#coinminer — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #coinminer, aggregated by home.social.
-
Q1 2026 malware statistics report for Windows web servers
Analysis of Windows web server attacks during Q1 2026 reveals that Internet Information Services (IIS) and Apache Tomcat servers face persistent threats through web shell exploitation. The Larva-26001 threat actor has been targeting domestic IIS servers for several years, deploying privilege escalation tools including JuicyPotato, BadPotato, and exploiting CVE-2019-1458. Following privilege escalation, attackers utilize port-forwarding tools like HTran and PortTranC to redirect traffic to RDP port 3389, enabling remote control of compromised systems. Attack vectors include file upload vulnerabilities, Web Framework-WAS vulnerabilities, and unpatched RCE services. Additional malicious activities involve deployment of backdoors, CoinMiners, and proxy tools for internal network compromise.
Pulse ID: 69de008da466f2dc89165990
Pulse Link: https://otx.alienvault.com/pulse/69de008da466f2dc89165990
Pulse Author: AlienVault
Created: 2026-04-14 08:53:33
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#APAC #Apache #BackDoor #CoinMiner #CyberSecurity #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Proxy #RCE #RDP #Tomcat #Windows #bot #AlienVault
-
Q1 2026 Malware Statistics Report for Linux SSH Servers
Analysis of attacks against Linux SSH servers during Q1 2026 reveals P2PInfect worm as the dominant threat, representing 70.3% of all attack sources. DDoS botnets including Mirai, XMRig, Prometei, and CoinMiner were identified as primary threats. A notable campaign involved installing V2Ray proxy tools on compromised systems, attributed to a suspected Chinese threat actor. Attackers employed SSH brute-force techniques to gain access, executed reconnaissance commands to assess system information, and deployed V2Ray for proxy node operations. The campaign targeted poorly secured SSH servers with weak credentials, emphasizing the need for strong password policies, access controls, and network monitoring to detect unusual outbound connections and proxy-related activities.
Pulse ID: 69de00c30406a5cbb6ba9eef
Pulse Link: https://otx.alienvault.com/pulse/69de00c30406a5cbb6ba9eef
Pulse Author: AlienVault
Created: 2026-04-14 08:54:27
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Chinese #CoinMiner #CyberSecurity #DDoS #DoS #ICS #InfoSec #Linux #Malware #Mirai #OTX #OpenThreatExchange #Password #Proxy #RAT #RCE #SSH #Word #Worm #bot #botnet #AlienVault
-
It is an AI-generated #Linux #malware which was hidden in images with pandas. It supports a wide variety of coinminers for various cryptocurrencies, for GPUs and for different CPU architectures. Another of its components, #rootkit #hideproc, tries to hide the Koske miner from file listings and process lists.
https://malwarelab.eu/posts/koske-panda-ai/
Video from #anyrun analysis:
https://www.youtube.com/watch?v=1OSPp996XQ4
#koskeminer #coinminer #blueteam #cybersecurity #dfir #malwareanalysis #infosec #reverseengineering
-
Supershell Malware Being Distributed to Linux SSH Servers
A Chinese-developed Go-based backdoor called Supershell is targeting poorly managed Linux SSH servers. The malware, which supports multiple platforms, primarily functions as a reverse shell for remote system control. Attackers use dictionary attacks from various IP addresses to gain access, then install Supershell directly or via a downloader script. The malware is downloaded from web and FTP servers. While Supershell is the initial payload for control hijacking, XMRig Monero CoinMiners are often installed alongside it, suggesting cryptocurrency mining as the ultimate goal. To protect against such attacks, administrators should use strong passwords, update systems regularly, and implement security measures like firewalls.
Pulse ID: 66ed5aecd1c4b20f7441ddef
Pulse Link: https://otx.alienvault.com/pulse/66ed5aecd1c4b20f7441ddef
Pulse Author: AlienVault
Created: 2024-09-20 11:22:20
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Chinese #CoinMiner #CyberSecurity #InfoSec #Linux #Malware #OTX #OpenThreatExchange #Password #Passwords #RAT #SSH #Word #bot #cryptocurrency #AlienVault
-
📬 PS4 emulator installs CoinMiner XMRig
#Malware #AhnLabSecurity #ASEC #CoinMiner #Playstation #PS4Emulator #XMRig https://sc.tarnkappe.info/2aa3fe
-
#Typosquat alert: Someone set up a #fake site that mimics Sophos branding on Sopbos[.]com and that site delivers a #malware #coinminer installer called SophosInstaller.exe
If you work on a team with a #domain #reputation service or feature, please mark that domain as #malicious.
Let's all work to render this kind of garbage, and their domain registration, utterly useless. #FAFO
-
Some of the final payloads overlap with previously-reported threats, such as #Truebot (#downloader, often linked to Cl0p #ransomware), #Buhti (ransomware), #MoneroOcean (a #coinminer, discussed here: https://news.sophos.com/en-us/2021/12/02/two-flavors-of-tor2mine-miner-dig-deep-into-networks-with-powershell-vbscript/), and #Mirai (a #botnet #worm).
One such example of a #miner, shown in the screenshot below, details the commands to terminate the processes and services used by other, competing malicious miners before launching their own #Monero (#XMR) mining software. This cynical form of 'capture the flag' is commonplace behavior among the threat actor groups who deploy and maintain hostile miners.
5/6
-
I've come across this interesting article by AhnLab about how SHC is being used to deploy malicious payloads on GNU/Linux systems: "Shc Linux Malware Installing CoinMiner".
https://asec.ahnlab.com/en/45182/
A nice reason to spend some time on this as follows in this thread.
-
A piece of spyware from the presumably state-funded Turla gang relies on Dropbox for data theft. In another case, coin mining concealed something worse.
APT groups: Turla and co. disguise attacks behind seemingly harmless activities
-
Aaand another funding application that got rejected. Some days it feels as if anything beyond football or the shooting club is of no interest in #Unna. We'll keep going anyway until the money runs out. Plan B: we hand out #coinminer USB sticks😎
-
CW: Rant
Little bro just called me and told me he has some #coinminer software on his #Windows computer.
I hate proprietary systems SO much. One of the few things that make me really really aggressive.