CryptoMalware - description
- Last Updated: May 1, 2026
Sources:
General Cryptocurrency Mining Malware Information:
- Digmine cryptocurrency miner spreading via Facebook Messenger
- Cryptocurrency mining malware overview
- Cryptomining: Harmless nuisance or disruptive threat?
- Smominru Monero mining botnet making millions for operators
- Jenkins Miner: One of the biggest mining operations ever discovered
Threat Analysis for Specific Mining Malware Campaigns:
- FacexWorm targets cryptocurrency trading platforms, abuses Facebook Messenger for propagation
- Monero mining Retadup worm goes polymorphic, gets an AutoHotkey variant
- Cryptocurrency mining bot targets devices with running SSH service via potential scam site
- Cryptocurrency miner distributed via PHP Weathermap vulnerability targets Linux servers
- Attackers using remote code execution vulnerabilities to install cryptocurrency miners on vulnerable hosts
- Cryptocurrency miner spreads via old vulnerabilities on Elasticsearch
- Linux coin miner copied scripts from KORKERDS, removes all other malware and miners
- Monero miner malware uses RADMIN and MIMIKATZ to infect and propagate via vulnerability
- Miner malware spreads beyond China, uses multiple propagation methods including EternalBlue and PowerShell abuse
- BlackSquid slithers into servers and drives with 8 notorious exploits to drop XMRig miner
- Monero mining malware PCASTLE zeroes back in on China, now uses multilayered fileless arrival techniques
- CVE-2019-2725 exploited and certificate files used for obfuscation to deliver Monero miner
- Advanced targeted attack tools used to distribute cryptocurrency miners
- Outlaw hacking group's botnet observed spreading miner and Perl-based backdoor
- Cryptocurrency mining botnet arrives through ADB and spreads through SSH
- Golang-based spreader used in a cryptocurrency mining malware campaign
- ShadowGate returns to worldwide operations with evolved GreenFlash Sundown exploit kit
- Old tools for new money: URL spreading Shellbot and XMRig using 17-year-old XHide
- Purple Fox fileless malware with rootkit component delivered by RIG exploit kit now abuses PowerShell
- Skidmap Linux malware uses rootkit capabilities to hide cryptocurrency mining payload
- Fileless cryptocurrency miner GhostMiner weaponizes WMI objects, kills other cryptocurrency mining payloads
This pattern detects the cryptocurrency-mining malware campaigns described in the sources above. In these campaigns an attacker compromises a host (via unpatched services, exposed SSH or ADB, exploit kits, or social engineering, as the linked reports document), installs mining software such as XMRig, and mines cryptocurrency, most often Monero, for the attacker's benefit. The miner consumes the victim's CPU, so users typically notice their computers running significantly slower than normal.
Flowmon ADS raises a CryptoMalware event when a monitored system downloads the mining malware or communicates with the campaign's command and control (C&C) servers or mining pools.
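The following is an added example, not Flowmon's own signature logic, showing how the two detection channels the description names can be expressed over flow records: a match of the destination against an indicator list (C&C servers, mining pools, malware download hosts) and a behavioural heuristic for a long-lived, low-volume Stratum session to a pool-style port. The indicator list, the set of Stratum ports and the flow records are all constructed for the example and use TEST-NET addresses; a real deployment would load a curated feed and tune the thresholds.

```python
"""Flow-based cryptomining detection (constructed example, not Flowmon's pattern code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumption: a small constructed indicator list keyed by destination IP.
# These are TEST-NET placeholders standing in for a curated threat-intel feed.
INDICATORS = {
    "198.51.100.7": ("C&C", "botnet controller (constructed)"),
    "203.0.113.20": ("mining pool", "Monero Stratum pool (constructed)"),
    "192.0.2.45": ("download", "miner dropper host (constructed)"),
}

# Assumption: ports that public Stratum pools commonly listen on. Pools that
# run on 443 are not caught by the port heuristic and need an indicator match.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444}


@dataclass(frozen=True)
class Flow:
    """One flow record (NetFlow/IPFIX style), fields reduced to what we need."""
    src: str
    dst: str
    dport: int
    proto: str        # "TCP" or "UDP"
    packets: int
    octets: int       # total bytes carried by the flow
    duration: float   # seconds the flow was active


def _looks_like_stratum(f: Flow) -> bool:
    """Heuristic for a miner holding a Stratum session open: a long-lived TCP
    connection to a pool-style port carrying many small JSON-RPC messages."""
    if f.proto != "TCP" or f.dport not in STRATUM_PORTS or f.packets == 0:
        return False
    avg_packet = f.octets / f.packets
    # Thresholds are assumptions: >=10 min, >=50 packets, small average payload.
    return f.duration >= 600 and f.packets >= 50 and avg_packet <= 300


def classify(f: Flow) -> Optional[Tuple[str, str]]:
    """Return (category, reason) when the flow should raise a CryptoMalware
    event, or None when it looks benign. Indicator hits take priority over
    the heuristic because they are the more reliable signal."""
    if f.dst in INDICATORS:
        category, description = INDICATORS[f.dst]
        return category, f"destination {f.dst} on indicator list ({description})"
    if _looks_like_stratum(f):
        return "mining pool (heuristic)", (
            f"persistent low-volume TCP session to Stratum-style port {f.dport}")
    return None


def detect(flows: Iterable[Flow]) -> List[Tuple[str, str, str, str]]:
    """Run classify() over a batch of flows; return (src, dst, category, reason)."""
    events = []
    for f in flows:
        hit = classify(f)
        if hit is not None:
            events.append((f.src, f.dst, hit[0], hit[1]))
    return events


# Constructed sample flows: three indicator hits, one heuristic hit, three benign.
SAMPLE_FLOWS = [
    Flow("10.0.0.12", "203.0.113.20", 3333, "TCP", 1200, 240_000, 3600.0),   # known pool
    Flow("10.0.0.15", "198.51.100.7", 8080, "TCP", 20, 4_000, 2.0),          # known C&C
    Flow("10.0.0.31", "192.0.2.45", 80, "TCP", 900, 1_400_000, 8.0),         # dropper download
    Flow("10.0.0.40", "203.0.113.99", 3333, "TCP", 5000, 900_000, 7200.0),   # unknown pool, heuristic
    Flow("10.0.0.40", "203.0.113.99", 3333, "TCP", 30, 40_000, 5.0),         # short probe, ignored
    Flow("10.0.0.50", "203.0.113.99", 443, "TCP", 5000, 900_000, 7200.0),    # port 443, not covered
    Flow("10.0.0.60", "203.0.113.99", 4444, "TCP", 2000, 2_000_000, 1200.0), # bulk transfer, ignored
]

if __name__ == "__main__":
    for src, dst, category, reason in detect(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {category}: {reason}")
```

The port-443 flow illustrates the heuristic's blind spot: a pool listening on a TLS port is indistinguishable from ordinary web traffic at the flow level, so it can only be caught through indicator data (or, where available, TLS SNI or DNS telemetry), which is why the indicator channel is kept alongside the behavioural one.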