cryptojacking | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have detailed two novel methods that can be used to disrupt cryptocurrency mining botnets. The methods take advantage of the design of various common mining topologies in order to shut down the mining process , Akamai said in a new report published today. "We developed two techniques by leveraging the mining topologies and pool policies that enable us to reduce a cryptominer botnet's effectiveness to the point of completely shutting it down, which forces the attacker to make radical changes to their infrastructure or even abandon the entire campaign," security researcher Maor Dahan said . The techniques, the web infrastructure company said, hinge on exploiting the Stratum mining protocol such that it causes an attacker's mining proxy or wallet to be banned, effectively disrupting the operation. The first of the two approaches, dubbed bad shares, entails banning the mining proxy from the network, which, in turn, results in the shutdow...

Misconfigured Docker instances are the target of a campaign that employs the Tor anonymity network to stealthily mine cryptocurrency in susceptible environments. "Attackers are exploiting misconfigured Docker APIs to gain access to containerized environments, then using Tor to mask their activities while deploying crypto miners," Trend Micro researchers Sunil Bharti and Shubham Singh said in an analysis published last week. In using Tor, the idea is to anonymize their origins during the installation of the miner on compromised systems. The attacks, per the cybersecurity company, commence with a request from the IP address 198.199.72[.]27 to obtain a list of all containers on the machine. If no containers are present, the attacker proceeds to create a new one based on the "alpine" Docker image and mounts the "/hostroot" directory – i.e., the root directory ("/") of the physical or virtual host machine – as a volume inside it. This behavior p...

Several malicious packages have been uncovered across the npm, Python, and Ruby package repositories that drain funds from cryptocurrency wallets, erase entire codebases after installation, and exfiltrate Telegram API tokens, once again demonstrating the variety of supply chain threats lurking in open-source ecosystems. The findings come from multiple reports published by Checkmarx, ReversingLabs, Safety, and Socket in recent weeks. The list of identified packages across these platforms are listed below - Socket noted that the two malicious gems were published by a threat actor under the aliases Bùi nam, buidanhnam, and si_mobile merely days after Vietnam ordered a nationwide ban on the Telegram messaging app late last month for allegedly not cooperating with the government to tackle illicit activities related to fraud, drug trafficking, and terrorism. "These gems silently exfiltrate all data sent to the Telegram API by redirecting traffic through a command-and-control (C2...

Cybersecurity researchers have discovered a new cryptojacking campaign that's targeting publicly accessible DevOps web servers such as those associated with Docker, Gitea, and HashiCorp Consul and Nomad to illicitly mine cryptocurrencies. Cloud security firm Wiz, which is tracking the activity under the name JINX-0132 , said the attackers are exploiting a wide range of known misconfigurations and vulnerabilities to deliver the miner payload. "Notably, this campaign marks what we believe to be the first publicly documented instance of Nomad misconfigurations being exploited as an attack vector in the wild," researchers Gili Tikochinski, Danielle Aminov, and Merav Bar said in a report shared with The Hacker News. What sets these attacks further stand out is that the bad actors download the necessary tools directly from GitHub repositories rather than using their own infrastructure for staging purposes. The use of off-the-shelf tools is seen as a deliberate attempt to c...

A financially motivated threat actor has been observed exploiting a recently disclosed remote code execution flaw affecting the Craft Content Management System (CMS) to deploy multiple payloads, including a cryptocurrency miner, a loader dubbed Mimo Loader, and residential proxyware. The vulnerability in question is CVE-2025-32432 , a maximum severity flaw in Craft CMS that was patched in versions 3.9.15, 4.14.15, and 5.6.17. The existence of the security defect was first disclosed in April 2025 by Orange Cyberdefense SensePost after it was observed in attacks earlier this February. According to a new report published by Sekoia, the threat actors behind the campaign weaponized CVE-2025-32432 to obtain unauthorized access to the target systems and then deploy a web shell to enable persistent remote access. The web shell is then used to download and execute a shell script ("4l4md4r.sh") from a remote server using curl, wget, or the Python library urllib2. "Regarding ...

Misconfigured Docker API instances have become the target of a new malware campaign that transforms them into a cryptocurrency mining botnet. The attacks, designed to mine for Dero currency, is notable for its worm-like capabilities to propagate the malware to other exposed Docker instances and rope them into an ever-growing horde of mining bots. Kaspersky said it observed an unidentified threat actor gaining initial access to a running containerized infrastructure by exploiting an insecurely published Docker API, and then weaponizing that access to create the illicit cryptojacking network. "This led to the running containers being compromised and new ones being created not only to hijack the victim's resources for cryptocurrency mining but also to launch external attacks to propagate to other networks," security researcher Amged Wageh said . The attack chain is realized through two components: A propagation malware "nginx" that scans the internet for expos...

Cybersecurity researchers are calling attention to a new Linux cryptojacking campaign that's targeting publicly accessible Redis servers. The malicious activity has been codenamed RedisRaider by Datadog Security Labs. "RedisRaider aggressively scans randomized portions of the IPv4 space and uses legitimate Redis configuration commands to execute malicious cron jobs on vulnerable systems," security researchers Matt Muir and Frederic Baguelin said . The end goal of the campaign is to drop a Go-based primary payload that's responsible for unleashing an XMRig miner on compromised systems. The activity entails using a bespoke scanner to identify publicly accessible Redis servers across the internet and then issuing an INFO command to determine if the instances are running on a Linux host. If it's found to be the case, the scanning algorithm proceeds to abuse Redis's SET command to inject a cron job. The malware then uses the CONFIG command to change the Redi...

A China-linked unnamed threat actor dubbed Chaya_004 has been observed exploiting a recently disclosed security flaw in SAP NetWeaver. Forescout Vedere Labs, in a report published Thursday, said it uncovered a malicious infrastructure likely associated with the hacking group weaponizing CVE-2025-31324 (CVSS score: 10.0) since April 29, 2025. CVE-2025-31324 refers to a critical SAP NetWeaver flaw that allows attackers to achieve remote code execution (RCE) by uploading web shells through a susceptible "/developmentserver/metadatauploader" endpoint. The vulnerability was first flagged by ReliaQuest late last month when it found the shortcoming being abused in real-world attacks by unknown threat actors to drop web shells and the Brute Ratel C4 post-exploitation framework. According to Onapsis, hundreds of SAP systems globally have fallen victim to attacks spanning industries and geographies, including energy and utilities, manufacturing, media and entertainment, oil an...

Cybersecurity researchers have detailed a malware campaign that's targeting Docker environments with a previously undocumented technique to mine cryptocurrency. The activity cluster, per Darktrace and Cado Security , represents a shift from other cryptojacking campaigns that directly deploy miners like XMRig to illicitly profit off the compute resources. This involves deploying a malware strain that connects to a nascent Web3 service called Teneo, a decentralized physical infrastructure network (DePIN) that allows users to monetize public social media data by running a Community Node in exchange for rewards called Teneo Points , which can be converted into $TENEO Tokens. The node essentially functions as a distributed social media scraper to extract posts from Facebook, X, Reddit, and TikTok. An analysis of artifacts gathered from Darktrace's honeypots has revealed that the attack starts with a request to launch a container image " kazutod/tene:ten " from the ...

Cybersecurity researchers are warning of continued risks posed by a distributed denial-of-service (DDoS) malware known as XorDDoS , with 71.3 percent of the attacks between November 2023 and February 2025 targeting the United States. "From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence," Cisco Talos researcher Joey Chen said in a Thursday analysis.  "This trend is not only due to the widespread global distribution of the XorDDoS trojan but also an uptick in malicious DNS requests linked to its command-and-control (C2) infrastructure. In addition to targeting commonly exposed Linux machines, the trojan has expanded its reach to Docker servers, converting infected hosts into bots." Nearly 42 percent of the compromised devices are located in the United States, followed by Japan, Canada, Denmark, Italy, Morocco, and China. XorDDoS is a well-known malware that has a track record of striking Linux systems for over a decade. In May 2022...

Cybersecurity researchers have shed light on an "auto-propagating" cryptocurrency mining botnet called Outlaw (aka Dota) that's known for targeting SSH servers with weak credentials. "Outlaw is a Linux malware that relies on SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect and maintain control over systems," Elastic Security Labs said in a new analysis published Tuesday. Outlaw is also the name given to the threat actors behind the malware. It's believed to be of Romanian origin. Other hacking groups dominating the cryptojacking landscape include 8220, Keksec (aka Kek Security), Kinsing, and TeamTNT. Active since at least late 2018 , the hacking crew has brute-forced SSH servers , abusing the foothold to conduct reconnaissance and maintain persistence on the compromised hosts by adding their own SSH keys to the "authorized_keys" file. The attackers are also known to incorporate a multi-stage infection ...

Exposed PostgreSQL instances are the target of an ongoing campaign designed to gain unauthorized access and deploy cryptocurrency miners. Cloud security firm Wiz said the activity is a variant of an intrusion set that was first flagged by Aqua Security in August 2024 that involved the use of a malware strain dubbed PG_MEM . The campaign has been attributed to a threat actor Wiz tracks as JINX-0126. "The threat actor has since evolved, implementing defense evasion techniques such as deploying binaries with a unique hash per target and executing the miner payload filelessly – likely to evade detection by [cloud workload protection platform] solutions that rely solely on file hash reputation," researchers Avigayil Mechtinger, Yaara Shriki, and Gili Tikochinski said . Wiz has also revealed that the campaign has likely claimed over 1,500 victims to date, indicating that publicly-exposed PostgreSQL instances with weak or predictable credentials are prevalent enough to become ...

Cybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads. The malware, according to Zscaler ThreatLabz, shares behavioral similarities with another known malware loader known as SmokeLoader .  "The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products," Brett Stone-Gross, senior director of threat intelligence at Zscaler, said in a technical write-up published this week. "The malware uses numerous techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers." CoffeeLoader, which originated around September 2024, leverages a domain generation algorithm (DGA) as a fallback mechanism in case the primary command-and-control (C2) channels become unreachable. Central to the malwar...

Threat actors are exploiting a severe security flaw in PHP to deliver cryptocurrency miners and remote access trojans (RATs) like Quasar RAT. The vulnerability, assigned the CVE identifier CVE-2024-4577 , refers to an argument injection vulnerability in PHP affecting Windows-based systems running in CGI mode that could allow remote attackers to run arbitrary code. Cybersecurity company Bitdefender said it has observed a surge in exploitation attempts against CVE-2024-4577 since late last year, with a significant concentration reported in Taiwan (54.65%), Hong Kong (27.06%), Brazil (16.39%), Japan (1.57%), and India (0.33%). About 15% of the detected exploitation attempts involve basic vulnerability checks using commands like "whoami" and "echo <test_string>." Another 15% revolve around commands used for system reconnaissance, such as process enumeration, network discovery, user and domain information, and system metadata gathering. Martin Zugec, technic...

The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting Korean and English-speaking users. Lookout, which shared details of the malware campaign, said the earliest versions date back to March 2022. The most recent samples were flagged in March 2024. It's not clear how successful these efforts were. "KoSpy can collect extensive data, such as SMS messages, call logs, location, files, audio, and screenshots via dynamically loaded plugins," the company said in an analysis. The malicious artifacts masquerade as utility applications on the official Google Play Store, using the names File Manager, Phone Manager, Smart Manager, Software Update Utility, and Kakao Security to trick unsuspecting users into infecting their own devices. All the identified apps offer the promised functionality to avoid raising suspicion while stealthily deploying spyware-related components in the backg...