Skip to main content
Mallory
Back to threat actors
2 malware familiesExploits CVEs in the wild

LemonDuck

Also known asLemonDuck

LemonDuck is a threat actor and associated coin-mining malware operation first discovered in 2019. The provided content identifies it as one of at least four threat actors exploiting HTTP File Server (HFS) CVE-2024-23692 to compromise exposed systems and install XMRig Monero miners. In the observed HFS exploitation activity, LemonDuck-associated intrusions also installed XenoRAT and a vulnerability-scanner script. The content states LemonDuck has exploited various vulnerabilities to attack poorly managed systems. The actor is also linked to attacks against poorly managed, internet-exposed Microsoft SQL Server environments. The content describes LemonDuck using scanning and brute-force or dictionary attacks against weak MS-SQL credentials, as well as self-propagation to poorly managed MS-SQL servers. LemonDuck is specifically noted as using xp_cmdshell and CLR Stored Procedures, including re-registering xp_cmdshell if it is unregistered. A LemonDuck-related SqlShell example, evilclr.dll, provides command execution via an ExecCommand() method. Across the described activity, LemonDuck is associated with post-compromise command execution and staging of coin-miner deployment, particularly XMRig/Monero mining. No additional aliases or sub-groups are provided in the content beyond "lemonduck".

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

4 of 15 tactics4 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0043
Reconnaissance
1 technique
T1595
Active Scanning
TA0002
Execution
1 technique
T1203
Exploitation for Client Execution
TA0011
Command and Control
1 technique
T1071
Application Layer Protocol
TA0040
Impact
1 technique
T1496
Resource Hijacking
ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
XenoRAT“Although XMRig CoinMiner is installed in the end, XenoRAT and a vulnerability scanner script are also installed.”1Mar 18, 2026
XMRig“CoinMiner XMRig, a CoinMiner that mines the Monero cryptocurrency, was the one the most used in the attacks.”1Mar 18, 2026
WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2024-23692Unauthenticated RCE in Rejetto HTTP File Server via Template InjectionIn the wildEvidence1

In May 2024, a remote code execution vulnerability (CVE-2024-23692) in HFS was announced... the Proof of Concept (PoC) was announced... threat actor can exploit the CVE-2024-23692 vulnerability after scanning the externally exposed HFS service to install malware or obtain control.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping4

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.