MalwareRansomware

CoinMiner

CoinMiner is a cryptocurrency-mining malware family. The provided reporting describes it primarily as a Windows-focused miner that typically uses Windows Management Instrumentation (WMI) to spread laterally across a network and often uses WMI Standard Event Consumer scripting for persistence. Multiple variants exist, and observed infection vectors include malspam, being dropped by other malware, PowerShell-based retrieval and execution, exploitation of vulnerable or weakly protected internet-exposed services, and follow-on deployment after other malware such as SocGholish. CoinMiner was observed in attacks against exposed MS-SQL servers, where attackers installed the miner after gaining access, and in broader opportunistic scanning of externally exposed systems with vulnerable services. It was also referenced in Linux SSH threat telemetry as one of the main malware threats observed against Linux SSH services. Reporting further identified an active campaign in which a CoinMiner payload was signed with a stolen AnyDesk Software GmbH certificate and delivered alongside numerous other payloads in an Amadey-linked operation assessed as consistent with an initial access broker or ransomware affiliate playbook. Another report identified an exposed HTTPS file server at 118.209.200.36:8443 in TPG Telecom Limited IP space as active staging infrastructure for a CoinMiner plus Android APK distribution campaign, with .apk, .lnk, and .scr payloads hosted there. Known detections and indicators mentioned in the content include detection names Win.Worm.Coinminer::1201 and Coinminer:MBT.26mw.in14.Talos, a prevalent sample with SHA-256 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 and MD5 2915b3f8b703eb744fc54c81f4a9c67f, and the staging server 118.209.200.36:8443.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Stealth

1 technique

T1036.001Invalid Code SignatureEvidence1

MITRE ATT&CK Mapping Tactic Technique ID Implementation Defense Evasion Masquerading: Invalid Code Signature T1036.001 Stolen/abused code signing certs

Defense Impairment

1 technique

T1553.002Code SigningEvidence2

MITRE ATT&CK Mapping Tactic Technique ID Implementation Defense Evasion Subvert Trust Controls: Code Signing T1553.002 AnyDesk, ConnectWise stolen certs

Credential Access

1 technique

T1110Brute ForceEvidence1

after scanning the SSH service, the threat actor attempted to log in to the honeypot Linux server

Impact

1 technique

T1496Resource HijackingEvidence2

MITRE ATT&CK Mapping Tactic Technique ID Application in This Campaign Impact Resource Hijacking T1496 CoinMiner deployment for cryptojacking

INDICATORS OF COMPROMISE

IOCs tracked for this family

25 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

9 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes

12 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other

4 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting

hash.md5●●●●●●●●●●●●View more in app1 month ago

hash.sha256●●●●●●●●●●●●View more in app1 month ago

domain●●●●●●●●●●●●View more in app3 months ago

ip.v4●●●●●●●●●●●●View more in app3 months ago

ACTIVITY FEED

Recent activity

12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

12 SOURCESView more in app

ahnlab asec blogNews

Apr 12, 2026

Q1 2026 Malware Statistics Report for Linux SSH Servers - ASEC

A coin-mining malware category/name referenced as one of the main threats in the observed Linux SSH attacks.

breakglass intelNews

Mar 12, 2026

Amadey Botnet Campaign "fbf543" Weaponizes 9 Legitimate RMM Tools Across 5 Vendors for EDR-Evasive Persistence - Breakglass Intelligence - Breakglass Intelligence

CoinMiner is used for cryptocurrency mining and immediate monetization, and in this campaign it is signed with a stolen AnyDesk certificate to blend in.

the hacker newsNews

Jan 8, 2026

ThreatsDay Bulletin: RustFS Flaw, Iranian Ops, WebUI RCE, Cloud Leaks, and 12 More Stories

CoinMiner is a generic term for malware that mines cryptocurrency on infected systems, often Monero or other privacy coins.

cisecurity blog msisca and eiisacNews

Nov 14, 2025

Top 10 Malware Q3 2025

Cryptocurrency mining malware that spreads via malspam or is dropped by other malware, often using WMI for lateral movement and persistence.

+8 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching25

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.