PureMiner
PureMiner is a stealthy .NET cryptominer associated with the PureCoder malware suite and observed in financially motivated campaigns. Reporting links it to REF1695, which has used fake software installers and ISO lures since at least November 2023 to deploy PureMiner alongside payloads such as PureRAT, custom .NET-based XMRig loaders, CNB Bot, and SilentCryptoMiner. PureMiner has also been delivered in phishing campaigns, including SVG/CHM/HTA-based intrusion chains impersonating Ukrainian government entities, where CountLoader was used to deliver both Amatera Stealer and PureMiner.
High-confidence descriptions characterize PureMiner as a hidden, stealth, silent miner used to mine cryptocurrency for the threat actor’s wallet; one source explicitly states it can automatically mine ETHW or BTC. Other reporting identifies the decrypted payload as a stealthy .NET cryptominer. In FortiGuard’s Ukraine-focused campaign, PureMiner was implemented in .NET with Ahead-of-Time compilation, stored encrypted in the .rdata section, decrypted, and injected into a newly created .NET Framework tool process via process hollowing. It can deploy CPU-based or GPU-based mining modules depending on attacker configuration.
Observed behavior includes system and hardware profiling prior to mining. PureMiner collects system information, including video adapter specifications and usage details, checks for at least 4 GB of memory, queries video adapter information from the Windows registry, and uses AMD Display Library APIs (atiadlxx.dll/atiadlxy.dll) and NVIDIA APIs (nvapi.dll/nvapi64.dll) to gather GPU memory details. Separate Elastic reporting notes PureMiner dynamically loaded atiadlxx.dll, atiadlxy.dll, and nvapi64.dll, consistent with GPU hardware profiling. PureMiner communicates with command-and-control infrastructure, sending serialized victim information and receiving serialized commands; FortiGuard reported its C2 traffic is encrypted with 3DES. Elastic reported C2 domains including wndlogon.hopto[.]org, wndlogon.itemdb[.]com, wndlogon.ydns[.]eu, and wndlogon.kozow[.]com, and a mutex/comms key of 4c271ad41ea2f6a44ce8d0.
Capabilities directly described in the reporting include downloading and executing additional payloads, removing persistence, monitoring for analysis tools, checking the active window, and detecting system idleness. Analysis-tool monitoring specifically referenced Task Manager, SystemInformer, Process Hacker, Process Explorer, and Perfmon. Campaign context also shows operators disabling Windows sleep and hibernation to maximize mining uptime.
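The observable behaviours above (cross-vendor GPU library loading, the reported wndlogon.* C2 hosts, and the reported mutex value) can be turned into a simple hunt. The following is an added example, not code from the page or from any vendor report; it replays constructed Sysmon-style events whose field layout and image paths are assumptions.

```python
"""Added hunting example, not code from the original page or any vendor
report. It replays constructed Sysmon-style events (field layout assumed)
and flags three behaviours described above: one process loading both AMD
(atiadlxx/atiadlxy) and NVIDIA (nvapi/nvapi64) display libraries, DNS
lookups for the reported wndlogon.* C2 hosts, and the reported mutex."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators quoted in the write-up (defanging brackets removed).
C2_DOMAINS = {"wndlogon.hopto.org", "wndlogon.itemdb.com",
              "wndlogon.ydns.eu", "wndlogon.kozow.com"}
MUTEX = "4c271ad41ea2f6a44ce8d0"
AMD_DLLS = {"atiadlxx.dll", "atiadlxy.dll"}
NVIDIA_DLLS = {"nvapi.dll", "nvapi64.dll"}

# Constructed events: (event_type, pid, image, value). Image paths are
# placeholders; the page does not name the hollowed .NET tool process.
SAMPLE_EVENTS = [
    ("ImageLoad", 4120, r"C:\placeholder\dotnet_tool.exe", r"C:\Windows\System32\atiadlxx.dll"),
    ("ImageLoad", 4120, r"C:\placeholder\dotnet_tool.exe", r"C:\Windows\System32\nvapi64.dll"),
    ("ImageLoad", 4120, r"C:\placeholder\dotnet_tool.exe", r"C:\Windows\System32\atiadlxy.dll"),
    ("DnsQuery", 4120, r"C:\placeholder\dotnet_tool.exe", "wndlogon.hopto.org"),
    ("CreateMutex", 4120, r"C:\placeholder\dotnet_tool.exe", MUTEX),
    # Benign single-vendor GPU utility: loads only NVIDIA's library.
    ("ImageLoad", 880, r"C:\placeholder\gpu_panel.exe", r"C:\Windows\System32\nvapi64.dll"),
    ("DnsQuery", 880, r"C:\placeholder\gpu_panel.exe", "updates.example.com"),
]

def hunt(events):
    """Return sorted (pid, reason) findings; empty list if nothing matches."""
    loads = defaultdict(set)
    findings = set()
    for kind, pid, _image, value in events:
        if kind == "ImageLoad":
            loads[pid].add(PureWindowsPath(value).name.lower())
        elif kind == "DnsQuery" and value.lower().rstrip(".") in C2_DOMAINS:
            findings.add((pid, f"dns:{value.lower()}"))
        elif kind == "CreateMutex" and value.lower() == MUTEX:
            findings.add((pid, "mutex"))
    # Heuristic: a single process probing both vendors' display libraries is
    # unusual outside cross-vendor GPU tooling and matches the profiling step.
    for pid, dlls in loads.items():
        if dlls & AMD_DLLS and dlls & NVIDIA_DLLS:
            findings.add((pid, "gpu_profiling:" + ",".join(sorted(dlls))))
    return sorted(findings)

if __name__ == "__main__":
    for pid, reason in hunt(SAMPLE_EVENTS):
        print(pid, reason)
```

The GPU-library rule is a heuristic and will also fire on legitimate cross-vendor monitoring tools, so pair it with the process-hollowing context (an unexpected .NET Framework tool process) before acting on it.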
Targeting described in the available reporting is primarily Windows systems. Campaigns distributing PureMiner were financially motivated and aimed at monetization through cryptomining, with some operations also pairing it with credential theft malware such as Amatera Stealer. The malware is part of a broader commoditized ecosystem marketed under the PureCoder brand, which also includes PureLogs, PureCrypter, PureHVNC, and PureRAT.
Groups observed using it
2 distinct threat actors attributed by public researchers.
REF1695 also leveraged ISO lures to spread the PureMiner and PureRAT payloads...
PureMiner: This is a hidden, stealth, silent miner; an attacker can use it for bots or spread it, and it will automatically mine ETHW or BTC to the TA's wallet.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
These attacks leverage an ISO file as the infection vector to deliver a .NET Reactor-protected loader
Execution
3 techniques
TTP: Python-Based Infostealer Payload. MITRE Technique: T1059.006 – Command and Scripting Interpreter: Python. Description: Core PXA Stealer signature across all known campaigns
Beyond the C2 infrastructure, the threat actor abuses GitHub as a payload delivery CDN, hosting staged binaries across two identified accounts
These attacks leverage an ISO file as the infection vector to deliver a .NET Reactor-protected loader and a text file with explicit instructions to the user to bypass Microsoft Defender SmartScreen protections against running unrecognized applications by clicking on "More info" and "Run anyway."
Stealth
2 techniques
Threat operation REF1695 has been harnessing counterfeit installers to facilitate multiple attack campaigns delivering remote access trojans and cryptocurrency mining malware since November 2023.
Discovery
1 technique
Fields sent on every request: ... cpu: processor name from the registry; gpu: GPU name(s) from registry; gpu_type: yes (discrete) / no (integrated)
Collection
1 technique
While most recent campaigns involved a fake ISO file that distributed a .NET Reactor-protected loader and text file facilitating the eventual deployment of the CNB Bot implant... REF1695 also leveraged ISO lures to spread the PureMiner and PureRAT payloads...
Command and Control
1 technique
Beyond the C2 infrastructure, the threat actor abuses GitHub as a payload delivery CDN, hosting staged binaries across two identified accounts.
IOCs tracked for this family
5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Cryptocurrency mining malware delivered via counterfeit installer and ISO lure campaigns.
A cryptocurrency miner delivered through ISO lure-based campaigns associated with REF1695.
A mining malware component with a PE loader similar to PureRAT. It uses Protobuf-serialized configuration, communicates with multiple C2 servers, and performs GPU hardware profiling by loading AMD and NVIDIA libraries, consistent with cryptomining activity.
A miner payload added in some campaigns by the same threat actor.