminer
privilege escalation
brute force
c2 framework
ms-sql
dictionary attack
juicypotato
2025-10-01
xiebroc2
Published: October 1, 2025
Downloadable IOCs: 3

Statistics Report on Malware Targeting Windows Database Servers in Q2 2025

The analysis team has categorized attacks on MS-SQL and MySQL servers installed on Windows systems during Q2 2025. While the number of targeted systems remains stable, attacks on MS-SQL servers have been decreasing. MySQL servers saw a significant spike in attacks in June 2025. The report provides …
windows
coinminer
anydesk
remcos
gh0strat
cobaltstrike
netcat
mysql
database
ms-sql
2025-08-08
juicypotato
hploader
shadowforce
server security
q2 2025
ahnlab smart defense
clrshell
mykings
attack statistics
loveminer
Published: August 8, 2025
Downloadable IOCs: 9

CoinMiner Attacks Exploiting GeoServer Vulnerability

A critical remote code execution vulnerability (CVE-2024-36401) in GeoServer has been actively exploited by threat actors to install CoinMiner malware. The attacks target both Windows and Linux environments with unpatched GeoServer installations. In South Korea, attackers exploited the vulnerabilit…
powershell
xmrig
coinminer
bash
mirai
netcat
remote code execution
condi
geoserver
monero
CVE-2024-36401
goreverse
2025-08-08
sidewalk
Published: August 8, 2025
Downloadable IOCs: 4

Compromised ultralytics PyPI package delivers crypto coinminer

A malicious version of the popular AI library ultralytics was published on PyPI, containing downloader code for the XMRig coinminer. The compromise was achieved by exploiting a known GitHub Actions script injection. Two versions, 8.3.41 and 8.3.42, were affected before a clean version 8.3.43 was re…
xmrig
coinminer
pypi
2024-12-07
ultralytics
supply-chain-attack
Published: December 7, 2024
Downloadable IOCs: 0

Binary Managed Object File (BMOF) Distributing XMRig CoinMiner

This analysis explores the use of Binary Managed Object Files (BMOFs) in distributing XMRig CoinMiner. BMOFs, compiled versions of Managed Object Files, are not inherently malicious but can be exploited due to their ability to execute scripts. The report details how threat actors utilize BMOFs with…
xmrig
coinminer
2024-09-18
bmof
Published: September 18, 2024
Linked vulnerabilities : CVE-2024-43044, CVE-2024-23897
Downloadable IOCs: 5

Warning Against the Distribution of Malware Disguised as Software Cracks

This advisory cautions about the distribution of malware masquerading as crack programs for software. The malicious actors aim to prevent the installation of V3 Lite, an anti-malware solution, by terminating its installation process. This tactic allows them to maintain persistence and continue upda…
malware
xmrig
coinminer
persistence
installer
2024-07-19
update
Published: July 19, 2024
Downloadable IOCs: 1

Analysis of CoinMiner Attacks Targeting Web Servers

The report details two separate attack cases targeting a Korean medical institution's web server, resulting in the installation of CoinMiners. The targeted server was a Windows IIS server, likely with PACS software installed. In both attacks, web shells were uploaded, and system information was col…
xmrig
coinminer
privilege escalation
earthworm
badpotato
godpotato
2024-06-24
webshell
netcat
cpolar
fscan
printnotifypotato
Published: June 24, 2024
Linked vulnerabilities : CVE-2021-1732
Downloadable IOCs: 59

Threat Actors' Systems Can Also Be Exposed and Used by Other Threat Actors

This report discusses a case where a CoinMiner threat actor's proxy server, used to access an infected botnet, became the target of a ransomware threat actor's Remote Desktop Protocol (RDP) scan attack. The ransomware threat actor successfully breached the proxy server and distributed ransomware to…
ransomware
coinminer
botnet
2024-06-06
rdp
phobos
havex
backdoor.oldrea
proxy
Published: June 6, 2024
Downloadable IOCs: 34
Click here to see more Attack Reports