Digging Gold with a Spoon – Resurgence of Monero-mining Malware

A resurgence of malware deploying XMRig cryptominer was discovered in mid-April 2025, coinciding with a rally in Monero cryptocurrency value. The malware uses a multi-staged approach and LOLBAS techniques, leveraging Windows tools like PowerShell for payload delivery, detection evasion, and persistence. The attack chain involves three stages: initial infection via a batch file, persistence establishment, and cryptomining execution. The malware targets diverse countries, including Russia, Belgium, Greece, and China. It disables Windows Update services, evades Windows Defender, and uses scheduled tasks for persistence. The XMRig miner creates registry entries and drops files for continued operation. Despite its simple, unobfuscated nature, the malware proved effective in avoiding detection.

Pulse ID: 686bd1d71a879c051d569c88
Pulse Link: https://otx.alienvault.com/pulse/686bd1d71a879c051d569c88
Pulse Author: AlienVault
Created: 2025-07-07 13:55:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#China #CryptoMiner #CryptoMining #CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #PowerShell #RAT #Russia #Windows #XMRigMiner #bot #cryptocurrency #AlienVault

Every #appliance that's job is to get hot should be a #cryptoMiner or a #heatPump

#electronics #technology #bitcoin #cryptocurrency #crypto #appliances #home

Malicious #VSCode extensions infect #Windows with cryptominers

https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-infect-windows-with-cryptominers/

#cybersecurity #cryptominer #malware

Cybercriminals are blackmailing YouTubers with fake copyright claims! 😱 They're threatening creators into distributing malware disguised as download links. A trojanized program installs a cryptominer. ⚠️ Be careful what you download! More info: https://www.techradar.com/pro/security/youtubers-targeted-by-blackmail-campaign-to-promote-malware-on-their-channels #cybersecurity #malware #youtube #cryptominer #newz

CVE-2021-41773 oraz CVE-2021-42013 kończące się kopaniem krypto przez RedTail ( https://nfsec.pl/ai/6597 ) #cryptominer #botnet #redtail #linux #security #twittermigration

https://www.youtube.com/watch?v=XEDgaXtpFRM

Fake Job Offers from CrowdStrike Used by Cybercriminals to Distribute Cryptominer - https://www.redpacketsecurity.com/cybercriminals-use-fake-crowdstrike-job-offers-to-distribute-cryptominer/

#threatintel #cryptominer #CrowdStrike #phishing

Phishers abuse #CrowdStrike brand targeting job seekers with #cryptominer
https://securityaffairs.com/172900/cyber-crime/crowdstrike-phishing-campaign-recruitment-branding.html
#securityaffairs #hacking #malware

Kwaadaardige npm-pakketten met cryptominers ontdekt https://www.trendingtech.news/trending-news/2024/12/50408/kwaadaardige-npm-pakketten-met-cryptominers-ontdekt #npm #cryptominer #supply chain #XMRig #cybersecurity #Trending #News #Nieuws

r2ai can be used over source code. Here, with Claude AI, it analyzes a sample of Linux/Rudedevil. I'm asking it to explain what it's doing with signals, and I really like its insights like "The malware likely handles this to prevent crashes when network connections fail" or "likely prevent normal process termination". Really useful to a malware analyst.

#malware #r2ai #rudedevil #cryptominer cc: @radareorg

Ein Krypto-Miner wurde in einigen Versionen des Pip-Pakets ultralytics gefunden. Betroffen sind die Versionen v8.3.41 und v8.3.42 des ultralytics pip-Pakets auf Mac und Linux.
Updaten!
https://blog.comfy.org/comfyui-statement-on-the-ultralytics-crypto-miner-situation/
#DASS #DassNews #ultralytics #cryptominer

While crypto is dumb, this take on crypto is also dumb.

Arkansas officials halt cryptomine near LR Airbase due to national security concerns
https://katv.com/news/local/arkansas-officials-halt-cryptomine-near-lr-airbase-due-to-national-security-concerns-state-senator-ricky-hill-lonoke-county-judge-doug-erwin-cabot-mayor-ken-kincade-interstate-holdings-arkansas-blockchain-council-benjamin-smith-steven-landers-jr-lrafb
#crypto #cryptocurrency #cryptocult #cryptominer #cryptominers #arkansas #littlerock #ArkansasPolitics

#Linux :tux: -#Malware "#Perfctl" befällt offenbar schon seit Jahren Linux-Server | heise online https://www.heise.de/news/Perfectl-Linux-Malware-laesst-Server-heimlich-Kryptomining-und-mehr-ausfuehren-9963118.html #CryptoMiner #cryptocurrencies #cryptocurrency #Proxy #Loader

@dirksche Klingt nach nen #CryptoMiner oder so...

Mal ps -aux bzw. btop aufgemacht?

Ggf. mal in top bzw. htop nachgucken und ggf. /home/ backuppen und das System neu installieren, weil das geht schneller?

New(ish) #cryptominer alert!

The #RedTail cryptominer has a new variant that exploits the recent critical PAN-OS vuln CVE-2024-3400. You may be aware of RedTail from its Log4Shell days, now it's going after at least 6 known vulnerabilities including the PAN-OS, recent Ivanti Connect Secure vulns, and ThinkPHP.

The write-up goes into a lot more technical detail and provides IoCs and mitigations. Here are the highlights:

🔐 Attackers behind this are using private cryptomining pools. It costs a loooootttt of money and time to do this. It also helps obfuscation. This can tell us some things about who is behind this.

👨‍💻 The tactics observed here mirror tactics previously seen by the Lazarus group. This nation-state theory is supported by the private pools point, but we cannot say that for certain.

🌐 The malware delivery infrastructure relies on multiple unrelated servers hosted by various ✨ legitimate ✨ hosting companies. It is robust and hard to classify as malicious without deeper examination.

Full write up includes IoCs and mitigations:
https://www.akamai.com/blog/security-research/2024-redtail-cryptominer-pan-os-cve-exploit

Incredible work Ryan Barnett Stiv Kupchik and Maxim Zavodchik. I have the coolest job in the world thanks to these folks and their awesome research.

#security #research #crypto

1) #Harfbuzz is a #text shaping engine, it's used in #Android, #Chrome, #ChromeOS, #Firefox, #GNOME, #GTK+, #KDE, #Qt, #LibreOffice, #OpenJDK, #XeTeX, #PlayStation, #Microsoft #Edge, #Adobe #Photoshop, #Illustrator, #InDesign, #Godot Engine, and other places.

2) Harfbuzz 8.0 introduces a #Wasm shaper, that allows #WebAssembly to be embedded in a #font file. https://www.phoronix.com/news/HarfBuzz-8.0

3) It's only a matter of time until someone embeds a #cryptominer in a font file.

#hacking #fonts #tech

#cybersecurity #threatintel #campaign #backdoor #cryptominer

Users of eScan antivirus are advised to update ASAP to the latest version, and scan their devices for malicious files and processes.

#cybersecurity #threatintel #campaign #backdoor #cryptominer

The campaign is believed to be state-sponsored. The attack works by substituting eScan antivirus software updates with a malicious version. The issue was unnoticed for at least 5 years, but has been fixed as of July 31, 2023.

Security researchers have revealed a malware campaign that exploits the software update mechanism of eScan antivirus to distribute backdoors and cryptocurrency miners.

#cybersecurity #threatintel #campaign #backdoor #cryptominer

https://thehackernews.com/2024/04/escan-antivirus-update-mechanism.html

Sysdig provides a threat actor profile on RUBYCARP, described as a Romanian financially motivated threat actor group actively running a botnet for the past 10 years. They have some crossover with the Outlaw APT group. Their payloads are geared towards cryptomining, DDoS, and Phishing. Initial access includes exploitation of CVE-2021-3129 (9.8 critical, disclosed 12 January 2021, in KEV Catalog, Laravel RCE). Sysdig also IRC talks communication and group hierarchy. IOC for crypto mining pools and various IP/domains scattered throughout article.🔗 https://sysdig.com/blog/rubycarp-romanian-botnet-group/

#RUBYCARP #cybercrime #cryptominer #threatintel #IOC #CVE_2021_3129