XMRig
XMRig is an open-source, cross-platform cryptocurrency miner most commonly used to mine Monero, with support for the RandomX, KawPow, CryptoNight, and GhostRider algorithms on CPUs and GPUs. In the reporting collected here it appears repeatedly as the final mining payload, or as the basis for modified miner variants, used by threat actors across Windows, Linux, and containerized environments.
Observed malicious use includes delivery through PowerShell and shell scripts, trojanized software distribution pipelines, malicious VS Code extensions, exploitation of internet-facing services and vulnerabilities, and post-compromise deployment following RAT or botnet infections. Reported campaigns installed XMRig after disabling or evading security controls, including adding Windows Defender exclusions and attempting to disable Windows Defender, Malwarebytes, Sophos, and other protections. Some variants were modified or wrapped by loaders and persistence mechanisms, including Windows services, scheduled or idle-triggered execution, cron jobs, systemd services, and binaries renamed to blend in (for example as nginx). One analyzed Windows sample copied itself to C:\Program Files\Hola\HolaMonitorService.exe and created the service hola_monitor_svc; a Blackmoon-linked deployment dropped XMRig v6.18 as WmiPrvSER.exe and created the mutex BaseNamedObjects\Win__Host.
The content links XMRig deployment to multiple threat clusters and campaigns, including GREYVIBE, TeamPCP-related activity, Blackmoon/KRBanker monetization activity, DreamBus, Prometei, DDG.Mining.Botnet, React2Shell exploitation campaigns, and opportunistic exploitation of VMware Workspace ONE Access/Identity Manager flaws. In several cases it was deployed alongside other malware or tooling such as LegionRelay, PhantomRelay, Sliver, Kaiji, Rustobot, CrossC2, Tactical RMM, VShell, EtherRAT, and credential theft modules. Some campaigns used XMRig purely for monetization; in others its presence was read by analysts as an indicator of cybercrime overlap or of undisciplined post-compromise behavior.
Notable behaviors and indicators named directly in the content include the strings "killed orphan miner pid %d" and "user active, stopping miner" and the Go module path "m/cmd/xmrig-idle", which point to an XMRig-based miner wrapped in a Go binary that mines only while the host is idle; connections to mining-related infrastructure including us[.]zephyr[.]herominers[.]com, xmrig[.]com, and pool[.]hashvault[.]pro:443; use of modified XMRig payloads; and versions 5.5.3, 6.18, and 6.24.0. The one file hash the content ties explicitly to an XMRig sample is MD5 859fbbedefc95a90d243a0a9b92d1ae9, an XMRig binary renamed nginx inside a malicious container image. Overall, the material shows XMRig as a widely reused miner payload embedded in diverse intrusion chains for resource hijacking and monetization.
Vulnerabilities exploited
22 CVEs correlated with this family across public research and vendor advisories.
Ahnlab Security Emergency response Center (ASEC) has recently confirmed that the 8220 Gang attack group is using the Log4Shell vulnerability to install CoinMiner on VMware Horizon servers. Log4Shell (CVE-2021-44228) is a remote code execution vulnerability in the Java-based logging utility Log4j...
The group targets not only global systems but also Korean ones. ASEC has introduced a case where the attack group abused the Atlassian Confluence server vulnerability CVE-2022-26134 to attack Korean systems and install CoinMiner. | If the CVE-2022-26134 vulnerability attack succeeds, the following PowerShell command downloads and executes additional PowerShell scripts and ultimately installs XMRig CoinMiner.
React2Shell in Russia: ... Most of the attacks deployed XMRig-based cryptominers.
In this cluster of activity, since at least March 25, 2026, an XMRig sample and its accompanying configuration file were downloaded and deployed via a shell script.
Several devices initiated TCP connections to endpoints affiliated with cryptomining pools such as us[.]zephyr[.]herominers[.]com and xmrig[.]com. Connectivity to these domains indicates likely successful installation of mining software during earlier stages of post-compromise activity.
CVE-2022-22954, a remote code execution (RCE) vulnerability due to server-side template injection in VMware Workspace ONE Access and Identity Manager, is trivial to exploit with a single HTTP request to a vulnerable device.
Apache RocketMQ Exploit Module (CVE-2023-33246) ... In June 2023, a vulnerability cataloged as CVE-2023-33246 was discovered that enables an attacker to achieve remote command execution (RCE) on RocketMQ versions 5.1.0 and earlier. Shortly after, DreamBus added an exploit module to target this vulnerability.
Metabase Exploit Module (CVE-2023-38646) ... The open source versions of Metabase 0.46.6.1 and earlier, as well as Metabase Enterprise 1.46.6.1 and earlier, are vulnerable to CVE-2023-38646 ... The vulnerability allows an attacker to execute arbitrary commands on the server. The DreamBus exploit targeting the vulnerability is likely based on an open source proof-of-concept.
The attack, at its core, exploits a critical missing authentication bug (CVE-2023-48022, CVSS score: 9.8) to take control of susceptible instances and hijack their computing power for illicit cryptocurrency mining using XMRig.
CVE-2026-20182 carries a CVSSv3.1 score of 10.0 (Critical) and is classified under CWE-287: Improper Authentication. The flaw affects the Cisco Catalyst SD-WAN Controller (formerly vSmart)... The peering authentication mechanism is not functioning correctly, allowing an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on the affected system.
Apr 2024 PAN-OS CVE-2024-3400 exploit integration (Akamai)
Analysis of react.py This script is clearly set to exploit CVE-2025-29927, also known as React2Shell. ... This script implements a fully automated React/Next.js exploitation pipeline centered on abusing CVE-2025-29927 to achieve remote command execution at scale.
Drupal versions before 7.58... allow remote attackers to execute arbitrary code... Malware campaigns include the Muhstik botnet and XMRig Monero cryptocurrency mining.
Late at night, I was testing a proof-of-concept (PoC) exploit for CVE-2020-35489 ... The script appears to be a simple Proof-of-Concept (PoC) for an exploit, but in reality, it contains hidden malicious functionality. | The PoC repository contained a PDF file... downloading and running three files: Xsession.sh → the main malware script; xsession.auth → a disguised Monero miner (XMRig); xprintidle → a utility to detect when the system was idle.
“CoinMiner XMRig, a CoinMiner that mines the Monero cryptocurrency, was the one the most used in the attacks.”
"x522, which kills competing miners such as XMRig and Kinsing, and launches the miner with a c3pool.org configuration"
The Kaswara Modern WPBakery Page Builder plugin (CVE-2021-24284) is an example of this. This is a five-year-old unpatched flaw in a long-abandoned plugin that attackers are still actively exploiting right now... This flaw allows an unauthenticated attacker to upload malicious code directly to a vulnerable server and execute it remotely. | "...attackers have been using this vulnerability to take over WordPress websites... to ultimately install unauthorized copies of the XMRig cryptomining software"
The vulnerability, assigned the CVE identifier CVE-2024-4577, refers to an argument injection vulnerability in PHP affecting Windows-based systems running in CGI mode that could allow remote attackers to run arbitrary code.
The vulnerability in question is CVE-2025-32432 ... in Craft CMS
Groups observed using it
20 distinct threat actors attributed by public researchers.
One of the campaigns deployed an XMRig cryptocurrency miner on a small number of infected machines, which is not standard behavior for a disciplined intelligence operation.
Impact: T1496 Resource Hijacking. TeamPCP kills competing XMRig cryptominers before deploying its own payloads.
If the CVE-2022-26134 vulnerability attack succeeds, the following PowerShell command downloads and executes additional PowerShell scripts and ultimately installs XMRig CoinMiner.
Cryptominer Deployment: The platform deploys a custom cryptomining agent to compromised hosts... Architecture: agent binary multimmm-user (custom Go binary); miner XMRig (Monero).
In one case, investigators detected the use of XMRig, a legitimate cryptocurrency mining tool, suggesting attackers may have used victims’ computing resources to generate digital currency.
XMRig is an open-source Monero mining application frequently abused by cybercriminals. TeamPCP deploys XMRig on compromised hosts to mine Monero using the victim’s CPU resources without authorization.
CRYSTALRAY has two associated cryptominers... (IoCs include xmrig_arm64 and xmrig_freebsd binaries).
DreamBus botnet was observed leveraging a CVE-2023-33246 exploit to drop XMRig Monero miners on vulnerable servers.
Blue Mockingbird has executed custom-compiled XMRIG miner DLLs by configuring them to execute via the "wercplsupport" service.
It uses XMRig to mine for Monero and makes sure that it uses only 60% of the processing power to evade immediate detection.
“CoinMiner XMRig, a CoinMiner that mines the Monero cryptocurrency, was the one the most used in the attacks.”
"TsunamiHardener... sets up... Microsoft Defender exclusions for TsunamiClient and the XMRig miner"
The code references XMRig, an open-source tool commonly used to mine Monero (XMR), and several Rusich-linked addresses have received funds from mining pools.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Initial Access (1 technique)
The user was shown a message that the plugin version was outdated and that an update had to be installed to continue viewing. After following the link, a ZIP archive was downloaded to the device.
Execution (6 techniques)
The downloaded PowerShell scripts contain the functionality to disable Windows Defender, Malwarebytes and Sophos anti-malware software, to install modified XMRig cryptocurrency payload and download modules with the intention to steal user credentials from memory and use the credentials to attempt to spread laterally by passing the hash (Invoke-TheHash) through SMB or WMI.
...creates a service with the name hola_monitor_svc, configured to autostart and run when the host is idle.
Overall, attackers can use LoLBins to: download and install malicious code; execute malicious code... These campaigns can be relatively easily detected by internal hunting teams by analyzing command lines and their options.
Immediately after initial access, the attackers attempted to execute a PowerShell command to download a text file from a C2 server. The text file itself is a PowerShell script designed to install the XMRig cryptominer on the targeted system.
CVE-2022-22954, a remote code execution (RCE) vulnerability due to server-side template injection in VMware Workspace ONE Access and Identity Manager, is trivial to exploit with a single HTTP request to a vulnerable device.
The current version of the downloaded malware is a ZIP archive containing a legitimate .exe file and a malicious DLL. When the executable is launched, the library is loaded into its process, after which the malicious logic begins to execute.
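The command-line hunt recommended in the LoLBins snippet above, as an added example that is not code from any report quoted on this page: it scores process-creation events for XMRig's own switches, pool-URL and algorithm syntax, and checks the on-disk image for XMRig strings so that a miner renamed nginx still fires while a curl invocation that also takes -o and -u does not. The events, image bytes and wallet placeholder are constructed; the pool endpoint is the one named in this page's summary.

```python
"""Heuristic hunt for XMRig-style miner launches in process-creation telemetry.

Added example, not code from any report on this page. The events and the byte
samples below are constructed for the demo; the field names assume a generic
process-creation record (host, process_name, image_path, command_line) plus the
bytes of the image on disk, as an EDR or a Sysmon/auditd export would provide.
"""
import re
import shlex

# Switches characteristic of XMRig's CLI (from its public --help). Several of
# them together are a strong signal even when the binary has been renamed.
XMRIG_FLAGS = {
    "-o", "--url", "-u", "--user", "-p", "--pass", "-a", "--algo", "--coin",
    "-k", "--keepalive", "--tls", "--rig-id", "--donate-level", "--nicehash",
    "-t", "--threads", "--cpu-max-threads-hint", "--randomx-1gb-pages",
}
# Algorithm names XMRig accepts on -a/--algo (rx/0, cn/r, kawpow, ghostrider ...).
XMRIG_ALGO = re.compile(r"^(rx/\w+|cn(/[\w-]+)?|kawpow|ghostrider|argon2/\w+)$")
# A stratum endpoint: host:port, optionally with a stratum+tcp/ssl/tls scheme.
POOL_URL = re.compile(r"^(stratum\+(tcp|ssl|tls)://)?[\w.-]+:\d{2,5}$")
# Strings present in stock XMRig builds; an "nginx" whose image carries them is
# the renamed-binary masquerade described on this page.
XMRIG_MARKERS = (b"xmrig", b"donate-level", b"randomx", b"stratum+tcp")

ALERT_THRESHOLD = 4


def score_command_line(cmdline: str) -> dict:
    """Extract XMRig-style switches, pool and algorithm from one command line.

    Score = distinct XMRig switches, +2 for a pool URL, +2 for a known algorithm.
    """
    try:
        argv = shlex.split(cmdline, posix=True)
    except ValueError:  # unbalanced quotes in telemetry: fall back to whitespace
        argv = cmdline.split()
    hits = {"flags": set(), "pool": None, "algo": None}
    for i, tok in enumerate(argv):
        key, _, inline_val = tok.partition("=")
        if key not in XMRIG_FLAGS:
            continue
        hits["flags"].add(key)
        value = inline_val or (argv[i + 1] if i + 1 < len(argv) else "")
        if key in ("-o", "--url") and POOL_URL.match(value):
            hits["pool"] = value
        elif key in ("-a", "--algo") and XMRIG_ALGO.match(value):
            hits["algo"] = value
    hits["score"] = len(hits["flags"]) + 2 * bool(hits["pool"]) + 2 * bool(hits["algo"])
    return hits


def image_marker_hits(image_bytes: bytes) -> list:
    """Return the XMRig marker strings found in an executable image (case-insensitive)."""
    lowered = image_bytes.lower()
    return [m.decode() for m in XMRIG_MARKERS if m in lowered]


def hunt(events: list) -> list:
    """Return one alert per event that looks like an XMRig launch."""
    alerts = []
    for ev in events:
        cl = score_command_line(ev["command_line"])
        markers = image_marker_hits(ev.get("image_bytes", b""))
        reasons = []
        if cl["score"] >= ALERT_THRESHOLD:
            reasons.append(f"xmrig-style command line (score {cl['score']}, pool={cl['pool']}, algo={cl['algo']})")
        if len(markers) >= 2:
            reasons.append(f"image contains XMRig strings {markers}")
            if "xmrig" not in ev["process_name"].lower():
                reasons.append(f"renamed binary: runs as {ev['process_name']!r}")
        if reasons:
            alerts.append({"host": ev["host"], "image_path": ev["image_path"],
                           "score": cl["score"], "reasons": reasons})
    return alerts


# Constructed sample telemetry (not real captures). Event 1 mirrors the renamed
# nginx miner pointed at the pool.hashvault.pro:443 endpoint named on this page;
# the wallet is a placeholder. Event 2 is a real nginx worker; event 3 is curl,
# which also takes -o and -u and must not fire.
SAMPLE_EVENTS = [
    {"host": "web01", "process_name": "nginx", "image_path": "/tmp/.x/nginx",
     "command_line": "/tmp/.x/nginx -o pool.hashvault.pro:443 -u WALLET_PLACEHOLDER "
                     "-a rx/0 -k --tls --donate-level 0 --cpu-max-threads-hint 60",
     "image_bytes": b"\x7fELF..XMRig/6.24.0..donate-level..RandomX..stratum+tcp://.."},
    {"host": "web02", "process_name": "nginx", "image_path": "/usr/sbin/nginx",
     "command_line": "nginx: worker process",
     "image_bytes": b"\x7fELF..nginx version: nginx/1.24.0.."},
    {"host": "ops01", "process_name": "curl", "image_path": "/usr/bin/curl",
     "command_line": "curl -o report.html -u admin:secret https://intranet.example/",
     "image_bytes": b"\x7fELF..curl/8.5.0..libcurl.."},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The threshold of four is deliberate: -o and -u alone are shared with curl, wget and many admin tools, so a single switch never fires; a pool URL with a port or a RandomX/CryptoNight algorithm name adds the weight that separates a miner from a download. Pair the command-line score with the image-string check because a wrapper that reads its pool and wallet from an embedded config (as the Go-built idle miner on this page does) may launch with no switches at all.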
Persistence (1 technique)
Privilege Escalation (4 techniques)
...creates a service with the name hola_monitor_svc, configured to autostart and run when the host is idle.
Finally, four reflective loads are performed: the components are injected directly into the memory of the target processes without being written to disk... RAT agent → conhost.exe; Watchdog → explorer.exe; CPU miner → explorer.exe; GPU miner → explorer.exe.
The encrypted data is then converted into a base64 string, which is passed as a command-line parameter to launch the miner inside the explorer.exe process through process hollowing.
the threat actors used a container escape technique that leverages the CGroup release_agent feature. This technique allows an attacker to break out from the container and compromise the host
Stealth (5 techniques)
The Invoke-Obfuscation module is often used to create polymorphic obfuscated variants... The downloaded code is a reflective DLL loader with randomized function names to avoid simple pattern-based detection engines... This cryptocurrency miner had five deobfuscation stages.
Rather than embedding static configuration files, the malware fetches mining parameters dynamically from the C2 server at runtime... receiving a JSON blob containing wallet addresses, pool URLs, and algorithm settings without creating on-disk artifacts.
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
Finally, four reflective loads are performed: the components are injected directly into the memory of the target processes without being written to disk... RAT agent → conhost.exe; Watchdog → explorer.exe; CPU miner → explorer.exe; GPU miner → explorer.exe.
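The runtime-fetched JSON blob of wallet, pool and algorithm settings described above, the configuration file deployed beside the miner in the March 2026 cluster, and the 60% CPU ceiling noted in the threat-actor evidence all map onto XMRig's config.json schema. As an added example, not code from this page or from the XMRig project, the script below triages such a captured config: pool host, port and TLS plus wallet per pool, a watchlist match against the mining infrastructure named in this page's summary, and the throttling and evasion keys (cpu.max-threads-hint, the legacy max-cpu-usage, pause-on-active, background, and donate-level 0, which stock builds clamp to 1). The sample config and wallet are constructed; that the C2-delivered blob uses exactly this layout is an assumption.

```python
"""Triage a captured XMRig config.json (or a C2-fetched mining JSON blob).

Added example, not code from any report on this page or from XMRig itself.
The config below is constructed in the documented XMRig config.json layout;
the wallet is a placeholder and the watchlist holds only infrastructure already
named on this page, undefanged here so that it matches parsed hostnames.
"""
import json
from urllib.parse import urlsplit

POOL_WATCHLIST = {"us.zephyr.herominers.com", "xmrig.com", "pool.hashvault.pro"}


def parse_pool_url(url: str) -> tuple:
    """Split an XMRig pool URL into (host, port, tls_from_scheme).

    XMRig accepts bare 'host:port' as well as stratum+tcp:// and stratum+ssl://.
    """
    if "://" not in url:
        url = "stratum+tcp://" + url
    parts = urlsplit(url)
    return parts.hostname, parts.port, parts.scheme in ("stratum+ssl", "stratum+tls")


def triage_config(raw: str) -> dict:
    """Return per-pool indicators and the behavioural signals worth reporting."""
    cfg = json.loads(raw)
    findings = {"pools": [], "signals": []}

    for pool in cfg.get("pools", []):
        host, port, tls_scheme = parse_pool_url(pool.get("url", ""))
        entry = {
            "host": host,
            "port": port,
            "tls": bool(pool.get("tls", False)) or tls_scheme,
            "wallet": pool.get("user"),
            "algo": pool.get("algo") or cfg.get("algo"),
            "coin": pool.get("coin"),
            "watchlisted": host in POOL_WATCHLIST,
        }
        findings["pools"].append(entry)
        if entry["watchlisted"]:
            findings["signals"].append(f"pool {host} is on the watchlist")

    # Throttling keeps CPU load under the level a user or a noisy-neighbour
    # alert would notice (the page cites a miner capped at 60%).
    cpu = cfg.get("cpu")
    if isinstance(cpu, dict) and isinstance(cpu.get("max-threads-hint"), (int, float)) \
            and cpu["max-threads-hint"] < 100:
        findings["signals"].append(f"cpu throttled to {cpu['max-threads-hint']}% of threads")
    if isinstance(cfg.get("max-cpu-usage"), (int, float)) and cfg["max-cpu-usage"] < 100:
        findings["signals"].append(f"legacy max-cpu-usage {cfg['max-cpu-usage']}%")
    # pause-on-active mirrors the "user active, stopping miner" behaviour.
    if cfg.get("pause-on-active"):
        findings["signals"].append("pauses while a user is active (pause-on-active)")
    # Stock XMRig clamps donate-level to a minimum of 1; 0 implies a patched build.
    if cfg.get("donate-level", 1) == 0:
        findings["signals"].append("donate-level 0: stock builds clamp this to 1, suggests a modified build")
    if cfg.get("background"):
        findings["signals"].append("runs detached in the background")
    return findings


def export_iocs(findings: dict) -> dict:
    """Collapse findings into the indicator types a network or wallet hunt matches on."""
    return {
        "pool_endpoints": sorted(f"{p['host']}:{p['port']}" for p in findings["pools"]),
        "wallets": sorted({p["wallet"] for p in findings["pools"] if p["wallet"]}),
    }


# Constructed sample, not a real capture: the pool is the endpoint named on this
# page, the wallet is a placeholder, and the throttle mirrors the 60% cap cited.
SAMPLE_CONFIG = """{
  "autosave": false,
  "background": true,
  "donate-level": 0,
  "pause-on-active": 60,
  "cpu": {"enabled": true, "max-threads-hint": 60, "huge-pages": true},
  "opencl": {"enabled": false},
  "cuda": {"enabled": false},
  "pools": [
    {"url": "stratum+ssl://pool.hashvault.pro:443", "user": "WALLET_PLACEHOLDER",
     "pass": "x", "algo": "rx/0", "keepalive": true, "tls": true}
  ]
}"""

if __name__ == "__main__":
    result = triage_config(SAMPLE_CONFIG)
    for signal in result["signals"]:
        print("-", signal)
    print(export_iocs(result))
```

The wallet address is the most durable pivot: pool hostnames and ports change between campaigns, but the same payout address recurs across samples, so the exported wallets are worth matching against other captured configs and command lines before the pool endpoints are.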
Discovery (1 technique)
To do this, it collects the following data from the victim's device: processor information; the serial number of the C:/ drive; whether the process was launched with elevated privileges; the process start time in Unix timestamp format.
Lateral Movement (2 techniques)
The downloaded PowerShell scripts contain the functionality to disable Windows Defender, Malwarebytes and Sophos anti-malware software, to install modified XMRig cryptocurrency payload and download modules with the intention to steal user credentials from memory and use the credentials to attempt to spread laterally by passing the hash (Invoke-TheHash) through SMB or WMI.
Command and Control (3 techniques)
the bot performs multi-threaded DNS queries against Google's public DNS server (8.8.8.8) to resolve the C2 domain baojunwakuang.asia, which maps to 159.75.47.123 and serves both botnet commands and miner configuration through non-standard ports like 60194
Subsequently, this script leverages multiple tool layers to fetch the primary execution bundle.
The domain {domain} is computed from the current date... The result of the hashing is the domain the implant will communicate with.
Impact (1 technique)
This binary appears to be a crypto-miner... contains several strings relating to crypto-mining activity: "killed orphan miner pid %d" "user active, stopping miner" "m/cmd/xmrig-idle"
Other (2 techniques)
IOCs tracked for this family
278 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
200 sources tracked across advisories, community write-ups, and news.
A crypto-miner component indicated by an xmrig-related Go module path; the analyzed binary appears to be XMRig-based, performs a Windows Defender exclusion, copies itself as HolaMonitorService.exe, and installs an autostart service that runs when the host is idle.
A crypto-miner component indicated by the embedded Go module path "m/cmd/xmrig-idle," suggesting the undeclared Hola-delivered binary was based on XMRig and used to mine cryptocurrency while attempting persistence and defense evasion.
A cryptocurrency miner deployed on a limited number of infected systems as part of one GREYVIBE campaign.
A cryptocurrency miner deployed on a small subset of LegionRelay-infected systems, indicating overlap with cybercriminal monetization activity.