{
	"id": "4fcf7da2-c1ce-4839-8374-3bdede2ec46c",
	"created_at": "2026-04-06T01:30:57.106647Z",
	"updated_at": "2026-04-10T13:13:00.554863Z",
	"deleted_at": null,
	"sha1_hash": "010bc6ff7e6c95f39a939eccb4e775bd1b49a950",
	"title": "LemonDuck botnet evolves to allow hands-on-keyboard intrusions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 222102,
	"plain_text": "LemonDuck botnet evolves to allow hands-on-keyboard intrusions\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-18 · Archived: 2026-04-06 00:45:15 UTC\r\nOver the past two years, a once-tiny crypto-mining malware strain has evolved into a massive botnet and is now experimenting with hands-on-keyboard intrusions into hacked networks, signaling a dangerous turn that could see the group's operators deliver ransomware or more dangerous threats in the future.\r\nTracked as LemonDuck, the botnet was first spotted by Israeli security firm Guardicore in the first half of 2019.\r\n#Campaign in tweets - @Guardicore Labs in a new tradition; we find the attacks, you get to know them and learn the attackers' tricks and techniques. This time, let's get familiarized with \"Lemon_Duck\", a #cryptomining campaign involving a sophisticated #propagation tool. pic.twitter.com/sUBND697af\r\n— Ophir Harpaz (@OphirHarpaz) July 3, 2019\r\nInitially, the botnet was a small-time operation that relied on classic email spam to distribute malicious files that would infect users with its malware.\r\nThe first iterations of LemonDuck were simplistic. They infected systems, disabled security software, expanded into internal networks, and then deployed a Monero-mining app to generate profits using a hacked organization's computer resources.\r\nHowever, while some botnets would be content with this type of access and operational model, LemonDuck was one of the rare botnet crews that did not settle for meager profits.\r\nOver the past two years, the malware has seen one of the most impressive expansions of any botnet operation active today. It constantly received new features, and in 2020 its creators took the rare step of adding a new infection mechanism to the botnet: support for web-based attacks.\r\nThis included the botnet attacking unpatched web servers using exploit code and running brute-force (password-guessing) attacks against systems like Microsoft Exchange email servers, SQL databases, Hadoop and Redis servers, and systems running internet-exposed SMB and RDP services.\r\nThis saw the botnet grow in size and sophistication far beyond most of its crypto-mining rivals. Today, the botnet can infect both Windows and Linux systems and comes equipped with a trove of features that allow it to remove competing malware from the same infected hosts, patch infected servers to avoid attacks from rivals, and collect credentials from local systems to ensure future and more persistent access.\r\nLemonDuck has grown so much that it recently also drew the attention of the Microsoft security team, which dedicated a two-part series to the malware's recent upgrades.\r\nhttps://therecord.media/lemonduck-botnet-evolves-to-allow-hands-on-keyboard-intrusions/\r\nPage 1 of 4\r\nWhile both Cisco Talos and Sophos previously analyzed LemonDuck operations in their own reports, Microsoft drew attention to recent developments in the LemonDuck code that focused on adding the ability to carry out hands-on-keyboard attacks.\r\nA relatively new term in cybersecurity jargon, hands-on-keyboard attacks are when threat actors stop relying on automated scripts and manually log into an infected system to execute commands themselves.\r\nIn recent years, the botnets that have added this capability have used it primarily to make sure that expansion into a high-profile victim's internal network succeeds, by having an operator run the commands personally with \"hands on keyboard,\" hence the term's origin.\r\nHands-on-keyboard attacks are usually associated with nation-state threat actors, ransomware gangs, and financially motivated cybercrime groups.\r\n\"Back in 2019, when Guardicore Labs discovered LemonDuck, it was the classic spray-and-pray type of campaign,\" Ophir Harpaz, the Guardicore malware analyst who first spotted LemonDuck, told The Record in an interview last week.\r\n\"There was no sign of the hands-on-keyboard nature that future attacks would carry. However, we could tell even at that early phase that LemonDuck operators were serious about their business; their multi-stage PowerShell scripts were more complex and obfuscated than others', and they already made extensive use of open-source tools for code execution and infection,\" Harpaz added.\r\n\"Actually, many of the aspects that Microsoft points out as novel have been there since the beginning: credential theft, removal of security controls and lateral movement - were all there from the very start.\r\n\"What is different about the LemonDuck group is their persistence - and for once, I'm not talking about persistence on infected machines, but persistence in the landscape of botnet campaigns,\" the Guardicore researcher said.\r\n\"They started in March 2019 and literally never stopped since. There was not a single month where we didn't observe a LemonDuck attack hitting our threat sensors,\" Harpaz told The Record.\r\n\"With such consistent campaigns, threat actors must up their game to stay powerful. It is, therefore, no surprise that LemonDuck, which has been running for more than two years, evolves into a much more aggressive campaign with multiple variants and infrastructures.\"\r\nNo connections to ransomware attacks yet\r\nRight now, even though there has been an increase in incidents where a LemonDuck infection has evolved into a hands-on-keyboard attack, there is no evidence to support the theory that LemonDuck has shifted away from its primary purpose of illicit crypto-mining.\r\nHowever, Microsoft has noted that LemonDuck operators have also begun deploying other malware strains on systems they infected, such as the Ramnit family and others.\r\nWith LemonDuck showing signs that it may evolve into a Malware-as-a-Service operation that rents access to other cybercrime gangs, the ability to carry out hands-on-keyboard attacks may soon be abused for more dangerous intrusions, such as economic espionage, BEC scams, or even ransomware.\r\nUntil then, IT security teams will need to re-assess and prioritize LemonDuck detections before this evolving botnet catches them off guard.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.\r\nSource: https://therecord.media/lemonduck-botnet-evolves-to-allow-hands-on-keyboard-intrusions/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/lemonduck-botnet-evolves-to-allow-hands-on-keyboard-intrusions/"
	],
	"report_names": [
		"lemonduck-botnet-evolves-to-allow-hands-on-keyboard-intrusions"
	],
	"threat_actors": [],
	"ts_created_at": 1775439057,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/010bc6ff7e6c95f39a939eccb4e775bd1b49a950.pdf",
		"text": "https://archive.orkl.eu/010bc6ff7e6c95f39a939eccb4e775bd1b49a950.txt",
		"img": "https://archive.orkl.eu/010bc6ff7e6c95f39a939eccb4e775bd1b49a950.jpg"
	}
}