Tag: xmrig

55 Attack Reports | 0 Vulnerabilities

Attack reports

A miner with a side of RAT: the unintended gift with your TV show or book

A cybercrime campaign active since at least 2022 has been distributing cryptocurrency miners and RAT malware through illegal streaming sites and digital libraries. Victims are tricked via fake video player plugin updates or browser crash pages into downloading ZIP archives containing legitimate exe…
xmrig
dns tunneling
dll side-loading
silentcryptominer
domain generation algorithm
fake updates
cryptocurrency miner
2026-05-28
piracy sites
Published: May 28, 2026
Downloadable IOCs: 0

Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers

Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration glob…
xmrig
cobalt strike
asyncrat
mirai
phorpiex
lockbit black
sliver
telecommunications
netsupport rat
gophish
c2 infrastructure
mozi
middle east
termite
twizt
bulletproof hosting
rondodox
keitaro
CVE-2025-11953
dynowiper
tactical rmm
2026-05-21
acunetix
aquilarat
echogather
espionage campaigns
hajime
hellsuchecker
iot botnets
maas platforms
offensive frameworks
phexia
prism x
soullessrat
Published: May 21, 2026
Linked vulnerabilities : CVE-2025-11953 (CVSS 9.8)
Downloadable IOCs: 5

Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities

Cisco Talos tracks active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager, allowing remote attackers to obtain administrative privileges. The exploitation is attributed to UAT-8616, a sophisticated threat actor previously involv…
xmrig
credential theft
sliver
godzilla
behinder
webshells
gsocket
cryptocurrency mining
authentication bypass
cisco
adaptixc2
CVE-2026-20122
CVE-2026-20127
CVE-2026-20128
CVE-2026-20133
2026-05-14
CVE-2026-20182
kscan
nimplant
sd-wan
xenshell
Published: May 14, 2026
Linked vulnerabilities : CVE-2025-20333 (CVSS 9.9), CVE-2025-20362 (CVSS 6.5), CVE-2026-20122 (CVSS 5.4), CVE-2026-20127 (CVSS 10.0), CVE-2026-20128 (CVSS 7.5), CVE-2026-20133 (CVSS 6.5), CVE-2026-20182 (CVSS 10.0)
Downloadable IOCs: 24

Untangling a Linux Incident With an OpenAI Twist (Part 2)

A Linux endpoint was simultaneously compromised by at least two distinct threat actors while the developer user relied on OpenAI's Codex AI agent for security remediation. Actor A deployed a cryptominer mining Monero to a private pool. Actor B installed a multi-revenue botnet including XMRig mining…
xmrig
botnet
cryptominer
credential harvesting
data exfiltration
CVE-2025-55182
react2shell
linux compromise
2026-04-22
ai-assisted remediation
dnser
earnfm
fh8a7d7m
fkkkf
multiple threat actors
repocket
systemd-logind
Published: April 22, 2026
Linked vulnerabilities : CVE-2025-30406, CVE-2025-55182 (CVSS 10.0), CVE-2025-31151
Downloadable IOCs: 3

Q1 2026 Malware Statistics Report for Linux SSH Servers

Analysis of attacks against Linux SSH servers during Q1 2026 reveals P2PInfect worm as the dominant threat, representing 70.3% of all attack sources. DDoS botnets including Mirai, XMRig, Prometei, and CoinMiner were identified as primary threats. A notable campaign involved installing V2Ray proxy t…
xmrig
coinminer
xorddos
mirai
gafgyt
p2pinfect
tsunami
prometei
ssh brute-force
2026-04-14
chinese attribution
credential attacks
ddos botnet
honeypot analysis
linux servers
shellbot
v2ray
v2ray proxy
Published: April 14, 2026
Downloadable IOCs: 1

RondoDox Botnet: From Zero to 174 Exploited Vulnerabilities

The RondoDox botnet has emerged as a significant threat, exploiting 174 different vulnerabilities since May 2025. It primarily targets IoT devices and internet-exposed services for DoS attacks. The botnet's infrastructure includes exploiting and hosting components, with evidence suggesting the use …
xmrig
ddos
iot
botnet
vulnerability exploitation
rondodox
2026-03-11
Published: March 11, 2026
Linked vulnerabilities : CVE-2025-24016 (CVSS 9.9), CVE-2025-24893 (CVSS 9.8), CVE-2023-46604, CVE-2025-32756, CVE-2025-48827 (CVSS 10.0), CVE-2025-20281 (CVSS 9.8), CVE-2025-57296 (CVSS 6.5), CVE-2025-62593 (CVSS 9.4), CVE-2025-55182 (CVSS 10.0), CVE-2025-37164 (CVSS 10.0), CVE-2025-47812, CVE-2025-52089
Downloadable IOCs: 29

Cryptojacking Campaign Exploits Driver to Boost Monero Mining

A sophisticated cryptojacking campaign has been discovered, spreading through pirated software installers. The operation utilizes a customized XMRig miner and a controller component for long-term system access. Unlike browser-based schemes, this campaign deploys system-level malware using deceptive…
xmrig
persistence
cryptojacking
stealth
driver vulnerability
2026-02-18
CVE-2020-14979
kernel exploit
monero mining
pirated software
Published: February 18, 2026
Linked vulnerabilities : CVE-2020-14979
Downloadable IOCs: 1

AI/LLM-Generated Malware Used to Exploit React2Shell

Darktrace identified an AI-generated malware sample exploiting the React2Shell vulnerability in its honeypot environment. The incident demonstrates how LLM-assisted development enables low-skill attackers to rapidly create effective exploitation tools. The attack chain involved spawning a container…
xmrig
llm
crypto mining
CVE-2025-55182
react2shell
2026-02-10
ai-generated malware
Published: February 10, 2026
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 3

Exposed BYOB C2 Infrastructure Reveals a Multi-Stage Malware Deployment

An exposed open directory on a command and control server revealed a complete deployment of the BYOB (Build Your Own Botnet) framework. The multi-stage infection chain targets Windows, Linux, and macOS platforms, implementing seven persistence mechanisms. The malware includes extensive post-exploit…
xmrig
persistence
cryptomining
keylogging
cross-platform
post-exploitation
multi-stage
2026-01-29
byob
infrastructure-reuse
packet-capture
Published: January 29, 2026
Downloadable IOCs: 4

Weekly Threat Bulletin – January 28th, 2026

This weekly threat bulletin highlights several critical vulnerabilities and emerging threats. A severe RCE vulnerability in React Server Components and Next.js (CVE-2025-55182) is being actively exploited. CISA added four critical flaws to its 'Must-Patch' list, including vulnerabilities in Versa C…
ransomware
xmrig
cobalt strike
macos
mirai
sliver
gafgyt
qilin
cisa
interlock
rce
lizkebab
bashlite
aisuru
clop
vshell
next.js
CVE-2025-31125
CVE-2025-34026
pulsepack
rondodox
CVE-2025-54313
beacon
morte
CVE-2025-61882
oracle e-business suite
nezha
agenda
CVE-2025-55182
react
peerblight
etherrat
CVE-2025-68645
rondo
monetastealer
gitlab
2026-01-28
agendacrypt
angryrebel
bash0day
bpfdoor
compood
kswapdoor
lzrd
masuta
miori
noodle rat
okiru
puremasuta
resgod
rondobot
satori
scavenger
splinter
torlus
wicked
Published: January 28, 2026
Linked vulnerabilities : CVE-2025-24893 (CVSS 9.8), CVE-2023-1389, CVE-2025-31125 (CVSS 5.3), CVE-2025-34026 (CVSS 9.2), CVE-2025-54313 (CVSS 7.5), CVE-2025-61882 (CVSS 9.8), CVE-2025-55182 (CVSS 10.0), CVE-2025-66478, CVE-2025-55184 (CVSS 7.5), CVE-2025-55183 (CVSS 5.3), CVE-2025-68645 (CVSS 8.8), CVE-2025-13335 (CVSS 6.5), CVE-2025-13927 (CVSS 7.5), CVE-2025-13928 (CVSS 7.5), CVE-2026-0723 (CVSS 7.4), CVE-2026-1102 (CVSS 5.3)
Downloadable IOCs: 37

Hunting Lazarus: Inside the Contagious Interview C2 Infrastructure

A North Korean malware was discovered in an Upwork cryptocurrency project, leading to a five-day investigation into active Lazarus Group infrastructure. The malware utilized three infection mechanisms: VSCode auto-execution, backend RCE via Function Constructor, and cookie payload delivery. The inf…
backdoor
obfuscation
north korea
xmrig
cryptocurrency
supply chain
tsunami
beavertail
vercel
2026-01-15
upwork
vynlence
Published: January 15, 2026
Downloadable IOCs: 8

Inside China's Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs

An analysis of Chinese hosting environments reveals over 18,000 active command-and-control (C2) servers distributed across 48 infrastructure providers. C2 infrastructure dominates malicious activity at 84%, followed by phishing at 13%. China Unicom hosts nearly half of all observed C2 servers, with…
malware
apt
xmrig
cobalt strike
china
asyncrat
cybercrime
mirai
nanocore
mgbot
infrastructure
supershell
command-and-control
mozi
vshell
rondodox
CVE-2025-8110
valley rat
2026-01-15
arl
cloud providers
isps
l3mon
Published: January 15, 2026
Linked vulnerabilities : CVE-2025-8110 (CVSS 8.7)
Downloadable IOCs: 12

It didn’t take long: CVE-2025-55182 is now under active exploitation

A critical vulnerability (CVE-2025-55182) affecting React Server Components has been actively exploited since its disclosure on December 4, 2025. The flaw, dubbed React4Shell, allows attackers to execute commands and manipulate files on vulnerable web applications. Kaspersky honeypots detected a su…
xmrig
vulnerability
botnet
mirai
exploitation
gafgyt
honeypot
rondodox
CVE-2025-55182
2025-12-11
react server components
crypto miner
react4shell
Published: December 11, 2025
Linked vulnerabilities : CVE-2025-55182 (CVSS 10.0)
Downloadable IOCs: 46

ShadowRay 2.0: Active Global Campaign Hijacks Ray AI Infrastructure Into Self-Propagating Botnet

A global hacking campaign dubbed ShadowRay 2.0 has been discovered, exploiting a vulnerability in the Ray AI framework to seize control of computing clusters and create a self-replicating botnet. The attackers use GitLab and GitHub for payload delivery, leveraging AI-generated code to adapt their m…
xmrig
ddos
botnet
cryptojacking
data exfiltration
self-propagation
devops
2025-11-19
CVE-2023-48022
ai infrastructure
sockstress
ray framework
Published: November 19, 2025
Downloadable IOCs: 0

Cloud Abuse at Scale

A large-scale attack infrastructure dubbed TruffleNet has been identified, built around the open-source tool TruffleHog. This infrastructure is used to systematically test compromised credentials and perform reconnaissance across AWS environments. The campaign involves over 800 unique hosts across …
xmrig
aws
bec
coroxy
systembc
trufflehog
credential abuse
cloud infrastructure
2025-11-01
identity compromise
portainer
trufflenet
ses
Published: November 1, 2025
Downloadable IOCs: 0

Case of ActiveMQ Vulnerability Exploitation to Install Sharpire (Kinsing)

The Kinsing threat actor continues to distribute malware by exploiting known vulnerabilities, particularly CVE-2023-46604 in ActiveMQ. They target both Linux and Windows systems, using various malware types including XMRig, Stager, and Sharpire. The attack process involves exploiting the ActiveMQ v…
xmrig
meterpreter
cobaltstrike
vulnerability exploitation
CVE-2023-46604
cryptocurrency mining
2025-10-31
activemq
sharpire
h2miner
powershell empire
Published: October 31, 2025
Linked vulnerabilities : CVE-2021-44228, CVE-2023-46604
Downloadable IOCs: 4

From Scripts to Systems: A Comprehensive Look at Tangerine Turkey Operations

Tangerine Turkey is a cryptomining campaign that uses VBScript worms to spread via USB drives, leveraging living-off-the-land binaries for execution and persistence. The group employs defense evasion techniques by modifying registry keys and masquerading malicious binaries as legitimate system file…
xmrig
worm
usb
persistence
cryptomining
vbscript
living-off-the-land
2025-10-29
defense-evasion
Published: October 29, 2025
Downloadable IOCs: 3

Exposed JDWP Exploited in the Wild: What Happens When Debug Ports Are Left Open

A routine monitoring by researchers uncovered an exploitation attempt on a honeypot server running TeamCity, a CI/CD tool. The attack exploited an exposed Java Debug Wire Protocol (JDWP) interface, leading to remote code execution, deployment of cryptomining payload, and establishment of multiple p…
xmrig
persistence
java
cryptomining
remote code execution
2025-08-08
teamcity
jdwp
debugging
Published: August 8, 2025
Downloadable IOCs: 17

CoinMiner Attacks Exploiting GeoServer Vulnerability

A critical remote code execution vulnerability (CVE-2024-36401) in GeoServer has been actively exploited by threat actors to install CoinMiner malware. The attacks target both Windows and Linux environments with unpatched GeoServer installations. In South Korea, attackers exploited the vulnerabilit…
powershell
xmrig
coinminer
bash
mirai
netcat
remote code execution
condi
geoserver
monero
CVE-2024-36401
goreverse
2025-08-08
sidewalk
Published: August 8, 2025
Downloadable IOCs: 4

Android Cryptojacker Masquerades as Banking App to Mine Cryptocurrency on Locked Devices

A new Android malware campaign has been discovered, disguising itself as a banking app to covertly mine cryptocurrency on locked devices. The malware, distributed through a phishing website impersonating Axis Bank, downloads and executes a modified version of XMRig, a popular cryptocurrency mining …
phishing
android
xmrig
banking
cryptojacking
monero
2025-07-18
device-lock
battery-drain
overheating
android.dminer.a
Published: July 18, 2025
Downloadable IOCs: 1

The Linuxsys Cryptominer

A long-running cryptomining campaign exploiting multiple vulnerabilities has been active since 2021, using consistent attack methodologies. The attacker compromises legitimate websites to distribute malware, enabling stealthy delivery and detection evasion. The campaign targets various vulnerabilit…
xmrig
cryptomining
compromised websites
2025-07-18
linuxsys
Published: July 18, 2025
Downloadable IOCs: 0

Digging Gold with a Spoon – Resurgence of Monero-mining Malware

A resurgence of malware deploying XMRig cryptominer was discovered in mid-April 2025, coinciding with a rally in Monero cryptocurrency value. The malware uses a multi-staged approach and LOLBAS techniques, leveraging Windows tools like PowerShell for payload delivery, detection evasion, and persist…
powershell
xmrig
persistence
cryptomining
monero
lolbas
windows defender evasion
2025-07-07
Published: July 7, 2025
Downloadable IOCs: 4

Uncovering a Tor-Enabled Docker Exploit

A sophisticated attack campaign exploits exposed Docker Remote APIs and leverages the Tor network to deploy stealthy cryptocurrency miners. The attackers gain access to containerized environments, use Tor to mask their activities, and employ the ZStandard compression algorithm for efficient payload…
xmrig
docker
tor
cryptocurrency mining
container exploitation
ssh backdoor
api abuse
2025-06-18
zstandard compression
Published: June 18, 2025
Linked vulnerabilities : CVE-2025-3248 (CVSS 9.8)
Downloadable IOCs: 6

APT carries out attacks with data theft and crypto miner deployment

Librarian Ghouls, an APT group targeting entities in Russia and the CIS, has been conducting a campaign involving targeted phishing emails with malicious archives. The attackers use legitimate third-party software and scripts to establish remote access, steal credentials, and deploy an XMRig crypto…
apt
phishing
xmrig
russia
data theft
crypto mining
2025-06-09
legitimate tools
cis
industrial targets
Published: June 9, 2025
Downloadable IOCs: 55

Blitz Malware: A Tale of Game Cheats and Code Repositories

Blitz is a new Windows-based malware discovered in 2024 consisting of a downloader and bot payload. The latest version was spread through backdoored game cheats for Standoff 2 distributed via Telegram. Blitz abuses Hugging Face Spaces to host components of its C2 infrastructure and payloads. The ma…
xmrig
ddos
information stealing
telegram
cryptocurrency mining
hugging face
blitz
2025-06-06
game cheats
Published: June 6, 2025
Downloadable IOCs: 80

The Sharp Taste of Mimo'lette: Analyzing Mimo's Latest Campaign targeting Craft CMS

Between February and May, multiple exploitations of CVE-2025-32432, a Remote Code Execution vulnerability in Craft CMS, were observed. The attack chain involves deploying a webshell, downloading an infection script, and executing malicious payloads including a loader, crypto miner, and residential …
xmrig
cryptomining
webshell
residential proxy
CVE-2025-32432
2025-05-27
minus ransomware
iproyal
craft cms
Published: May 27, 2025
Linked vulnerabilities : CVE-2024-46483 (CVSS 9.8), CVE-2025-32432 (CVSS 10.0)
Downloadable IOCs: 8

Outlaw cybergang attacking targets worldwide

A recent incident response case in Brazil revealed a Perl-based crypto mining botnet called Outlaw, also known as Dota, targeting Linux environments. The threat actor exploits weak SSH credentials, downloads malicious scripts, and deploys an XMRig miner for Monero cryptocurrency. The botnet include…
linux
backdoor
evasion
xmrig
persistence
botnet
irc
ssh
crypto mining
outlaw
2025-04-29
dota
Published: April 29, 2025
Downloadable IOCs: 0

Mining in Plain Sight: The VS Code Extension Cryptojacking Campaign

A sophisticated cryptomining campaign has been discovered targeting developers through seemingly legitimate VS Code extensions. The campaign, potentially reaching over one million installations, involves fake extensions published by three different authors. These extensions secretly download a Powe…
xmrig
cryptojacking
2025-04-08
developer tools
Published: April 8, 2025
Downloadable IOCs: 11

Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective

OUTLAW is a persistent Linux malware that uses basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence to maintain a long-lasting botnet. Despite its lack of sophistication, it remains active by leveraging simple but impactful tactics. The malware deploys modified …
linux
xmrig
worm
persistence
botnet
irc
ssh
cryptocurrency mining
brute-force
2025-04-03
outlaw
stealth shellbot
blitz
Published: April 3, 2025
Downloadable IOCs: 87

SilentCryptoMiner distributed as a bypass tool

A mass malware campaign is infecting users with a cryptocurrency miner disguised as a tool for bypassing internet restrictions. The campaign has affected over 2,000 victims in Russia, utilizing YouTube channels to spread malicious links. Attackers are blackmailing content creators to post videos wi…
xworm
xmrig
njrat
dcrat
stealth techniques
cryptocurrency mining
silentcryptominer
2025-03-05
phemedrone
blackmail
restriction bypass
python loader
Published: March 5, 2025
Downloadable IOCs: 0

Demystifying PKT and Monero Cryptocurrency deployed on MSSQL servers

This analysis examines a recent cryptocurrency mining operation targeting MSSQL servers, focusing on PKT Classic and Monero cryptocurrencies. The attack exploits vulnerabilities to deploy mining tools, including PacketCrypt for PKT and XMRIG for Monero. The process involves using Windows utilities …
obfuscation
xmrig
exploitation
cryptocurrency mining
monero
packetcrypt
2025-02-20
pkt classic
mssql servers
Published: February 20, 2025
Downloadable IOCs: 0

StaryDobry campaign targets gamers with XMRig miner

A cybercriminal campaign launched on December 31 exploited reduced vigilance during the holiday season by distributing trojanized versions of popular games via torrent sites. The attack, which lasted a month, affected users worldwide by spreading the XMRig cryptominer. The sophisticated infection c…
xmrig
cryptomining
defense evasion
gaming
multi-stage
2025-02-18
torrents
resource spoofing
Published: February 18, 2025
Downloadable IOCs: 15

Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603)

A critical code execution vulnerability, CVE-2024-50603, affecting Aviatrix Controller has been observed being exploited in the wild. This unauthenticated remote code execution flaw allows attackers to execute arbitrary commands on the system, potentially leading to privilege escalation in AWS envi…
backdoor
xmrig
sliver
cloud security
cryptojacking
privilege escalation
aws
rce
CVE-2024-50603
2025-01-13
aviatrix controller
Published: January 13, 2025
Linked vulnerabilities : CVE-2024-50603 (CVSS 10.0), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2021-40870
Downloadable IOCs: 6

Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack

Two npm packages, @rspack/core and @rspack/cli, were compromised in a supply chain attack, allowing the publication of malicious versions containing cryptocurrency mining malware. The attack targeted specific countries and aimed to execute XMRig cryptocurrency miner on Linux hosts. The malicious ve…
linux
xmrig
npm
crypto mining
2024-12-20
rspack
Published: December 20, 2024
Downloadable IOCs: 1

A Deep Dive into TeamTNT and Spinning YARN

TeamTNT is conducting a crypto mining campaign called Spinning YARN, targeting Docker, Redis, YARN, and Confluence. The attack involves server-side scripting vulnerabilities, obfuscated code, and malware deployment. The malware assesses the environment, disables cloud security, establishes persiste…
linux
obfuscation
xmrig
cloud security
docker
yarn
spinning yarn
confluence
2024-12-18
crypto mining
redis
platypus
Published: December 18, 2024
Downloadable IOCs: 35

Unpacking the Diicot Malware Targeting Linux Environments

A new malware campaign attributed to the Romanian-speaking Diicot threat group has been discovered targeting Linux systems. The campaign shows significant advancements compared to previous iterations, including modified UPX headers with corrupted checksums, advanced payload staging, and environment…
malware
linux
openssh
xmrig
persistence
cryptomining
brute-force
2024-12-17
reverse-shell
upx
Published: December 17, 2024
Downloadable IOCs: 36

Technical Analysis of RiseLoader

RiseLoader, a new malware loader family observed in October 2024, implements a custom TCP-based binary network protocol similar to RisePro. It uses VMProtect for obfuscation and has been observed dropping malware families like Vidar, Lumma Stealer, XMRig, and Socks5Systemz. The malware collects inf…
xmrig
cryptocurrency
lumma stealer
malware loader
vidar
risepro
socks5systemz
2024-12-16
riseloader
Published: December 16, 2024
Downloadable IOCs: 0

Compromised ultralytics PyPI package delivers crypto coinminer

A malicious version of the popular AI library ultralytics was published on PyPI, containing downloader code for the XMRig coinminer. The compromise was achieved by exploiting a known GitHub Actions script injection. Two versions, 8.3.41 and 8.3.42, were affected before a clean version 8.3.43 was re…
xmrig
coinminer
pypi
2024-12-07
ultralytics
supply-chain-attack
Published: December 7, 2024
Downloadable IOCs: 0

Gaming Engines: An Undetected Playground for Malware Loaders

Check Point Research uncovered a new technique exploiting the Godot Engine to execute malicious GDScript code, remaining undetected by most antivirus tools. The technique has been used since June 2024, potentially infecting over 17,000 machines. A loader called GodLoader employs this method and is …
xmrig
malware loader
redline
cross-platform
gaming
2024-11-27
godot engine
gdscript
undetected technique
stargazers ghost network
godloader
Published: November 27, 2024
Downloadable IOCs: 0

Threat Campaign Targeting Palo Alto Networks Firewall Devices Observed

Arctic Wolf has identified multiple intrusions across various industries involving Palo Alto Network firewall devices. The attacks likely exploit recently disclosed PAN-OS vulnerabilities CVE-2024-0012 and CVE-2024-9474 for initial access. Affected devices downloaded payloads including the Sliver C…
xmrig
data exfiltration
vulnerability exploitation
webshells
CVE-2024-0012
CVE-2024-9474
2024-11-25
sliver c2
palo alto networks
Published: November 25, 2024
Downloadable IOCs: 14

RunningRAT’s Next Move: From Remote Access to Crypto Mining for Profit

RunningRAT, a remote access trojan initially observed in 2018 targeting the Pyeongchang Winter Olympics, has evolved its capabilities to include cryptocurrency mining. This shift indicates an expansion of the malware's operational focus. The analysis reveals the discovery of RunningRAT samples in o…
xmrig
cryptocurrency mining
remote access trojan
2024-11-06
runningrat
Published: November 6, 2024
Downloadable IOCs: 11

Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale

A new cryptojacking campaign targeting Docker Engine API has been discovered, with the ability to move laterally to Docker Swarm, Kubernetes, and SSH servers. The attackers exploit exposed Docker API endpoints to deploy cryptocurrency miners and additional malicious payloads. They utilize Docker Hu…
xmrig
kubernetes
cryptojacking
docker
2024-09-25
container security
docker swarm
Published: September 25, 2024
Downloadable IOCs: 41

Supershell Malware Being Distributed to Linux SSH Servers

A Chinese-developed Go-based backdoor called Supershell is targeting poorly managed Linux SSH servers. The malware, which supports multiple platforms, primarily functions as a reverse shell for remote system control. Attackers use dictionary attacks from various IP addresses to gain access, then in…
xmrig
ssh
2024-09-20
cryptocurrency mining
supershell
Published: September 20, 2024
Downloadable IOCs: 5

Binary Managed Object File (BMOF) Distributing XMRig CoinMiner

This analysis explores the use of Binary Managed Object Files (BMOFs) in distributing XMRig CoinMiner. BMOFs, compiled versions of Managed Object Files, are not inherently malicious but can be exploited due to their ability to execute scripts. The report details how threat actors utilize BMOFs with…
xmrig
coinminer
2024-09-18
bmof
Published: September 18, 2024
Linked vulnerabilities : CVE-2024-43044, CVE-2024-23897
Downloadable IOCs: 5

Cryptomining Campaign Exploiting Grid Services

Wiz researchers discovered an ongoing threat campaign, dubbed 'SeleniumGreed', that exploits exposed Selenium Grid services for cryptomining. The campaign targets publicly accessible instances of Selenium Grid, an integral component of the widely used Selenium testing framework. By leveraging featu…
xmrig
cryptomining
threat
2024-07-30
webdriver
grid
selenium
Published: July 30, 2024
Downloadable IOCs: 14

Warning Against the Distribution of Malware Disguised as Software Cracks

This advisory cautions about the distribution of malware masquerading as crack programs for software. The malicious actors aim to prevent the installation of V3 Lite, an anti-malware solution, by terminating its installation process. This tactic allows them to maintain persistence and continue upda…
malware
xmrig
coinminer
persistence
installer
2024-07-19
update
Published: July 19, 2024
Downloadable IOCs: 1

CVE-2024-4577 Exploits in the Wild One Day After Disclosure

One of the most recent examples of this onslaught lies in a critical vulnerability discovered in PHP (versions 8.1.*, before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8). The vulnerability is caused by the way PHP and CGI handlers parse certain Unicode characters, which can enable an attack…
rat
xmrig
vulnerability
cryptominer
gh0st rat
muhstik
CVE-2024-4577
2024-07-11
redtail
php injection
Published: July 11, 2024
Downloadable IOCs: 17

Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)

A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
backdoor
exploit
rat
xmrig
vulnerability
plugx
gh0strat
CVE-2024-23692
cobaltstrike
korplug
destroyrat
xenorat
2024-07-03
gothief
Published: July 3, 2024
Linked vulnerabilities : CVE-2024-23692 (CVSS 9.8)
Downloadable IOCs: 14

Examining Water Infection Routine Leading to an XMRig Cryptominer

This report details the multi-stage loading technique utilized by the threat actor Water Sigbin to deliver the PureCrypter loader and XMRig cryptocurrency miner. The actor exploits vulnerabilities in Oracle WebLogic servers, employing fileless execution tactics like DLL reflective and process injec…
obfuscation
xmrig
purecrypter
cryptominer
CVE-2023-21839
CVE-2017-3506
2024-06-28
vulnerability exploitation
multi-stage loading
Published: June 28, 2024
Linked vulnerabilities : CVE-2023-21839, CVE-2017-3506
Downloadable IOCs: 13

Analysis of CoinMiner Attacks Targeting Web Servers

The report details two separate attack cases targeting a Korean medical institution's web server, resulting in the installation of CoinMiners. The targeted server was a Windows IIS server, likely with PACS software installed. In both attacks, web shells were uploaded, and system information was col…
xmrig
coinminer
privilege escalation
earthworm
badpotato
godpotato
2024-06-24
webshell
netcat
cpolar
fscan
printnotifypotato
Published: June 24, 2024
Linked vulnerabilities : CVE-2021-1732
Downloadable IOCs: 59

Analysis of Coin Miner Attack Case Against Domestic Web Server

ASEC has recently confirmed an attack on a domestic medical institution to install a coin miner. The web server that was targeted was a Windows IIS server, and the path name on which the web shell was uploaded suggests that it is a system with the Picture Archiving and Communication System (PACS) p…
xmrig
2024-06-18
godzilla
aspxspy
badpotato
CVE-2021-1732
coin miner
certutil
iis sever
caidao
chopper
behinder
godpotato
ringq
Published: June 18, 2024
Downloadable IOCs: 10

From Clipboard to Compromise: A PowerShell Self-Pwn

This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
malware
social engineering
powershell
xmrig
darkgate
lumma stealer
matanbuchus
2024-06-17
netsupport
malicious script
jaskago
compromise
amadey loader
vidar stealer
Published: June 17, 2024
Downloadable IOCs: 14

Distribution of Malware Under the Guise of MS Office Cracked Versions (XMRig, OrcusRAT, etc.)

The report analyzes a campaign where threat actors distribute various malware strains like RATs, coinminers, and loaders disguised as cracked versions of popular software. South Korean systems are heavily targeted, with malware persisting via scheduled tasks and evading security products. Detailed …
loader
evasion
xmrig
purecrypter
cryptominer
3proxy
antiav
orcusrat
2024-05-30
Published: May 30, 2024
Downloadable IOCs: 11

Unveiling a Crypto Mining Operation

This report uncovers a sophisticated intrusion campaign involving several malicious modules designed to disable security solutions and execute a persistent crypto-miner. The primary payload, dubbed GHOSTENGINE, leverages vulnerable drivers to terminate and delete known endpoint detection and respon…
xmrig
2024-05-22
cryptomining
ghostengine
Published: May 22, 2024
Downloadable IOCs: 17

Malware (XMRig, OrcusRAT, etc.) disguised as MS Office crack

The report details an ongoing malware campaign targeting South Korean users, which disguises malicious payloads as cracked versions of Microsoft Office and other popular software. The attackers are distributing a variety of malware, including downloaders, coin miners, remote access tools (RATs), pr…
obfuscation
rat
xmrig
persistence
2024-05-05
2024-05-06
2024-05-07
2024-05-08
purecrypter
cryptominer
3proxy
antiav
orcusrat
2024-05-09
2024-05-10
Published: May 10, 2024
Downloadable IOCs: 12
Click here to see more Attack Reports