Tag: cryptomining

26 Attack Reports | 0 Vulnerabilities

Attack reports

From Scripts to Systems: A Comprehensive Look at Tangerine Turkey Operations

Tangerine Turkey is a cryptomining campaign that uses VBScript worms to spread via USB drives, leveraging living-off-the-land binaries for execution and persistence. The group employs defense evasion techniques by modifying registry keys and masquerading malicious binaries as legitimate system file…
xmrig
worm
usb
persistence
cryptomining
vbscript
living-off-the-land
2025-10-29
defense-evasion
Published: October 29, 2025
Downloadable IOCs: 3

SVG Phishing hits Ukraine with Amatera Stealer, PureMiner

A phishing campaign targeting Ukrainian government entities uses malicious SVG files to initiate an infection chain. The attack begins with emails containing SVG attachments that redirect victims to a download site. A CHM file is then used to execute a remote HTA loader, which delivers two malware …
phishing
data theft
ukraine
cryptomining
fileless
chm
svg
amatera stealer
pureminer
countloader
2025-09-26
hta loader
Published: September 26, 2025
Downloadable IOCs: 0

Botnet Loader-as-a-Service Infrastructure Distributing RondoDoX and Mirai Payloads

A sophisticated botnet operation employing a Loader-as-a-Service model was uncovered through exposed command and control logs spanning six months. The campaign systematically targets SOHO routers, IoT devices, and enterprise applications through command injection vulnerabilities in web interfaces. …
command injection
iot
botnet
mirai
cryptomining
soho routers
rondodox
2025-09-25
morte
CVE-2012-1823
CVE-2019-17574
CVE-2019-16759
loader-as-a-service
Published: September 25, 2025
Linked vulnerabilities : CVE-2019-17574, CVE-2019-16759, CVE-2012-1823
Downloadable IOCs: 341

Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open

A routine monitoring by researchers uncovered an exploitation attempt on a honeypot server running TeamCity, a CI/CD tool. The attack exploited an exposed Java Debug Wire Protocol (JDWP) interface, leading to remote code execution, deployment of cryptomining payload, and establishment of multiple p…
xmrig
persistence
java
cryptomining
remote code execution
2025-08-08
teamcity
jdwp
debugging
Published: August 8, 2025
Downloadable IOCs: 17

AI-Generated Malware in Panda Image Hides Persistent Linux Threat

A sophisticated Linux malware campaign called Koske has been discovered, showing signs of AI-assisted development. The threat exploits misconfigured servers to install backdoors and download weaponized JPEG images containing malicious payloads. The malware uses polyglot file abuse to hide shellcode…
linux
rootkit
cryptomining
ai-generated
2025-07-24
koske
polyglot-abuse
Published: July 24, 2025
Downloadable IOCs: 2

Multiplatform Cryptomining Campaign Uses Fake Error Pages to Hide Payload

A new iteration of a broad cryptomining campaign, dubbed Soco404, has been identified. The attackers exploit vulnerabilities in cloud environments, particularly targeting PostgreSQL misconfigurations, to deploy cryptominers on both Linux and Windows systems. They use process masquerading, achieve p…
persistence
cryptomining
CVE-2025-24813
compromised-servers
2025-07-24
process-masquerading
multiplatform
fake-404-pages
postgresql
crypto-scam
soco404
Published: July 24, 2025
Downloadable IOCs: 0

The Linuxsys Cryptominer

A long-running cryptomining campaign exploiting multiple vulnerabilities has been active since 2021, using consistent attack methodologies. The attacker compromises legitimate websites to distribute malware, enabling stealthy delivery and detection evasion. The campaign targets various vulnerabilit…
xmrig
cryptomining
compromised websites
2025-07-18
linuxsys
Published: July 18, 2025
Downloadable IOCs: 0

Digging Gold with a Spoon – Resurgence of Monero-mining Malware

A resurgence of malware deploying XMRig cryptominer was discovered in mid-April 2025, coinciding with a rally in Monero cryptocurrency value. The malware uses a multi-staged approach and LOLBAS techniques, leveraging Windows tools like PowerShell for payload delivery, detection evasion, and persist…
powershell
xmrig
persistence
cryptomining
monero
lolbas
windows defender evasion
2025-07-07
Published: July 7, 2025
Downloadable IOCs: 4

The Sharp Taste of Mimo'lette: Analyzing Mimo's Latest Campaign targeting Craft CMS

Between February and May, multiple exploitations of CVE-2025-32432, a Remote Code Execution vulnerability in Craft CMS, were observed. The attack chain involves deploying a webshell, downloading an infection script, and executing malicious payloads including a loader, crypto miner, and residential …
xmrig
cryptomining
webshell
residential proxy
CVE-2025-32432
2025-05-27
minus ransomware
iproyal
craft cms
Published: May 27, 2025
Linked vulnerabilities : CVE-2024-46483 (CVSS 9.8), CVE-2025-32432 (CVSS 10.0)
Downloadable IOCs: 8

Stopping Sobolan Malware with Aqua Runtime Protection

A new attack campaign targeting interactive computing environments like Jupyter Notebooks has been discovered. The attack involves downloading a compressed file from a remote server, which, when executed, deploys multiple malicious tools to exploit the server and establish persistence. The campaign…
evasion
persistence
cryptomining
cloud-native
2025-03-12
runtime protection
sobolan
jupyter notebooks
Published: March 12, 2025
Downloadable IOCs: 9

Infostealer Campaign against ISPs

A campaign targeting ISP infrastructure providers on the West Coast of the United States and China has been identified. Originating from Eastern Europe, the attackers use simple tools to abuse victims' computer processing power for cryptomining and credential theft. The initial access is gained thr…
infostealer
persistence
cryptomining
brute force
2025-03-11
scripting
Published: March 11, 2025
Downloadable IOCs: 0

StaryDobry campaign targets gamers with XMRig miner

A cybercriminal campaign launched on December 31 exploited reduced vigilance during the holiday season by distributing trojanized versions of popular games via torrent sites. The attack, which lasted a month, affected users worldwide by spreading the XMRig cryptominer. The sophisticated infection c…
xmrig
cryptomining
defense evasion
gaming
multi-stage
2025-02-18
torrents
resource spoofing
Published: February 18, 2025
Downloadable IOCs: 15

Examining Redtail: Analyzing a Sophisticated Cryptomining Malware and its Advanced Tactics

This analysis focuses on redtail, a cryptocurrency mining malware that stealthily installs itself on compromised systems. The malware utilizes two additional scripts: one to identify the CPU architecture and another to remove existing cryptomining software. Observed attacks originated from IP addre…
cryptomining
redtail
2025-01-09
c3pool_miner
Published: January 9, 2025
Linked vulnerabilities : CVE-2024-3400
Downloadable IOCs: 12

PacketCrypt Classic Cryptocurrency Miner on PHP Servers

A cryptocurrency mining campaign targeting vulnerable PHP servers has been identified. The attack exploits misconfigured or unpatched servers, allowing unauthorized access to php-cgi.exe. The malware, initially delivered as dr0p.exe, downloads a secondary payload pkt1.exe, which then spawns packetc…
cryptomining
CVE-2024-4577
php
2025-01-07
packetcrypt
stake-to-earn
Published: January 7, 2025
Downloadable IOCs: 6

Unpacking the Diicot Malware Targeting Linux Environments

A new malware campaign attributed to the Romanian-speaking Diicot threat group has been discovered targeting Linux systems. The campaign shows significant advancements compared to previous iterations, including modified UPX headers with corrupted checksums, advanced payload staging, and environment…
malware
linux
openssh
xmrig
persistence
cryptomining
brute-force
2024-12-17
reverse-shell
upx
Published: December 17, 2024
Downloadable IOCs: 36

Attacker Abuses Victim Resources to Reap Rewards from Titan Network

An attacker exploited the Atlassian Confluence vulnerability CVE-2023-22527 to achieve remote code execution for cryptomining via the Titan Network. The malicious actor gathered system details using public IP lookup services and various commands. Multiple shell scripts were downloaded and executed …
cryptomining
aws
ssh
remote code execution
CVE-2023-22527
atlassian confluence
2024-11-04
titan network
cassini testnet
aleo-pool
Published: November 4, 2024
Linked vulnerabilities : CVE-2023-22527
Downloadable IOCs: 1

Docker Gatling Gun Campaign

Recent research has uncovered a new malicious campaign orchestrated by the notorious hacking group TeamTNT. This campaign exploits exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, utilizing compromised servers and Docker Hub as infrastructure for spreading their mali…
campaign
sliver
malicious
cryptomining
docker
tsunami
2024-10-26
exposed-daemons
cloud-native
container-security
docker-swarm
docker-hub
2024-10-29
prochider
Published: October 29, 2024
Downloadable IOCs: 11

Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach

A malicious actor has been observed targeting Docker remote API servers to deploy the SRBMiner cryptominer for mining XRP cryptocurrency. The attacker utilizes the gRPC protocol over h2c (clear text HTTP/2 protocol) to evade security measures and execute cryptomining operations on Docker hosts. The…
cryptomining
docker
container security
2024-10-22
http/2
xrp
grpc
remote api
srbminer
Published: October 22, 2024
Downloadable IOCs: 2

LemonDuck Unleashes Cryptomining Attacks Through SMB Service Exploits

This report details the tactics and techniques employed by the LemonDuck cryptomining malware, which exploits the SMB service by leveraging the EternalBlue vulnerability (CVE-2017-0144). After gaining initial access through brute-force attacks, the malware creates malicious files, disables security…
persistence
malicious scripts
credential theft
cryptomining
CVE-2017-0144
lemonduck
2024-10-14
network manipulation
Published: October 14, 2024
Linked vulnerabilities : CVE-2017-0144, CVE-2023-46865
Downloadable IOCs: 8

LemonDuck Malware Exploiting SMB Vulnerabilities

LemonDuck malware has evolved into a versatile threat, targeting both Windows and Linux systems. It exploits SMB vulnerabilities, particularly EternalBlue, to gain network access. The malware uses brute-force attacks, creates hidden administrative shares, and executes malicious actions via batch fi…
cryptomining
CVE-2017-0144
2024-10-09
lemonduck
eternalblue
smb
Published: October 9, 2024
Linked vulnerabilities : CVE-2017-0144
Downloadable IOCs: 5

SIEM agent being used in SilentCryptoMiner attacks

A global malware campaign targeting mainly Russian-speaking users has been distributing cryptocurrency mining malware through fake software download sites, Telegram channels, and YouTube videos. The multi-stage infection chain uses unusual techniques for persistence and evasion, including hiding ma…
seo poisoning
persistence
autoit
cryptomining
defense evasion
2024-10-07
silentcryptominer
siem
Published: October 7, 2024
Downloadable IOCs: 8

perfctl: A Stealthy Malware Targeting Millions of Linux Servers

A sophisticated Linux malware named 'perfctl' has been actively targeting millions of servers worldwide for the past 3-4 years. It exploits over 20,000 types of misconfigurations to compromise Linux systems. The malware employs advanced evasion techniques, including rootkits, process masquerading, …
linux
rootkit
evasion
privilege-escalation
persistence
cryptomining
CVE-2023-33246
2024-10-04
tor
CVE-2021-4043
proxy-jacking
perfctl
Published: October 4, 2024
Linked vulnerabilities : CVE-2023-33246, CVE-2021-4034, CVE-2021-4043
Downloadable IOCs: 9

Hadooken and K4Spreader: The 8220 Gang's Latest Arsenal

This analysis uncovers a significant infection chain targeting Windows and Linux systems through Oracle WebLogic vulnerabilities. The attackers, likely the 8220 Gang, exploit CVE-2017-10271 and CVE-2020-14883 to deploy malware including K4Spreader, Tsunami backdoor, and cryptominers. The infection …
china
botnet
cryptomining
brazil
pwnrig
tsunami
k4spreader
weblogic
hadooken
2024-10-01
CVE-2017-10271
CVE-2020-14883
Published: October 1, 2024
Linked vulnerabilities : CVE-2023-46604, CVE-2020-14883, CVE-2017-10271
Downloadable IOCs: 62

From Automation to Exploitation: The Growing Misuse of Selenium Grid for Cryptomining and Proxyjacking

Two campaigns targeting Selenium Grid, a popular web testing tool, have been identified. The attacks exploit misconfigured instances lacking authentication to deploy cryptominers and proxyjacking tools. The first campaign injects a base64 encoded Python script to download and execute a reverse shel…
cryptomining
vulnerability exploitation
2024-09-17
tor
proxyjacking
perfcc
iproyal pawns
gsocket
traffmonetizer
selenium grid
Published: September 17, 2024
Linked vulnerabilities : CVE-2021-4043
Downloadable IOCs: 18

Cryptomining Campaign Exploiting Grid Services

Wiz researchers discovered an ongoing threat campaign, dubbed 'SeleniumGreed', that exploits exposed Selenium Grid services for cryptomining. The campaign targets publicly accessible instances of Selenium Grid, an integral component of the widely used Selenium testing framework. By leveraging featu…
xmrig
cryptomining
threat
2024-07-30
webdriver
grid
selenium
Published: July 30, 2024
Downloadable IOCs: 14

Unveiling a Crypto Mining Operation

This report uncovers a sophisticated intrusion campaign involving several malicious modules designed to disable security solutions and execute a persistent crypto-miner. The primary payload, dubbed GHOSTENGINE, leverages vulnerable drivers to terminate and delete known endpoint detection and respon…
xmrig
2024-05-22
cryptomining
ghostengine
Published: May 22, 2024
Downloadable IOCs: 17
Click here to see more Attack Reports