#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
State of SaaS

Cryptomining | Breaking Cybersecurity News | The Hacker News

Category — Cryptomining
CrowdStrike Warns of Phishing Scam Targeting Job Seekers with XMRig Cryptominer

CrowdStrike Warns of Phishing Scam Targeting Job Seekers with XMRig Cryptominer

Jan 10, 2025 Cryptomining / Malware
Cybersecurity company CrowdStrike is alerting of a phishing campaign that exploits its own branding to distribute a cryptocurrency miner that's disguised as an employee CRM application as part of a supposed recruitment process. "The attack begins with a phishing email impersonating CrowdStrike recruitment, directing recipients to a malicious website," the company said . "Victims are prompted to download and run a fake application, which serves as a downloader for the cryptominer XMRig." The Texas-based company said it discovered the malicious campaign on January 7, 2025, and that it's "aware of scams involving false offers of employment with CrowdStrike." The phishing email lures recipients by claiming that they have been shortlisted for the next stage of the hiring process for a junior developer role, and that they need to join a call with the recruitment team by downloading a customer relationship management (CRM) tool provided in the embedd...
Ultralytics AI Library Compromised: Cryptocurrency Miner Found in PyPI Versions

Ultralytics AI Library Compromised: Cryptocurrency Miner Found in PyPI Versions

Dec 07, 2024 Supply Chain Attack / Cryptocurrency
In yet another software supply chain attack, it has come to light that two versions of a popular Python artificial intelligence (AI) library named ultralytics were compromised to deliver a cryptocurrency miner. The versions, 8.3.41 and 8.3.42, have since been removed from the Python Package Index (PyPI) repository. A subsequently released version has introduced a security fix that "ensures secure publication workflow for the Ultralytics package." The project maintainer, Glenn Jocher, confirmed on GitHub that the two versions were infected by malicious code injection in the PyPI deployment workflow after reports emerged that installing the library led to a drastic spike in CPU usage , a telltale sign of cryptocurrency mining. The most notable aspect of the attack is that bad actors managed to compromise the build environment related to the project to insert unauthorized modifications after the completion of the code review step, thus leading to a discrepancy in the so...
Product Walkthrough: How Reco Discovers Shadow AI in SaaS

Future-Ready Trust: Learn How to Manage Certificates Like Never Before

WebinarTrust Management / SSL Certificate
Managing digital trust shouldn't feel impossible. Join us to discover how DigiCert ONE transforms certificate management—streamlining trust operations, ensuring compliance, and future-proofing your digital strategy.
Cybercriminals Exploit Popular Game Engine Godot to Distribute Cross-Platform Malware

Cybercriminals Exploit Popular Game Engine Godot to Distribute Cross-Platform Malware

Nov 28, 2024 Windows Security / Cryptomining
A popular open-source game engine called Godot Engine is being misused as part of a new GodLoader malware campaign, infecting over 17,000 systems since at least June 2024. "Cybercriminals have been taking advantage of Godot Engine to execute crafted GDScript code which triggers malicious commands and delivers malware," Check Point said in a new analysis published Wednesday. "The technique remains undetected by almost all antivirus engines in VirusTotal." It's no surprise that threat actors are constantly on the lookout for new tools and techniques that can help them deliver malware while sidestepping detection by security controls, even as defenders continue to erect new guardrails. The newest addition is Godot Engine , a game development platform that allows users to design 2D and 3D games across platforms , including Windows, macOS, Linux, Android, iOS, PlayStation, Xbox, Nintendo Switch, and the web. The multi-platform support also makes it an attract...
cyber security

2024: A Year of Identity Attacks | Get the New eBook

websitePush SecurityIdentity Security
Prepare to defend against identity attacks in 2025 by looking back at identity-based breaches in 2024.
New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking

New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking

Oct 03, 2024 Linux / Malware
Misconfigured and vulnerable Linux servers are the target of an ongoing campaign that delivers a stealthy malware dubbed perfctl with the primary aim of running a cryptocurrency miner and proxyjacking software. "Perfctl is particularly elusive and persistent, employing several sophisticated techniques," Aqua security researchers Assaf Morag and Idan Revivo said in a report shared with The Hacker News. "When a new user logs into the server, it immediately stops all 'noisy' activities, lying dormant until the server is idle again. After execution, it deletes its binary and continues to run quietly in the background as a service." It's worth noting that some aspects of the campaign were disclosed last month by Cado Security, which detailed an activity cluster that targets internet-exposed Selenium Grid instances with both cryptocurrency mining and proxyjacking software. Specifically, the fileless perfctl malware has been found to exploit a security ...
New Cryptojacking Attack Targets Docker API to Create Malicious Swarm Botnet

New Cryptojacking Attack Targets Docker API to Create Malicious Swarm Botnet

Oct 01, 2024 Cryptojacking / Docker Security
Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API with the goal of co-opting the instances to join a malicious Docker Swarm controlled by the threat actor. This enabled the attackers to "use Docker Swarm's orchestration features for command-and-control (C2) purposes," Datadog researchers Matt Muir and Andy Giron said in an analysis. The attacks leverage Docker for initial access to deploy a cryptocurrency miner on compromised containers, while also fetching and executing additional payloads that are responsible for conducting lateral movement to related hosts running Docker, Kubernetes, or SSH. Specifically, this involves identifying unauthenticated and exposed Docker API endpoints using Internet scanning tools, such as masscan and ZGrab . On vulnerable endpoints, the Docker API is used to spawn an Alpine container and then retrieve an initialization shell script (init.sh) from a remote server ("solscan[.]liv...
PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks

PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks

Jul 11, 2024 Cyber Attack / Vulnerability
Multiple threat actors have been observed exploiting a recently disclosed security flaw in PHP to deliver remote access trojans, cryptocurrency miners, and distributed denial-of-service (DDoS) botnets. The vulnerability in question is CVE-2024-4577 (CVSS score: 9.8), which allows an attacker to remotely execute malicious commands on Windows systems using Chinese and Japanese language locales. It was publicly disclosed in early June 2024. "CVE-2024-4577 is a flaw that allows an attacker to escape the command line and pass arguments to be interpreted directly by PHP," Akamai researchers Kyle Lefton, Allen West, and Sam Tinklenberg said in a Wednesday analysis. "The vulnerability itself lies in how Unicode characters are converted into ASCII." The web infrastructure company said it began observing exploit attempts against its honeypot servers targeting the PHP flaw within 24 hours of it being public knowledge. This included exploits designed to deliver a remote...
Alert: OracleIV DDoS Botnet Targets Public Docker Engine APIs to Hijack Containers

Alert: OracleIV DDoS Botnet Targets Public Docker Engine APIs to Hijack Containers

Nov 14, 2023 Cloud Security / Malware
Publicly-accessible Docker Engine API instances are being targeted by threat actors as part of a campaign designed to co-opt the machines into a distributed denial-of-service (DDoS) botnet dubbed  OracleIV . "Attackers are exploiting this misconfiguration to deliver a malicious Docker container, built from an image named 'oracleiv_latest' and containing Python malware compiled as an ELF executable," Cado researchers Nate Bill and Matt Muir  said . The malicious activity starts with attackers using an HTTP POST request to Docker's API to retrieve a malicious image from Docker Hub, which, in turn, runs a command to retrieve a shell script (oracle.sh) from a command-and-control (C&C) server. Oracleiv_latest  purports to be a MySQL image for docker and has been pulled 3,500 times to date. In a perhaps not-so-surprising twist, the image also includes additional instructions to fetch an XMRig miner and its configuration from the same server. That said, the clo...
This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies

This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies

Jul 20, 2022
The 8220 cryptomining group has expanded in size to encompass as many as 30,000 infected hosts, up from 2,000 hosts globally in mid-2021. "8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors," Tom Hegel of SentinelOne  said  in a Monday report. The growth is said to have been fueled through the use of Linux and common cloud application vulnerabilities and poorly secured configurations for services such as Docker, Apache WebLogic, and Redis. Active since early 2017, the Chinese-speaking, Monero-mining threat actor was most recently  seen  targeting i686 and x86_64 Linux systems by means of weaponizing a newly disclosed remote code execution exploit for Atlassian Confluence Server (CVE-2022-26134) to drop the PwnRig miner payload. "Victims are not targeted geographically, but simply ident...
Abcbot Botnet Linked to Operators of Xanthe Cryptomining malware

Abcbot Botnet Linked to Operators of Xanthe Cryptomining malware

Jan 10, 2022
New research into the infrastructure behind an emerging DDoS botnet named Abcbot has uncovered "clear" links with a cryptocurrency-mining botnet attack that came to light in December 2020. Attacks involving Abcbot, first  disclosed  by Qihoo 360's Netlab security team in November 2021, are  triggered  via a malicious shell script that targets insecure cloud instances operated by cloud service providers such as Huawei, Tencent, Baidu, and Alibaba Cloud to download malware that co-opts the machine to a botnet, but not before terminating processes from competing threat actors and establishing persistence. The shell script in question is itself an iteration of an earlier version originally  discovered  by Trend Micro in October 2021 hitting vulnerable ECS instances inside Huawei Cloud. But in an interesting twist, continued analysis of the botnet by mapping all known Indicators of Compromise (IoCs), including IP addresses, URLs, and samples, has revealed A...
On-Demand Webinar: Into the Cryptoverse

On-Demand Webinar: Into the Cryptoverse

Nov 17, 2021
In the span of a few years, cryptocurrencies have gone from laughingstock and novelty to a serious financial instrument, and a major sector in high-tech. The price of Bitcoin and Ethereum has gone from single dollars to thousands, and they're increasingly in the mainstream.  This is undoubtedly a positive development, as it opens new avenues for finance, transactions, tech developments, and more. Unfortunately, no innovation is without its dark side, and the crypto industry is no exception. A new webinar from XDR provider Cynet ( you can see it here ) dives deeper into this dark corner to explore the intersection of cybersecurity and cryptocurrency.  The first question is how, exactly, cryptocurrency creates security vulnerabilities for organizations. There's no single answer, and in many cases, the results are more indirect. This bears closer inspection, and the webinar, led by Cynet  CyOps Analyst  Ronen Ahdut, studies the different ways cryptocurrencies are use...
Expert Insights / Articles Videos
Cybersecurity Resources