Digging Gold with a Spoon – Resurgence of Monero-mining Malware
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A resurgence of malware deploying the XMRig cryptominer was discovered in mid-April 2025, coinciding with a rally in the value of the Monero cryptocurrency. The malware uses a multi-staged approach and LOLBAS techniques, leveraging built-in Windows tools such as PowerShell for payload delivery, detection evasion, and persistence. The attack chain involves three stages: initial infection via a batch file, establishment of persistence, and execution of the cryptominer. Victims were observed in diverse countries, including Russia, Belgium, Greece, and China. The malware disables Windows Update services, evades Windows Defender, and uses scheduled tasks for persistence. The XMRig miner creates registry entries and drops files so that it keeps running. Despite its simple, unobfuscated nature, the malware proved effective at avoiding detection.
OPENCTI LABELS:
powershell,cryptomining,xmrig,monero,persistence,lolbas,windows defender evasion