Tag: xmrig

29 Attack Reports | 0 Vulnerabilities

Attack reports

Outlaw cybergang attacking targets worldwide

A recent incident response case in Brazil revealed a Perl-based crypto mining botnet called Outlaw, also known as Dota, targeting Linux environments. The threat actor exploits weak SSH credentials, downloads malicious scripts, and deploys an XMRig miner for Monero cryptocurrency. The botnet include…
linux
backdoor
evasion
xmrig
persistence
botnet
irc
ssh
crypto mining
outlaw
2025-04-29
dota
Published: April 29, 2025
Downloadable IOCs: 0

Mining in Plain Sight: The VS Code Extension Cryptojacking Campaign

A sophisticated cryptomining campaign has been discovered targeting developers through seemingly legitimate VS Code extensions. The campaign, potentially reaching over one million installations, involves fake extensions published by three different authors. These extensions secretly download a Powe…
xmrig
cryptojacking
2025-04-08
developer tools
Published: April 8, 2025
Downloadable IOCs: 11

Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly Effective

OUTLAW is a persistent Linux malware that uses basic techniques like SSH brute-forcing, SSH key manipulation, and cron-based persistence to maintain a long-lasting botnet. Despite its lack of sophistication, it remains active by leveraging simple but impactful tactics. The malware deploys modified …
linux
xmrig
worm
persistence
botnet
irc
ssh
cryptocurrency mining
brute-force
2025-04-03
outlaw
stealth shellbot
blitz
Published: April 3, 2025
Downloadable IOCs: 87

SilentCryptoMiner distributed as a bypass tool

A mass malware campaign is infecting users with a cryptocurrency miner disguised as a tool for bypassing internet restrictions. The campaign has affected over 2,000 victims in Russia, utilizing YouTube channels to spread malicious links. Attackers are blackmailing content creators to post videos wi…
xworm
xmrig
njrat
dcrat
stealth techniques
cryptocurrency mining
silentcryptominer
2025-03-05
phemedrone
blackmail
restriction bypass
python loader
Published: March 5, 2025
Downloadable IOCs: 0

Demystifying PKT and Monero Cryptocurrency deployed on MSSQL servers

This analysis examines a recent cryptocurrency mining operation targeting MSSQL servers, focusing on PKT Classic and Monero cryptocurrencies. The attack exploits vulnerabilities to deploy mining tools, including PacketCrypt for PKT and XMRIG for Monero. The process involves using Windows utilities …
obfuscation
xmrig
exploitation
cryptocurrency mining
monero
packetcrypt
2025-02-20
pkt classic
mssql servers
Published: February 20, 2025
Downloadable IOCs: 0

StaryDobry campaign targets gamers with XMRig miner

A cybercriminal campaign launched on December 31 exploited reduced vigilance during the holiday season by distributing trojanized versions of popular games via torrent sites. The attack, which lasted a month, affected users worldwide by spreading the XMRig cryptominer. The sophisticated infection c…
xmrig
cryptomining
defense evasion
gaming
multi-stage
2025-02-18
torrents
resource spoofing
Published: February 18, 2025
Downloadable IOCs: 15

Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603)

A critical code execution vulnerability, CVE-2024-50603, affecting Aviatrix Controller has been observed being exploited in the wild. This unauthenticated remote code execution flaw allows attackers to execute arbitrary commands on the system, potentially leading to privilege escalation in AWS envi…
backdoor
xmrig
sliver
cloud security
cryptojacking
privilege escalation
aws
rce
CVE-2024-50603
2025-01-13
aviatrix controller
Published: January 13, 2025
Linked vulnerabilities : CVE-2024-50603 (CVSS 10.0), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2021-40870
Downloadable IOCs: 6

Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack

Two npm packages, @rspack/core and @rspack/cli, were compromised in a supply chain attack, allowing the publication of malicious versions containing cryptocurrency mining malware. The attack targeted specific countries and aimed to execute XMRig cryptocurrency miner on Linux hosts. The malicious ve…
linux
xmrig
npm
crypto mining
2024-12-20
rspack
Published: December 20, 2024
Downloadable IOCs: 1

A Deep Dive into TeamTNT and Spinning YARN

TeamTNT is conducting a crypto mining campaign called Spinning YARN, targeting Docker, Redis, YARN, and Confluence. The attack involves server-side scripting vulnerabilities, obfuscated code, and malware deployment. The malware assesses the environment, disables cloud security, establishes persiste…
linux
obfuscation
xmrig
cloud security
docker
yarn
spinning yarn
confluence
2024-12-18
crypto mining
redis
platypus
Published: December 18, 2024
Downloadable IOCs: 35

Unpacking the Diicot Malware Targeting Linux Environments

A new malware campaign attributed to the Romanian-speaking Diicot threat group has been discovered targeting Linux systems. The campaign shows significant advancements compared to previous iterations, including modified UPX headers with corrupted checksums, advanced payload staging, and environment…
malware
linux
openssh
xmrig
persistence
cryptomining
brute-force
2024-12-17
reverse-shell
upx
Published: December 17, 2024
Downloadable IOCs: 36

Technical Analysis of RiseLoader

RiseLoader, a new malware loader family observed in October 2024, implements a custom TCP-based binary network protocol similar to RisePro. It uses VMProtect for obfuscation and has been observed dropping malware families like Vidar, Lumma Stealer, XMRig, and Socks5Systemz. The malware collects inf…
xmrig
cryptocurrency
lumma stealer
malware loader
vidar
risepro
socks5systemz
2024-12-16
riseloader
Published: December 16, 2024
Downloadable IOCs: 0

Compromised ultralytics PyPI package delivers crypto coinminer

A malicious version of the popular AI library ultralytics was published on PyPI, containing downloader code for the XMRig coinminer. The compromise was achieved by exploiting a known GitHub Actions script injection. Two versions, 8.3.41 and 8.3.42, were affected before a clean version 8.3.43 was re…
xmrig
coinminer
pypi
2024-12-07
ultralytics
supply-chain-attack
Published: December 7, 2024
Downloadable IOCs: 0

Gaming Engines: An Undetected Playground for Malware Loaders

Check Point Research uncovered a new technique exploiting the Godot Engine to execute malicious GDScript code, remaining undetected by most antivirus tools. The technique has been used since June 2024, potentially infecting over 17,000 machines. A loader called GodLoader employs this method and is …
xmrig
malware loader
redline
cross-platform
gaming
2024-11-27
godot engine
gdscript
undetected technique
stargazers ghost network
godloader
Published: November 27, 2024
Downloadable IOCs: 0

Threat Campaign Targeting Palo Alto Networks Firewall Devices Observed

Arctic Wolf has identified multiple intrusions across various industries involving Palo Alto Network firewall devices. The attacks likely exploit recently disclosed PAN-OS vulnerabilities CVE-2024-0012 and CVE-2024-9474 for initial access. Affected devices downloaded payloads including the Sliver C…
xmrig
data exfiltration
vulnerability exploitation
webshells
CVE-2024-0012
CVE-2024-9474
2024-11-25
sliver c2
palo alto networks
Published: November 25, 2024
Downloadable IOCs: 14

RunningRAT’s Next Move: From Remote Access to Crypto Mining for Profit

RunningRAT, a remote access trojan initially observed in 2018 targeting the Pyeongchang Winter Olympics, has evolved its capabilities to include cryptocurrency mining. This shift indicates an expansion of the malware's operational focus. The analysis reveals the discovery of RunningRAT samples in o…
xmrig
cryptocurrency mining
remote access trojan
2024-11-06
runningrat
Published: November 6, 2024
Downloadable IOCs: 11

Threat Actors leverage Docker Swarm and Kubernetes to mine cryptocurrency at scale

A new cryptojacking campaign targeting Docker Engine API has been discovered, with the ability to move laterally to Docker Swarm, Kubernetes, and SSH servers. The attackers exploit exposed Docker API endpoints to deploy cryptocurrency miners and additional malicious payloads. They utilize Docker Hu…
xmrig
kubernetes
cryptojacking
docker
2024-09-25
container security
docker swarm
Published: September 25, 2024
Downloadable IOCs: 41

Supershell Malware Being Distributed to Linux SSH Servers

A Chinese-developed Go-based backdoor called Supershell is targeting poorly managed Linux SSH servers. The malware, which supports multiple platforms, primarily functions as a reverse shell for remote system control. Attackers use dictionary attacks from various IP addresses to gain access, then in…
xmrig
ssh
2024-09-20
cryptocurrency mining
supershell
Published: September 20, 2024
Downloadable IOCs: 5

Binary Managed Object File (BMOF) Distributing XMRig CoinMiner

This analysis explores the use of Binary Managed Object Files (BMOFs) in distributing XMRig CoinMiner. BMOFs, compiled versions of Managed Object Files, are not inherently malicious but can be exploited due to their ability to execute scripts. The report details how threat actors utilize BMOFs with…
xmrig
coinminer
2024-09-18
bmof
Published: September 18, 2024
Linked vulnerabilities : CVE-2024-43044, CVE-2024-23897
Downloadable IOCs: 5

Cryptomining Campaign Exploiting Grid Services

Wiz researchers discovered an ongoing threat campaign, dubbed 'SeleniumGreed', that exploits exposed Selenium Grid services for cryptomining. The campaign targets publicly accessible instances of Selenium Grid, an integral component of the widely used Selenium testing framework. By leveraging featu…
xmrig
cryptomining
threat
2024-07-30
webdriver
grid
selenium
Published: July 30, 2024
Downloadable IOCs: 14

Warning Against the Distribution of Malware Disguised as Software Cracks

This advisory cautions about the distribution of malware masquerading as crack programs for software. The malicious actors aim to prevent the installation of V3 Lite, an anti-malware solution, by terminating its installation process. This tactic allows them to maintain persistence and continue upda…
malware
xmrig
coinminer
persistence
installer
2024-07-19
update
Published: July 19, 2024
Downloadable IOCs: 1

CVE-2024-4577 Exploits in the Wild One Day After Disclosure

One of the most recent examples of this onslaught lies in a critical vulnerability discovered in PHP (versions 8.1.*, before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8). The vulnerability is caused by the way PHP and CGI handlers parse certain Unicode characters, which can enable an attack…
rat
xmrig
vulnerability
cryptominer
gh0st rat
muhstik
CVE-2024-4577
2024-07-11
redtail
php injection
Published: July 11, 2024
Downloadable IOCs: 17

Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)

A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
backdoor
exploit
rat
xmrig
vulnerability
plugx
gh0strat
CVE-2024-23692
cobaltstrike
korplug
destroyrat
xenorat
2024-07-03
gothief
Published: July 3, 2024
Linked vulnerabilities : CVE-2024-23692 (CVSS 9.8)
Downloadable IOCs: 14

Examining Water Infection Routine Leading to an XMRig Cryptominer

This report details the multi-stage loading technique utilized by the threat actor Water Sigbin to deliver the PureCrypter loader and XMRig cryptocurrency miner. The actor exploits vulnerabilities in Oracle WebLogic servers, employing fileless execution tactics like DLL reflective and process injec…
obfuscation
xmrig
purecrypter
cryptominer
CVE-2023-21839
CVE-2017-3506
2024-06-28
vulnerability exploitation
multi-stage loading
Published: June 28, 2024
Linked vulnerabilities : CVE-2023-21839, CVE-2017-3506
Downloadable IOCs: 13

Analysis of CoinMiner Attacks Targeting Web Servers

The report details two separate attack cases targeting a Korean medical institution's web server, resulting in the installation of CoinMiners. The targeted server was a Windows IIS server, likely with PACS software installed. In both attacks, web shells were uploaded, and system information was col…
xmrig
coinminer
privilege escalation
earthworm
badpotato
godpotato
2024-06-24
webshell
netcat
cpolar
fscan
printnotifypotato
Published: June 24, 2024
Linked vulnerabilities : CVE-2021-1732
Downloadable IOCs: 59

Analysis of Coin Miner Attack Case Against Domestic Web Server

ASEC has recently confirmed an attack on a domestic medical institution to install a coin miner. The web server that was targeted was a Windows IIS server, and the path name on which the web shell was uploaded suggests that it is a system with the Picture Archiving and Communication System (PACS) p…
xmrig
2024-06-18
godzilla
aspxspy
badpotato
CVE-2021-1732
coin miner
certutil
iis sever
caidao
chopper
behinder
godpotato
ringq
Published: June 18, 2024
Downloadable IOCs: 10

From Clipboard to Compromise: A PowerShell Self-Pwn

This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like Dar…
malware
social engineering
powershell
xmrig
darkgate
lumma stealer
matanbuchus
2024-06-17
netsupport
malicious script
jaskago
compromise
amadey loader
vidar stealer
Published: June 17, 2024
Downloadable IOCs: 14

Distribution of Malware Under the Guise of MS Office Cracked Versions (XMRig, OrcusRAT, etc.)

The report analyzes a campaign where threat actors distribute various malware strains like RATs, coinminers, and loaders disguised as cracked versions of popular software. South Korean systems are heavily targeted, with malware persisting via scheduled tasks and evading security products. Detailed …
loader
evasion
xmrig
purecrypter
cryptominer
3proxy
antiav
orcusrat
2024-05-30
Published: May 30, 2024
Downloadable IOCs: 11

Unveiling a Crypto Mining Operation

This report uncovers a sophisticated intrusion campaign involving several malicious modules designed to disable security solutions and execute a persistent crypto-miner. The primary payload, dubbed GHOSTENGINE, leverages vulnerable drivers to terminate and delete known endpoint detection and respon…
xmrig
2024-05-22
cryptomining
ghostengine
Published: May 22, 2024
Downloadable IOCs: 17

Malware (XMRig, OrcusRAT, etc.) disguised as MS Office crack

The report details an ongoing malware campaign targeting South Korean users, which disguises malicious payloads as cracked versions of Microsoft Office and other popular software. The attackers are distributing a variety of malware, including downloaders, coin miners, remote access tools (RATs), pr…
obfuscation
rat
xmrig
persistence
2024-05-05
2024-05-06
2024-05-07
2024-05-08
purecrypter
cryptominer
3proxy
antiav
orcusrat
2024-05-09
2024-05-10
Published: May 10, 2024
Downloadable IOCs: 12
Click here to see more Attack Reports