Tag: cryptojacking

8 Attack Reports | 0 Vulnerabilities

Attack reports

ShadowRay 2.0: Active Global Campaign Hijacks Ray AI Infrastructure Into Self-Propagating Botnet

A global hacking campaign dubbed ShadowRay 2.0 has been discovered, exploiting a vulnerability in the Ray AI framework to seize control of computing clusters and create a self-replicating botnet. The attackers use GitLab and GitHub for payload delivery, leveraging AI-generated code to adapt their m…
xmrig
ddos
botnet
cryptojacking
data exfiltration
self-propagation
devops
2025-11-19
CVE-2023-48022
ai infrastructure
sockstress
ray framework
Published: November 19, 2025
Downloadable IOCs: 0

CryptoJacking is dead: long live CryptoJacking

The article discusses the evolution of cryptojacking, from its rise with Coinhive in 2017 to its apparent decline and subsequent resurgence in a more sophisticated form. A new campaign was discovered involving over 3,500 infected websites, using stealthy techniques to mine cryptocurrency without de…
obfuscation
cryptojacking
monero
2025-08-20
webassembly
stealth mining
web workers
websockets
Published: August 20, 2025
Downloadable IOCs: 6

Android Cryptojacker Masquerades as Banking App to Mine Cryptocurrency on Locked Devices

A new Android malware campaign has been discovered, disguising itself as a banking app to covertly mine cryptocurrency on locked devices. The malware, distributed through a phishing website impersonating Axis Bank, downloads and executes a modified version of XMRig, a popular cryptocurrency mining …
phishing
android
xmrig
banking
cryptojacking
monero
2025-07-18
device-lock
battery-drain
overheating
android.dminer.a
Published: July 18, 2025
Downloadable IOCs: 1

Mining in Plain Sight: The VS Code Extension Cryptojacking Campaign

A sophisticated cryptomining campaign has been discovered targeting developers through seemingly legitimate VS Code extensions. The campaign, potentially reaching over one million installations, involves fake extensions published by three different authors. These extensions secretly download a Powe…
xmrig
cryptojacking
2025-04-08
developer tools
Published: April 8, 2025
Downloadable IOCs: 11

Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603)

A critical code execution vulnerability, CVE-2024-50603, affecting Aviatrix Controller has been observed being exploited in the wild. This unauthenticated remote code execution flaw allows attackers to execute arbitrary commands on the system, potentially leading to privilege escalation in AWS envi…
backdoor
xmrig
sliver
cloud security
cryptojacking
privilege escalation
aws
rce
CVE-2024-50603
2025-01-13
aviatrix controller
Published: January 13, 2025
Linked vulnerabilities : CVE-2024-50603 (CVSS 10.0), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2021-40870
Downloadable IOCs: 6

Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale

A new cryptojacking campaign targeting Docker Engine API has been discovered, with the ability to move laterally to Docker Swarm, Kubernetes, and SSH servers. The attackers exploit exposed Docker API endpoints to deploy cryptocurrency miners and additional malicious payloads. They utilize Docker Hu…
xmrig
kubernetes
cryptojacking
docker
2024-09-25
container security
docker swarm
Published: September 25, 2024
Downloadable IOCs: 41

DERO cryptojacking adopts new techniques to evade detection

This report examines the threat actors behind a 2023 cryptojacking campaign targeting misconfigured Kubernetes clusters, focusing on their evolving techniques to avoid detection. It analyzes the malicious Docker images they deployed, the hardcoded wallet and pool information in the DERO miner binar…
cloud
kubernetes
cryptojacking
2024-06-14
dero miner
Published: June 14, 2024
Downloadable IOCs: 18

Commando Cat: A Novel Cryptojacking Attack Abusing Docker Remote API Servers

This report details a cryptojacking campaign exploiting exposed Docker remote API servers. Threat actors employ the cmd.cat/chattr Docker image for initial access, utilizing techniques like chroot and volume binding to break out of the container and access host systems. They deploy cryptocurrency m…
malware
cryptocurrency
cloud
2024-06-07
cryptojacking
docker
containers
ziggystartux
Published: June 7, 2024
Downloadable IOCs: 7
Click here to see more Attack Reports