{
	"id": "934225c3-93bc-4c18-8e36-750e2ec1ce63",
	"created_at": "2026-04-06T00:12:34.17636Z",
	"updated_at": "2026-04-10T03:21:00.225872Z",
	"deleted_at": null,
	"sha1_hash": "17288eb9deacf62bc8f87159791d18827867f29e",
	"title": "GhostMiner Weaponizes WMI, Kills Other Mining Payloads",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68904,
	"plain_text": "GhostMiner Weaponizes WMI, Kills Other Mining Payloads\r\nBy: Carl Maverick Pascual Sep 19, 2019 Read time: 3 min (803 words)\r\nPublished: 2019-09-19 · Archived: 2026-04-05 19:55:25 UTC\r\nCybercriminals continue to use cryptocurrency-mining malware to abuse computing resources for profit. As early as 2017, we have also observed how they have applied fileless techniques to make detection and monitoring more difficult.\r\nOn August 2, we observed a fileless cryptocurrency-mining malware, dubbed GhostMiner, that weaponizes Windows Management Instrumentation (WMI) objects for its fileless persistence, payload mechanisms, and AV-evasion capabilities. This GhostMiner variant was also observed to modify infected host files that are heavily used by MyKings, PowerGhost, PCASTLE, and BULEHERO, among others.\r\nThis malware was observed mining Monero cryptocurrency; however, the arrival details of this variant have not been identified as of writing. An earlier documented sighting of GhostMiner was noted to have used multiple vulnerabilities in MSSQL, phpMyAdmin, and Oracle’s WebLogic to look for and attack susceptible servers.\r\nGhostMiner Details\r\nGhostMiner uses WMI Event Subscriptions to install persistence in an infected machine as well as execute arbitrary code.\r\nEvent Filter\r\n\\\\.\\ROOT\\subscription:__EventFilter.Name=\"PowerShell Event Log Filter\"\r\nEventNamespace : root\\cimv2\r\nQuery : SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'\r\nQueryLanguage : WQL\r\nFilterToConsumerBinding\r\n\\\\.\\ROOT\\subscription:__FilterToConsumerBinding.Consumer=\"CommandLineEventConsumer.Name=\\\"PowerShell Event Log Consumer\\\"\",Filter=\"__EventFilter.Name=\\\"PowerShell Event Log Filter\\\"\"\r\nConsumer : CommandLineEventConsumer.Name=\"PowerShell Event Log Consumer\"\r\nFilter : __EventFilter.Name=\"PowerShell Event Log Filter\"\r\nEvent Consumer\r\n\\\\.\\ROOT\\subscription:CommandLineEventConsumer.Name=\"PowerShell Event Log Consumer\"\r\nCommandLineTemplate : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.eXe -NoP -NonI -EP ByPass -W Hidden -E \u003cBase-64 encoded script\u003e\r\nGhostMiner will also install a WMI class named “PowerShell_Command” at the root\\Default namespace. This WMI class contains the entries Command and CCBot, which hold base-64 encoded functions.\r\nWhen the EventConsumer is triggered, it will read the Command and CCBot entries from the installed WMI “PowerShell_Command” object.\r\nThe Command script, when executed, will do the following:\r\nFunction | Task\r\nWMI_KillFake | Terminates processes and deletes corresponding files based on a list of conditions\r\nWMI_KillService | Terminates services based on a set of conditions\r\nWMI_Scanner | Terminates processes of known cryptominers in the process memory\r\nWMI_CheckFile | Verifies the integrity of the file it drops\r\nTable 1. List of functions the Command script performs once executed\r\nAside from the abovementioned functions, the Command script also has a WMI_Killer function, which terminates running processes and deletes scheduled tasks and services that are associated with cryptocurrency-mining malware families such as:\r\n1. MyKings\r\n2. PowerGhost\r\n3. PCASTLE\r\n4. BULEHERO\r\n5. Other generic MALXMR variants used by malware families, including BlackSquid\r\nFigure 1. List of service names that WMI_Killer terminates and deletes\r\nFigure 2. List of scheduled tasks that WMI_Killer deletes\r\nFigure 3. List of cryptocurrency-mining-related processes that WMI_Killer terminates\r\nWMI_Killer also terminates TCP traffic that uses a list of ports commonly used by cryptocurrency-mining malware.\r\nFigure 4. List of ports that WMI_Killer monitors\r\nAnother Command script function, WMI_CheckHosts, modifies the hosts file of the infected machine, altering entries that are related to competing malware such as BULEHERO.\r\nFigure 5. WMI_CheckHosts function that modifies the infected machine’s hosts file based on the mapped entries that are related to its competition\r\nMeanwhile, the CCBot entry uses two IP addresses, namely 118[.]24[.]63[.]208 and 103[.]105[.]59[.]68, as C\u0026C servers. It uses Base-64 to encode the command it sends and ROT-13, a letter substitution cipher that replaces each letter with the one 13 positions after it, to decode the command it receives.\r\nWe observed that the backdoor communication is only enabled between 12AM and 5AM. It runs Invoke-Expression (IEX) on the response when the C\u0026C server replies. Otherwise, it will continuously try to connect to the abovementioned IP addresses every 30 seconds using the “/Update/CC/CC.php” URI path.\r\nAside from Command and CCBot, the “PowerShell_Command” class also contains the following objects:\r\nMiner : \u003cBase-64 encoded binary code\u003e\r\nVer : \u003cVersion Number\u003e (The current version is v2.13.0)\r\nmPId : \u003cProcess ID of the running cryptocurrency-miner\u003e\r\nnPId : \u003cProcess ID of the installer\u003e\r\nThe miner is a 64-bit payload that is dropped when Command is decoded and executed. However, before it gets dropped, GhostMiner determines the free disk space on the root drive. If the free space is less than 1 GB, it will drop a 10 MB-sized payload. Otherwise, it will drop a 100 MB-sized payload. GhostMiner will then append 2,130 bytes of random data. The file will then be saved as C:\\Windows\\Temp\\lsass.exe.\r\nThe malware will then execute the following commands as part of the miner’s execution routine:\r\nTakeown.exe /f C:\\Windows\\Temp\r\niCACLs.exe C:\\Windows\\Temp /Reset /T /C\r\niCACLs.exe C:\\Windows\\Temp /Grant Everyone:F /T /C\r\niCACLs.exe C:\\Windows\\Temp\\lsass.exe /E /G Everyone:F /C\r\nNetSH Firewall Add AllowedProgram C:\\Windows\\Temp\\lsass.exe \"Windows Update\"\r\nStart-Process -FilePath C:\\Windows\\Temp\\lsass.exe -WindowStyle Hidden -PassThru\r\nAs of writing time, the XMR wallet associated with this campaign only has 50.278384965000 XMR (US$3,868.02) in total paid value.\r\nTrend Micro Deep Discovery Inspector protects customers from threats that may lead to C\u0026C connection and data exfiltration via this DDI rule:\r\n4219: GHOSTMINER - HTTP (Request)\r\nIndicators of Compromise (IoCs)\r\nSHA-256 | Trend Micro Predictive Machine Learning Detection | Trend Micro Pattern\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/"
	],
	"report_names": [
		"fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads"
	],
	"threat_actors": [],
	"ts_created_at": 1775434354,
	"ts_updated_at": 1775791260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17288eb9deacf62bc8f87159791d18827867f29e.pdf",
		"text": "https://archive.orkl.eu/17288eb9deacf62bc8f87159791d18827867f29e.txt",
		"img": "https://archive.orkl.eu/17288eb9deacf62bc8f87159791d18827867f29e.jpg"
	}
}