cryptojacking | Breaking Cybersecurity News | The Hacker News

A China-linked unnamed threat actor dubbed Chaya_004 has been observed exploiting a recently disclosed security flaw in SAP NetWeaver. Forescout Vedere Labs, in a report published Thursday, said it uncovered a malicious infrastructure likely associated with the hacking group weaponizing CVE-2025-31324 (CVSS score: 10.0) since April 29, 2025. CVE-2025-31324 refers to a critical SAP NetWeaver flaw that allows attackers to achieve remote code execution (RCE) by uploading web shells through a susceptible "/developmentserver/metadatauploader" endpoint. The vulnerability was first flagged by ReliaQuest late last month when it found the shortcoming being abused in real-world attacks by unknown threat actors to drop web shells and the Brute Ratel C4 post-exploitation framework. According to Onapsis, hundreds of SAP systems globally have fallen victim to attacks spanning industries and geographies, including energy and utilities, manufacturing, media and entertainment, oil an...

Cybersecurity researchers have detailed a malware campaign that's targeting Docker environments with a previously undocumented technique to mine cryptocurrency. The activity cluster, per Darktrace and Cado Security , represents a shift from other cryptojacking campaigns that directly deploy miners like XMRig to illicitly profit off the compute resources. This involves deploying a malware strain that connects to a nascent Web3 service called Teneo, a decentralized physical infrastructure network (DePIN) that allows users to monetize public social media data by running a Community Node in exchange for rewards called Teneo Points , which can be converted into $TENEO Tokens. The node essentially functions as a distributed social media scraper to extract posts from Facebook, X, Reddit, and TikTok. An analysis of artifacts gathered from Darktrace's honeypots has revealed that the attack starts with a request to launch a container image " kazutod/tene:ten " from the ...

Cybersecurity researchers are warning of continued risks posed by a distributed denial-of-service (DDoS) malware known as XorDDoS , with 71.3 percent of the attacks between November 2023 and February 2025 targeting the United States. "From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence," Cisco Talos researcher Joey Chen said in a Thursday analysis.  "This trend is not only due to the widespread global distribution of the XorDDoS trojan but also an uptick in malicious DNS requests linked to its command-and-control (C2) infrastructure. In addition to targeting commonly exposed Linux machines, the trojan has expanded its reach to Docker servers, converting infected hosts into bots." Nearly 42 percent of the compromised devices are located in the United States, followed by Japan, Canada, Denmark, Italy, Morocco, and China. XorDDoS is a well-known malware that has a track record of striking Linux systems for over a decade. In May 2022...

Cybersecurity researchers have shed light on an "auto-propagating" cryptocurrency mining botnet called Outlaw (aka Dota) that's known for targeting SSH servers with weak credentials. "Outlaw is a Linux malware that relies on SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect and maintain control over systems," Elastic Security Labs said in a new analysis published Tuesday. Outlaw is also the name given to the threat actors behind the malware. It's believed to be of Romanian origin. Other hacking groups dominating the cryptojacking landscape include 8220, Keksec (aka Kek Security), Kinsing, and TeamTNT. Active since at least late 2018 , the hacking crew has brute-forced SSH servers , abusing the foothold to conduct reconnaissance and maintain persistence on the compromised hosts by adding their own SSH keys to the "authorized_keys" file. The attackers are also known to incorporate a multi-stage infection ...

Exposed PostgreSQL instances are the target of an ongoing campaign designed to gain unauthorized access and deploy cryptocurrency miners. Cloud security firm Wiz said the activity is a variant of an intrusion set that was first flagged by Aqua Security in August 2024 that involved the use of a malware strain dubbed PG_MEM . The campaign has been attributed to a threat actor Wiz tracks as JINX-0126. "The threat actor has since evolved, implementing defense evasion techniques such as deploying binaries with a unique hash per target and executing the miner payload filelessly – likely to evade detection by [cloud workload protection platform] solutions that rely solely on file hash reputation," researchers Avigayil Mechtinger, Yaara Shriki, and Gili Tikochinski said . Wiz has also revealed that the campaign has likely claimed over 1,500 victims to date, indicating that publicly-exposed PostgreSQL instances with weak or predictable credentials are prevalent enough to become ...

Cybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads. The malware, according to Zscaler ThreatLabz, shares behavioral similarities with another known malware loader known as SmokeLoader .  "The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products," Brett Stone-Gross, senior director of threat intelligence at Zscaler, said in a technical write-up published this week. "The malware uses numerous techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers." CoffeeLoader, which originated around September 2024, leverages a domain generation algorithm (DGA) as a fallback mechanism in case the primary command-and-control (C2) channels become unreachable. Central to the malwar...

Threat actors are exploiting a severe security flaw in PHP to deliver cryptocurrency miners and remote access trojans (RATs) like Quasar RAT. The vulnerability, assigned the CVE identifier CVE-2024-4577 , refers to an argument injection vulnerability in PHP affecting Windows-based systems running in CGI mode that could allow remote attackers to run arbitrary code. Cybersecurity company Bitdefender said it has observed a surge in exploitation attempts against CVE-2024-4577 since late last year, with a significant concentration reported in Taiwan (54.65%), Hong Kong (27.06%), Brazil (16.39%), Japan (1.57%), and India (0.33%). About 15% of the detected exploitation attempts involve basic vulnerability checks using commands like "whoami" and "echo <test_string>." Another 15% revolve around commands used for system reconnaissance, such as process enumeration, network discovery, user and domain information, and system metadata gathering. Martin Zugec, technic...

The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting Korean and English-speaking users. Lookout, which shared details of the malware campaign, said the earliest versions date back to March 2022. The most recent samples were flagged in March 2024. It's not clear how successful these efforts were. "KoSpy can collect extensive data, such as SMS messages, call logs, location, files, audio, and screenshots via dynamically loaded plugins," the company said in an analysis. The malicious artifacts masquerade as utility applications on the official Google Play Store, using the names File Manager, Phone Manager, Smart Manager, Software Update Utility, and Kakao Security to trick unsuspecting users into infecting their own devices. All the identified apps offer the promised functionality to avoid raising suspicion while stealthily deploying spyware-related components in the backg...

Internet service providers (ISPs) in China and the West Coast of the United States have become the target of a mass exploitation campaign that deploys information stealers and cryptocurrency miners on compromised hosts. The findings come from the Splunk Threat Research Team, which said the activity also led to the delivery of various binaries that facilitate data exfiltration as well as offer ways to establish persistence on the systems. The unidentified threat actors performed "minimal intrusive operations to avoid detection, with the exception of artifacts created by accounts already compromised," the Cisco-owned company said in a technical report published last week. "This actor also moves and pivots primarily by using tools that depend and run on scripting languages (e.g., Python and Powershell), allowing the actor to perform under restricted environments and use API calls (e.g., Telegram) for C2 [command-and-control] operations." The attacks have been ob...

Users who are on the lookout for popular games were lured into downloading trojanized installers that led to the deployment of a cryptocurrency miner on compromised Windows hosts. The large-scale activity has been codenamed StaryDobry by Russian cybersecurity company Kaspersky, which first detected it on December 31, 2024. It lasted for a month. Targets of the campaign include individuals and businesses worldwide, with Kaspersky's telemetry finding higher infection concentrations in Russia, Brazil, Germany, Belarus, and Kazakhstan. "This approach helped the threat actors make the most out of the miner implant by targeting powerful gaming machines capable of sustaining mining activity," researchers Tatyana Shishkova and Kirill Korchemny said in an analysis published Tuesday. The XMRig cryptocurrency miner campaign employs popular simulator and physics games like BeamNG.drive, Garry's Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy as lures to initi...

Google on Wednesday shed light on a financially motivated threat actor named TRIPLESTRENGTH for its opportunistic targeting of cloud environments for cryptojacking and on-premise ransomware attacks. "This actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity," the tech giant's cloud division said in its 11th Threat Horizons Report . TRIPLESTRENGTH engages in a trifecta of malicious attacks, including illicit cryptocurrency mining, ransomware and extortion, and advertising access to various cloud platforms, such as Google Cloud, Amazon Web Services, Microsoft Azure, Linode, OVHCloud, and Digital Ocean, to other threat actors. Initial access to target cloud instances is facilitated by means of stolen credentials and cookies, some of which originate from Raccoon information stealer infection logs. The hijacked environments are then abused to create compute resources for mining cryp...

Threat actors have been found leveraging a new technique that abuses extended attributes for macOS files to smuggle a new malware called RustyAttr . The Singaporean cybersecurity company has attributed the novel activity with moderate confidence to the infamous North Korea-linked Lazarus Group, citing infrastructure and tactical overlaps observed in connection with prior campaigns, including RustBucket .  Extended attributes refer to additional metadata associated with files and directories that can be extracted using a dedicated command called xattr . They are often used to store information that goes beyond the standard attributes, such as file size, timestamps, and permissions. The malicious applications discovered by Group-IB are built using Tauri , a cross-platform desktop application framework, and signed with a leaked certificate that has since been revoked by Apple. They include an extended attribute that's configured to fetch and run a shell script. The execution of...

The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third-parties. "The group is currently targeting exposed Docker daemons to deploy Sliver malware, a cyber worm, and cryptominers, using compromised servers and Docker Hub as the infrastructure to spread their malware," Assaf Morag, director of threat intelligence at cloud security firm Aqua, said in a report published Friday. The attack activity is once again a testament to the threat actor's persistence and its ability to evolve its tactics and mounting multi-stage assaults with the goal of compromising Docker environments and enlisting them into a Docker Swarm. Besides using Docker Hub to host and distribute their malicious payloads, TeamTNT has been observed offering the victims' computational power to other parties for illicit cryptocurrency mining, thus di...

Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API with the goal of co-opting the instances to join a malicious Docker Swarm controlled by the threat actor. This enabled the attackers to "use Docker Swarm's orchestration features for command-and-control (C2) purposes," Datadog researchers Matt Muir and Andy Giron said in an analysis. The attacks leverage Docker for initial access to deploy a cryptocurrency miner on compromised containers, while also fetching and executing additional payloads that are responsible for conducting lateral movement to related hosts running Docker, Kubernetes, or SSH. Specifically, this involves identifying unauthenticated and exposed Docker API endpoints using Internet scanning tools, such as masscan and ZGrab . On vulnerable endpoints, the Docker API is used to spawn an Alpine container and then retrieve an initialization shell script (init.sh) from a remote server ("solscan[.]liv...

The cryptojacking operation known as TeamTNT has likely resurfaced as part of a new campaign targeting Virtual Private Server (VPS) infrastructures based on the CentOS operating system. "The initial access was accomplished via a Secure Shell (SSH) brute force attack on the victim's assets, during which the threat actor uploaded a malicious script," Group-IB researchers Vito Alfano and Nam Le Phuong said in a Wednesday report. The malicious script, the Singaporean cybersecurity company noted, is responsible for disabling security features, deleting logs, terminating cryptocurrency mining processes, and inhibiting recovery efforts. The attack chains ultimately pave the way for the deployment of the Diamorphine rootkit to conceal malicious processes, while also setting up persistent remote access to the compromised host. The campaign has been attributed to TeamTNT with moderate confidence, citing similarities in the tactics, techniques, and procedures (TTPs) observed...

Threat actors are actively exploiting a now-patched, critical security flaw impacting the Atlassian Confluence Data Center and Confluence Server to conduct illicit cryptocurrency mining on susceptible instances. "The attacks involve threat actors that employ methods such as the deployment of shell scripts and XMRig miners, targeting of SSH endpoints, killing competing crypto mining processes, and maintaining persistence via cron jobs," Trend Micro researcher Abdelrahman Esmail said . The security vulnerability exploited is CVE-2023-22527 , a maximum severity bug in older versions of Atlassian Confluence Data Center and Confluence Server that could allow unauthenticated attackers to achieve remote code execution. It was addressed by the Australian software company in mid-January 2024. Trend Micro said it observed a high number of exploitation attempts against the flaw between mid-June and end of July 2024 that leveraged it to drop the XMRig miner on unpatched hosts. At l...

The peer-to-peer malware botnet known as P2PInfect has been found targeting misconfigured Redis servers with ransomware and cryptocurrency miners. The development marks the threat's transition from what appeared to be a dormant botnet with unclear motives to a financially motivated operation. "With its latest updates to the crypto miner, ransomware payload, and rootkit elements, it demonstrates the malware author's continued efforts into profiting off their illicit access and spreading the network further, as it continues to worm across the internet," Cado Security said in a report published this week. P2PInfect came to light nearly a year ago, and has since received updates to target MIPS and ARM architectures. Earlier this January, Nozomi Networks uncovered the use of the malware to deliver miner payloads. It typically spreads by targeting Redis servers and its replication feature to transform victim systems into a follower node of the attacker-controlled server...