#cryptominer — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #cryptominer, aggregated by home.social.
-
Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw
Threat actors are actively exploiting AI distribution platforms like Hugging Face and ClawHub to deliver malware by embedding malicious code within models, datasets, and agent extensions. Over 575 malicious skills across 13 developer accounts were identified in the OpenClaw ecosystem, targeting Windows and macOS with trojans, cryptominers, and AMOS stealer. Attackers abuse trust relationships between users and AI platforms through indirect prompt injection, where hidden instructions cause AI agents to execute malicious actions on behalf of users. Trojanized skills masquerade as legitimate tools while instructing users to execute encoded commands or install hidden malicious dependencies. On Hugging Face, repositories host payloads within multistep infection chains disguised as legitimate applications. These campaigns employ social engineering, obfuscation, encryption, in-memory execution, process injection, and persistence techniques to evade detection while establishing covert command-and-control communica...
Pulse ID: 6a01c2363e7f67fcbed473cb
Pulse Link: https://otx.alienvault.com/pulse/6a01c2363e7f67fcbed473cb
Pulse Author: AlienVault
Created: 2026-05-11 11:49:10
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AMOS #CryptoMiner #CyberSecurity #Encryption #HuggingFace #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #Rust #SocialEngineering #SupplyChain #Trojan #Windows #bot #AlienVault
-
PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
PCPJack is a sophisticated credential theft framework that propagates across exposed cloud infrastructure while systematically removing artifacts linked to TeamPCP, a threat actor behind notable 2026 supply chain compromises. The toolset harvests credentials from cloud platforms, containers, developer tools, productivity applications, and financial services, exfiltrating data through attacker-controlled infrastructure. It targets exposed Docker, Kubernetes, Redis, MongoDB, RayML services and vulnerable web applications, enabling external propagation and lateral movement. Unlike typical cloud malware, PCPJack deploys no cryptominers, focusing instead on credential theft for monetization through fraud, spam campaigns, extortion, or access resale. The framework uses modular Python scripts orchestrated by a central component, employs Common Crawl data for target selection, and utilizes Telegram for command and control communications.
Pulse ID: 69fd0520d3687243cca2f973
Pulse Link: https://otx.alienvault.com/pulse/69fd0520d3687243cca2f973
Pulse Author: AlienVault
Created: 2026-05-07 21:33:20
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cloud #CryptoMiner #CyberSecurity #Docker #Extortion #InfoSec #Malware #OTX #OpenThreatExchange #Python #RAT #Redis #Spam #SupplyChain #Telegram #Troll #Worm #bot #AlienVault
-
Untangling a Linux Incident With an OpenAI Twist (Part 2)
A Linux endpoint was simultaneously compromised by at least two distinct threat actors while the developer user relied on OpenAI's Codex AI agent for security remediation. Actor A deployed a cryptominer mining Monero to a private pool. Actor B installed a multi-revenue botnet including XMRig mining, residential proxy services, and bandwidth-selling components with eight different persistence mechanisms. Actor C, potentially affiliated with Actor B, executed mass data exfiltration of 15 categories including SSH keys, cloud credentials, and API tokens. The threat actors exploited CVE-2025-55182 (React2Shell) affecting Next.js and React applications. While Codex identified some threats, it lacked contextual awareness and privileged access needed for comprehensive incident response, creating additional noise that complicated SOC investigation. The endpoint was ultimately secured through managed EDR telemetry and expert SOC analysis.
Pulse ID: 69e95245cf3877ded3870cff
Pulse Link: https://otx.alienvault.com/pulse/69e95245cf3877ded3870cff
Pulse Author: AlienVault
Created: 2026-04-22 22:57:09
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cloud #CryptoMiner #CyberSecurity #EDR #Endpoint #InfoSec #Linux #OTX #OpenThreatExchange #Proxy #RAT #SMS #SSH #bot #botnet #AlienVault
-
Untangling a Linux Incident With an OpenAI Twist
A technology sector organization experienced a multi-actor compromise on a Linux endpoint where cryptominers were deployed and credential harvesting occurred. The incident became complex when the legitimate user attempted to troubleshoot suspected malicious activity using OpenAI's Codex AI agent while threat actors remained active on the system. The EDR agent was installed mid-compromise, limiting historical visibility. Codex-generated commands created investigative challenges as they mimicked attacker techniques, triggering security detections and complicating the distinction between legitimate troubleshooting and malicious activity. While Codex helped terminate some malicious processes, it failed to provide complete remediation, allowing threat actors to continue exfiltrating credentials, tokens, and cloud metadata through multiple persistence mechanisms.
Pulse ID: 69e2417e5e4fdd5f16c75dbe
Pulse Link: https://otx.alienvault.com/pulse/69e2417e5e4fdd5f16c75dbe
Pulse Author: AlienVault
Created: 2026-04-17 14:19:42
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cloud #CredentialHarvesting #CryptoMiner #CyberSecurity #EDR #Endpoint #InfoSec #Linux #Mimic #OTX #OpenThreatExchange #RAT #SMS #bot #AlienVault
-
Watch out as new .NET AOT malware hides its code as a black box, making detection far harder while delivering Rhadamanthys infostealer and crypto miner.
Read: https://hackread.com/net-aot-malware-code-black-box-evade-detection/
-
I had a chance last week to chat with Benjamin Read of #Wiz. Last month, Read and other members of his team published a deep dive into the #React2Shell (CVE-2025-55182) vulnerability, and I was curious to see what has been hitting my honeypot, so I took a closer look. This is doing some weird stuff, friends.
As is normally the case with exploits targeting internet-facing devices, once the exploit becomes known, it ends up in the automated scanners used by threat actors and security researchers. What I've seen over the past week is a combination of both.
In just a few hours of operation, I identified a small number of source IP addresses exploiting React2Shell by pointing the vulnerable system at URLs hosting BASH scripts. These scripts are really familiar to anyone who routinely looks at honeypot data - they contain a series of commands that pull down and execute malicious payloads.
And as I've seen in the past, some of these payloads use racially inflammatory language in their malware. It's weird and gross, but unfortunately, really common.
But while most of these payloads were "the usual suspects" - remote shells, cryptocurrency miners - there was one payload that stuck out.
It's an exploit file, based on this proof-of-concept [https://github.com/iotwar/FIVEM-POC/blob/main/fivem-poc.py] designed to DDoS a modded server running "FiveM," a popular version of the game Grand Theft Auto V.
Let that one sink in: among the earliest adopters of a brand new exploit are...people trying to mess with other people's online game servers.
I've long said that exploits like these are the canaries in the datacenter coal mine. After all, if an attacker can force your server to run a cryptominer (or a game DDoS tool), they can force it to run far more malicious code.
I guess someone, or a group of someones, just want to ruin everyone's good time, no matter how or what form that takes. And they'll do it in the most offensive way possible.
Anyway, patch your servers, please, if only to stick it to these people who want to be the reason we can't have nice things.
#PoC #exploit #CVE_2025_55182 #DDoS #FiveM #REACT #Bash #cryptominer #malware
-
Dormant Bitcoin Whale With $442M Awakens for First Time in 14 Years Amid Quantum Fears - 14-year-old wallet moves $16.6M in BTC as analyst weigh security concerns and shifting on... - https://www.coindesk.com/markets/2025/10/24/dormant-bitcoin-whale-with-usd442m-awakens-for-first-time-in-14-years-amid-quantum-fears #cryptominer #markets #bitcoin #news
-
Crypto Miner TeraWulf to Raise $3B in Google-Backed Debt Deal to Expand Data Centers - Crypto mining firm TeraWulf (WULF) is planning to raise $3 billion in debt to expand its ... - https://www.coindesk.com/business/2025/09/27/crypto-miner-terawulf-to-raise-usd3b-in-google-backed-debt-deal-to-expand-data-centers #artificialintelligence #cryptominer #datacenters #finance #google #news
-
New Malware Uses Windows Character Map for Cryptomining https://hackread.com/new-malware-uses-windows-character-map-cryptomining/ #Cryptocurrency #Cryptojacking #Cryptomining #Cryptominer #CyberAttack #PowerShell #Darktrace #Security #Malware #NBMiner #Windows #AutoIt
-
New Malware Uses Windows Character Map for Cryptomining – Source:hackread.com https://ciso2ciso.com/new-malware-uses-windows-character-map-for-cryptomining-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #Cryptocurrency #Cryptojacking #Cryptomining #Cryptominer #CyberAttack #PowerShell #Darktrace #Hackread #security #malware #NBMiner #Windows #AutoIt
-
Years Long Linux Cryptominer Spotted Using Legit Sites to Spread Malware https://hackread.com/linux-cryptominer-using-legit-sites-to-spread-malware/ #Cybersecurity #Vulnerability #Cryptominer #VulnCheck #Security #Linuxsys #Malware #Windows #Monero #XMR
-
Years Long Linux Cryptominer Spotted Using Legit Sites to Spread Malware – Source:hackread.com https://ciso2ciso.com/years-long-linux-cryptominer-spotted-using-legit-sites-to-spread-malware-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #Vulnerability #Cryptominer #VulnCheck #Hackread #Linuxsys #security #malware #Windows #Monero #XMR
-
A Linux cryptominer has been quietly spreading malware for years by hijacking legit websites with SSL certs.
🔗 https://hackread.com/linux-cryptominer-using-legit-sites-to-spread-malware/
-
Finally completed my rebuild of my #Grafana #prometheus #vps stack.
The old one was hosed in a 3 month battle with a #cryptominer
It was #docker but they kept fucking the Prometheus container. I rebuilt everything from scratch. The panels are integrated into a single JSON file, rather than in libraries.
The stack is now #podman. Rootless execution.
But I couldn't get it to get #cadvisor to feed it.
So I got a dodgy scraper script.
But even with nice, it loads the low tier VPS to 14%
-
Every #appliance that's job is to get hot should be a #cryptoMiner or a #heatPump
#electronics #technology #bitcoin #cryptocurrency #crypto #appliances #home
-
Tether Raises Bitdeer Stake to 21%: SEC Filing - Tether, the issuer of the USDT stablecoin, increased its holdings in bitcoin (BTC) miner ... - https://www.coindesk.com/markets/2025/03/18/tether-increases-holdings-in-bitdeer-to-20-sec-filing #mergersandacquisitions #cryptominer #markets #bitdeer #tether
-
Cybercriminals are blackmailing YouTubers with fake copyright claims! 😱 They're threatening creators into distributing malware disguised as download links. A trojanized program installs a cryptominer. ⚠️ Be careful what you download! More info: https://www.techradar.com/pro/security/youtubers-targeted-by-blackmail-campaign-to-promote-malware-on-their-channels #cybersecurity #malware #youtube #cryptominer #newz
-
Mass exploitation campaign hit 4,000+ ISP networks to deploy info stealers and crypto miners – Source: securityaffairs.com https://ciso2ciso.com/mass-exploitation-campaign-hit-4000-isp-networks-to-deploy-info-stealers-and-crypto-miners-source-securityaffairs-com/ #rssfeedpostgeneratorecho #ITInformationSecurity #SecurityAffairscom #CyberSecurityNews #PierluigiPaganini #SecurityAffairs #SecurityAffairs #BreakingNews #SecurityNews #cryptominer #hackingnews #CyberCrime #Cybercrime #hacking #Malware
-
CVE-2021-41773 and CVE-2021-42013 ending in crypto mining by RedTail ( https://nfsec.pl/ai/6597 ) #cryptominer #botnet #redtail #linux #security #twittermigration
-
Hackers Use CVE-2024-50603 to Deploy Backdoor on Aviatrix Controllers – Source:hackread.com https://ciso2ciso.com/hackers-use-cve-2024-50603-to-deploy-backdoor-on-aviatrix-controllers-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #Vulnerability #Cryptominer #Aviatrix #backdoor #Hackread #security #RCE
-
Hackers Use CVE-2024-50603 to Deploy Backdoor on Aviatrix Controllers https://hackread.com/hackers-cve-2024-50603-aviatrix-controllers-backdoor/ #Cybersecurity #Vulnerability #Cryptominer #Security #Aviatrix #backdoor #RCE
-
Fake Job Offers from CrowdStrike Used by Cybercriminals to Distribute Cryptominer - https://www.redpacketsecurity.com/cybercriminals-use-fake-crowdstrike-job-offers-to-distribute-cryptominer/
-
Fake CrowdStrike Recruiters Distribute Malware Via Phishing Emails – Source:hackread.com https://ciso2ciso.com/fake-crowdstrike-recruiters-distribute-malware-via-phishing-emails-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #PhishingScam #CrowdStrike #Cryptominer #Hackread #Phishing #security #malware #Fraud #Scam
-
Fake CrowdStrike Recruiters Distribute Malware Via Phishing Emails https://hackread.com/fake-crowdstrike-recruiters-malware-phishing-emails/ #Cybersecurity #PhishingScam #CrowdStrike #Cryptominer #Security #Phishing #Malware #Fraud #Scam
-
Phishers abuse CrowdStrike brand targeting job seekers with cryptominer – Source: securityaffairs.com https://ciso2ciso.com/phishers-abuse-crowdstrike-brand-targeting-job-seekers-with-cryptominer-source-securityaffairs-com/ #rssfeedpostgeneratorecho #informationsecuritynews #ITInformationSecurity #SecurityAffairscom #CyberSecurityNews #PierluigiPaganini #SecurityAffairs #SecurityAffairs #BreakingNews #SecurityNews #CrowdStrike #cryptominer #hackingnews #CyberCrime #Phishing #hacking #Malware
-
Ultralytics AI Library with 60M Downloads Compromised for Cryptomining – Source:hackread.com https://ciso2ciso.com/ultralytics-ai-library-with-60m-downloads-compromised-for-cryptomining-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #Cryptocurrency #UltralyticsAI #Cryptominer #Hackread #security #malware #Crypto #Python #PyPI
-
While crypto is dumb, this take on crypto is also dumb.
Arkansas officials halt cryptomine near LR Airbase due to national security concerns
https://katv.com/news/local/arkansas-officials-halt-cryptomine-near-lr-airbase-due-to-national-security-concerns-state-senator-ricky-hill-lonoke-county-judge-doug-erwin-cabot-mayor-ken-kincade-interstate-holdings-arkansas-blockchain-council-benjamin-smith-steven-landers-jr-lrafb
#crypto #cryptocurrency #cryptocult #cryptominer #cryptominers #arkansas #littlerock #ArkansasPolitics
-
Part 3 of my #cryptominer infection saga.
Being too lazy to secure my infected #prometheus container, I was looking for another way to combat it.
Killing it did not work because its CnC was bringing it up in under a minute. My "fix" is inspired if I say so myself.
It is to run a cronjob to set the nice setting to the lowest possible
(nice -n 19 xmrig)
This makes the #xmrig crapto miner the least possible CPU priority. See if you can see on my attached performance chart when it kicks in
😁
#infosec
-
#Linux :tux: - #Malware "#Perfctl" has apparently been infecting Linux servers for years | heise online https://www.heise.de/news/Perfectl-Linux-Malware-laesst-Server-heimlich-Kryptomining-und-mehr-ausfuehren-9963118.html #CryptoMiner #cryptocurrencies #cryptocurrency #Proxy #Loader
-
Attacks Against Apache NiFi #apache #nifi #ml #cryptominer #bot https://i5c.us/d29900
-
Introducing the newest major @tidalcyber TTP intelligence content roundup, the Initial Access & Malware Delivery Landscape matrix, now live in our free Community Edition platform: https://app.tidalcyber.com/share/43836024-a194-4ac7-9659-b51e88632e7f
The matrix covers 25 major & emerging #malware typically used to gain early footholds in victim environments, often leading to ingress of more impactful threats, especially #ransomware, #infostealers, cryptominers, & more. It includes many recognizable names (#QakBot, #IcedID, #Emotet, #Bumblebee, #Gootloader) plus several newer and less-discussed threats
The matrix includes 13 custom Technique Sets for threats not currently tracked in the #mitreattack knowledge base. All technique references derive from a large volume of recent, public #threat reporting (click the labels in the ribbon at the top of the matrix to view relevant source URLs for each threat)
An interactive link analysis visualization of connections among these threats, also derived from public reports, is also available here: https://onodo.org/visualizations/235067/
Community Edition matrices support easy identification of shared (and outlier) techniques among multiple threats, and quick & easy overlay or pivoting to defensive & offensive security capabilities relevant to your own #security stack. We’ll have a blog out soon reviewing our analysis of top & trending techniques common among these initial access threats
Tidal’s #Adversary Intelligence team remains focused on providing up-to-date #TTPintelligence, especially around traditionally under-represented yet widely relevant threats like crimeware. Other popular matrices in this theme include our Ransomware & Data Extortion Landscape matrix (https://app.tidalcyber.com/share/9a0fd4e6-1daf-4f98-a91d-b73003eb2d6a) and Major & Emerging Infostealers matrix (https://app.tidalcyber.com/share/ec62f5e0-bd40-476b-a560-7ad2779ea9e3), which each cover 20+ threats
Financially motivated adversaries often display a rapid pace of #TTP evolution, and this is especially apparent for #initialaccess threats. Register for our webinar on May 31 dedicated to TTP evolution, its drivers, and discussion around what defenders can do to address it and its implications: https://hubs.la/Q01NC23k0
#SharedWithTidal #threatinformeddefense #malware #infostealer #cryptominer #IAB #blueteam #detectionengineering #purpleteam #cyber