lolMiner
lolMiner is a legitimate GPU-focused cryptocurrency mining program that has been observed being abused as a payload in multiple illicit cryptomining operations. In the provided reporting, it is repeatedly identified as one of several miners dynamically deployed after host compromise, alongside gminer and SRBMiner-MULTI, and in some campaigns it is used specifically to mine Conflux while XMRig mines Monero.
Microsoft-linked reporting describes lolMiner being delivered in an active 2026 cryptojacking campaign that used more than 150 fake software download sites impersonating utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. Victims downloaded ZIP archives containing a legitimate executable and a malicious autorun.dll used for DLL sideloading. The infection chain installed ScreenConnect for persistent remote access, then deployed SimpleRunPE.exe, which established persistence via Registry Run keys, scheduled tasks, and Startup artifacts, added Microsoft Defender exclusions, performed anti-analysis checks, and used process hollowing into trusted Microsoft-signed .NET binaries such as InstallUtil.exe, RegAsm.exe, RegSvcs.exe, MSBuild.exe, AppLaunch.exe, AddInProcess.exe, and aspnet_compiler.exe. After profiling the victim system, the malware contacted attacker infrastructure and downloaded one of the supported GPU miners, including lolMiner. The campaign targeted users likely to own powerful discrete GPUs, including gamers, hardware enthusiasts, and AI developers, and Microsoft warned that the ScreenConnect foothold could also support data theft, lateral movement, and ransomware deployment.
High-confidence infrastructure and artifacts associated with that campaign include gleeze[.]com subdomains, WebSocket C2 wss://minemine.gleeze[.]com:8443/ws, attacker-controlled server 193.42.11[.]108, related IPs 93.115[.]10.35, 198.23[.]185.238, and 2.59.132[.]106, and files such as autorun.dll, vcredist_x64.dll, SimpleRunPE.exe, RuntimeHost.exe, and vlc.exe. Defender exclusion entries explicitly referenced lolMiner.exe, SRBMiner-MULTI.exe, miner.exe, and gminer.exe. The malware also monitored for analysis tools including Task Manager, Process Explorer, Process Hacker, System Informer, dnSpy, x64dbg, IDA, Ghidra, ProcMon, Wireshark, and Fiddler, and paused or terminated mining activity when such tools were detected.
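The chain above leaves several hunt-worthy traces: a Microsoft-signed .NET utility launched by a binary in a user-writable folder, a Defender exclusion naming a miner executable, and a .NET utility making an outbound WebSocket connection to the reported C2. The following is an added example, not code from the original page or from Microsoft; it runs those three rules over endpoint telemetry rendered as constructed key="value" lines. The field names (type, image, parent, path, dest_host, dest_ip, dest_port) are an assumed shape rather than any vendor's real schema, while the binary names, domain suffix and IPs are taken from the reporting above.

```python
"""Hunt logic for the Windows cryptojacking chain described above.

Added example, not code from the original page or from Microsoft. It runs a few
detection rules over endpoint telemetry rendered as constructed key="value" lines;
the field names (type, image, parent, path, dest_host, dest_ip, dest_port) are an
assumed shape, not any vendor's real schema. Indicator values come from the reporting.
"""
import re

# Miner binaries that the campaign explicitly added as Microsoft Defender exclusions.
MINER_NAMES = {"lolminer.exe", "srbminer-multi.exe", "miner.exe", "gminer.exe"}

# Microsoft-signed .NET utilities the campaign used as process-hollowing hosts.
HOLLOWING_HOSTS = {
    "installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
    "applaunch.exe", "addinprocess.exe", "aspnet_compiler.exe",
}

# Reported C2 / attacker infrastructure (defanged in the text, plain here for matching).
C2_DOMAIN_SUFFIX = ".gleeze.com"
C2_IPS = {"193.42.11.108", "93.115.10.35", "198.23.185.238", "2.59.132.106"}

# Path fragments that mark user-writable locations; a .NET host launched from there
# is far more suspicious than one launched by Visual Studio or an installer.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" line into a dict (values are kept verbatim)."""
    return dict(FIELD_RE.findall(line))


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def in_user_writable(path):
    return any(fragment in path.lower() for fragment in USER_WRITABLE)


def classify(event):
    """Return (rule_name, detail) hits for one parsed event."""
    hits = []
    kind = event.get("type")
    if kind == "defender_exclusion":
        name = basename(event.get("path", ""))
        if name in MINER_NAMES:
            hits.append(("defender_exclusion_for_miner", name))
    elif kind == "process_create":
        image = basename(event.get("image", ""))
        parent = event.get("parent", "")
        if image in HOLLOWING_HOSTS and in_user_writable(parent):
            hits.append(("dotnet_host_from_user_writable_parent",
                         f"{image} <- {basename(parent)}"))
    elif kind == "network_connect":
        host = event.get("dest_host", "").lower()
        ip = event.get("dest_ip", "")
        if host.endswith(C2_DOMAIN_SUFFIX) or ip in C2_IPS:
            hits.append(("known_c2_infrastructure", host or ip))
        image = basename(event.get("image", ""))
        if image in HOLLOWING_HOSTS:
            # Plain RegAsm/InstallUtil/... have no business talking to the internet.
            hits.append(("dotnet_host_outbound_connection",
                         f"{image} -> {host or ip}:{event.get('dest_port', '?')}"))
    return hits


def scan(log_text):
    """Run classify() over every non-empty line and collect all hits in order."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            hits.extend(classify(parse_line(line)))
    return hits


# Constructed telemetry modelled on the reported chain (fake download -> SimpleRunPE.exe
# -> hollowed RegAsm.exe -> Defender exclusion -> WebSocket C2 on 8443). Not real logs.
SAMPLE_LOG = r"""
type="process_create" image="C:\Users\alice\Downloads\CrystalDiskInfo\SimpleRunPE.exe" parent="C:\Windows\explorer.exe"
type="process_create" image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" parent="C:\Users\alice\Downloads\CrystalDiskInfo\SimpleRunPE.exe"
type="defender_exclusion" path="C:\ProgramData\lolMiner.exe"
type="network_connect" image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" dest_host="minemine.gleeze.com" dest_ip="193.42.11.108" dest_port="8443"
type="process_create" image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" parent="C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"
"""

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG):
        print(f"{rule:40s} {detail}")
```

The last sample line is the benign control: MSBuild.exe spawned by devenv.exe from Program Files produces no hit, which is the point of keying the hollowing rule on the parent's location rather than on the .NET binary name alone.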
Separate reporting ties lolMiner to attacks against Internet-exposed ComfyUI instances. In that campaign, attackers exploited unauthenticated or unsafe ComfyUI deployments via custom nodes and ComfyUI-Manager to achieve remote code execution, then deployed a shell payload known as ghost.sh. Compromised hosts were enrolled into a cryptomining and proxy botnet, with XMRig used for Monero mining and lolMiner used for Conflux mining, alongside Hysteria v2 proxy functionality. Reported infrastructure included 77.110.96.200, mining pools xmr.kryptex.network:8029 and cfx.kryptex.network:8027, Monero wallet 4BBj3gj4oV7iRikNHDgtETDFRm8Z6kG7diVMo8mDz4zcUiXogiF8chHRKK1THWW43zc8XbGYLfU4rbgeyWYaGpWG4ePiGt4, and Conflux wallet cfx:aaj5xbzcjukme1942fhgxsrxtnf92x7j3adxwu9sns. Persistence and evasion in that campaign included memfd_create-based fileless execution, /dev/shm fallback, an LD_PRELOAD rootkit, watchdog restoration, scattered backups, immutable file flags via chattr +i, and anti-competition logic.
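Each of the Linux persistence and evasion mechanisms listed above is visible from user space: a memfd_create-backed process has a /proc/<pid>/exe link of the form "/memfd:... (deleted)", the /dev/shm fallback shows up the same way, an LD_PRELOAD rootkit normally needs an entry in /etc/ld.so.preload, chattr +i sets the "i" flag that lsattr prints, and the pool connections go to the reported hosts and ports. The following is an added example, not code from the original page or from the researchers who reported the ComfyUI campaign; each check takes a snapshot (a dict or the text of a command's output) so it runs offline on constructed samples, and collect_exe_links() shows how the /proc snapshot would be gathered on a live host. Pool hostnames, ports and the IP come from the reporting; the file and library names in the samples are invented.

```python
"""Linux hunt for the ghost.sh-style persistence described above.

Added example, not code from the original page or from the researchers who reported
the ComfyUI campaign. Each check takes a snapshot (a dict or the text of a command
output) so it runs offline on the constructed samples at the bottom; collect_exe_links()
shows how the /proc snapshot would be gathered on a live host. Pool and IP values come
from the reporting; file names in the samples are invented.
"""
import os

KNOWN_POOLS = {("xmr.kryptex.network", 8029), ("cfx.kryptex.network", 8027)}
KNOWN_IPS = {"77.110.96.200"}


def collect_exe_links(proc="/proc"):
    """Map pid -> readlink(/proc/<pid>/exe) for every process we may inspect (live only)."""
    links = {}
    for pid in os.listdir(proc):
        if pid.isdigit():
            try:
                links[pid] = os.readlink(os.path.join(proc, pid, "exe"))
            except OSError:
                pass  # process exited, or not ours to read
    return links


def memfd_processes(exe_links):
    """memfd_create-backed binaries resolve to '/memfd:<name> (deleted)'; anything
    executing from /dev/shm is the documented fallback when memfd is unavailable."""
    return [(pid, target) for pid, target in exe_links.items()
            if target.startswith("/memfd:") or target.startswith("/dev/shm/")]


def ld_preload_entries(contents):
    """/etc/ld.so.preload is absent or empty on a clean host, so every non-comment
    line is a candidate LD_PRELOAD rootkit library."""
    return [line.strip() for line in contents.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def immutable_files(lsattr_output):
    """Parse lsattr-style lines ('----i---------e------- /path'); the 'i' flag is
    what chattr +i sets and what keeps a watchdog's backups from being removed."""
    found = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            found.append(parts[1].strip())
    return found


def pool_connections(ss_output):
    """Match the peer column of ss-style lines ('ESTAB recvq sendq local peer') against
    the reported pools and IPs. IPv4/hostname peers only; IPv6 would need bracket parsing."""
    hits = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or ":" not in parts[-1]:
            continue
        host, _, port = parts[-1].rpartition(":")
        if host in KNOWN_IPS or (port.isdigit() and (host, int(port)) in KNOWN_POOLS):
            hits.append(parts[-1])
    return hits


def hunt(exe_links, ld_preload, lsattr_output, ss_output):
    """Aggregate the four checks into one report dict."""
    return {
        "fileless_or_shm": memfd_processes(exe_links),
        "ld_preload": ld_preload_entries(ld_preload),
        "immutable": immutable_files(lsattr_output),
        "pool_connections": pool_connections(ss_output),
    }


# Constructed snapshots standing in for a compromised host (not real captures).
SAMPLE_EXE_LINKS = {
    "812": "/usr/bin/python3",
    "1234": "/memfd:x (deleted)",
    "1300": "/dev/shm/.x/lolMiner",
}
SAMPLE_LD_PRELOAD = "# constructed\n/usr/local/lib/libhide.so\n"
SAMPLE_LSATTR = """\
----i---------e------- /etc/ld.so.preload
--------------e------- /etc/hosts
----i---------e------- /usr/local/lib/libhide.so
"""
SAMPLE_SS = """\
ESTAB 0 0 10.0.0.5:51234 cfx.kryptex.network:8027
ESTAB 0 0 10.0.0.5:51235 77.110.96.200:443
ESTAB 0 0 10.0.0.5:51236 example.org:443
"""

if __name__ == "__main__":
    report = hunt(SAMPLE_EXE_LINKS, SAMPLE_LD_PRELOAD, SAMPLE_LSATTR, SAMPLE_SS)
    for check, findings in report.items():
        print(f"{check}: {findings}")
```

On a live host the same report comes from hunt(collect_exe_links(), open("/etc/ld.so.preload").read() if it exists, the output of lsattr on the directories of interest, and the output of ss -tn; the checks are kept free of those calls so they can be unit-tested and run against collected evidence. An LD_PRELOAD rootkit can hide its own entries from tools that run through the loader, so reading /etc/ld.so.preload and /proc from a statically linked binary or a forensic image is the stronger version of this check.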
The content also associates lolMiner with TeamTNT activity and with the ShadowHS Linux intrusion framework. TeamTNT is described as using lolMiner, RainbowMiner, and XMRig in cloud, container, Docker, and Kubernetes-focused cryptomining operations. ShadowHS is described as implementing CPU and GPU mining workflows including XMRig, XMR-Stak, GMiner, and lolMiner, with pool failover logic, alongside credential theft, lateral movement, and covert exfiltration capabilities.
Overall, based on the provided content, lolMiner should be understood not as bespoke malware but as a legitimate GPU miner frequently repurposed by threat actors as a final-stage payload in financially motivated cryptojacking campaigns targeting high-performance systems, Linux/cloud workloads, containers, and exposed AI infrastructure.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic:
Resource Development: 1 technique
Initial Access: 1 technique
Persistence: 1 technique
Privilege Escalation: 1 technique
Stealth: 3 techniques
  "SimpleRunPE.exe does the heavy lifting from there... and uses process hollowing to inject mining code into a trusted Microsoft-signed binary."
Defense Impairment: 1 technique
Discovery: 3 techniques
  "Having established a foothold in the system, the malware collected detailed information about the infected machine."
  "The malware also watches for analysis tools like Windows Task Manager, Process Hacker, and Process Explorer. The moment it detects any of them running, it immediately pauses mining to avoid suspicion."
  "Rather than embedding the miners directly into the malware, the payload dynamically downloaded the most appropriate mining software after conducting extensive reconnaissance on the victim system, including GPU model, CPU specifications, installed antivirus software, memory configuration, and overall system activity."
Command and Control: 2 techniques
Impact: 1 technique
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering: IPs, domains, and DNS infrastructure linked to this family; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting. Full values are available in Mallory.
Recent activity
10 sources tracked across advisories, community write-ups, and news. Source excerpts:
  "lolMiner is one of the final GPU cryptocurrency mining payloads deployed in the campaign to mine cryptocurrency on victim systems."
  "GPU-focused cryptocurrency mining software deployed on compromised systems after reconnaissance to mine cryptocurrency while evading user detection."
  "A cryptocurrency miner that uses the infected system's GPU to mine cryptocurrency."
  "A cryptocurrency mining program downloaded at runtime as part of the final-stage payload."