{
	"id": "8a573bc0-cf23-4c92-bfbe-b4083e2d4d4f",
	"created_at": "2026-04-06T00:11:51.542651Z",
	"updated_at": "2026-04-10T13:11:58.422931Z",
	"deleted_at": null,
	"sha1_hash": "1dc2bc8cf873352431b7f13a7ba4d4f0038d7b24",
	"title": "Cryptocurrency Mining Malware Discovered Targeting Seagate NAS Hard Drives",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 129792,
	"plain_text": "Cryptocurrency Mining Malware Discovered Targeting Seagate\r\nNAS Hard Drives\r\nBy Catalin Cimpanu\r\nPublished: 2016-09-09 · Archived: 2026-04-05 23:48:41 UTC\r\nA malware variant named Mal/Miner-C (also known as PhotoMiner) is infecting Internet-exposed Seagate\r\nCentral Network Attached Storage (NAS) devices and using them to infect connected computers to mine for\r\nthe Monero cryptocurrency.\r\nMiner-C, or PhotoMiner, appeared at the start of June 2016, when a report revealed how this malware was\r\ntargeting FTP servers and spreading on its own to new machines thanks to worm-like features that attempted to\r\nbrute-force other FTP servers using a list of default credentials.\r\nMiner-C now specifically targets Seagate Central NAS hard drives\r\nThis same functionality is still present in the latest Miner-C version, but security researchers from Sophos say that\r\nrecent Miner-C iterations are using a design flaw in the Seagate Central NAS devices to place a copy of itself on\r\ntheir public data folders.\r\nNAS devices, which are network-connected hard drives, allow users to access files from the local network, but\r\nalso via the Internet if the administrator chooses to open the NAS drive for remote access.\r\nAccording to Sophos, Seagate Central devices contain a public folder accessible to all users, even anonymous\r\nnon-logged-in users, which can't be deactivated or deleted.\r\nMiner-C tricks users into installing the cryptocurrency miner\r\nMiner-C is copying files to this public folder on all Seagate Central NAS devices it can find. 
One of the files it\r\ncopies is called Photo.scr, a script file that malware coders have modified to use a standard Windows folder icon.\r\nBecause Windows has a bad habit of hiding file extensions, whenever the device owner accesses their NAS, they\r\nsee this file as a folder, fooled by the fake icon.\r\nWhen they try to access the folder, they're actually executing the Photo.scr file, which installs a cryptocurrency\r\nmining application on their PC.\r\nhttps://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml\r\nPage 1 of 3\n\nPublic and private folders on Seagate Central NAS drives\r\nMiner-C also features a modular structure made of different parts that do different things, and it uses a unique\r\nmethod of loading its config file.\r\n\"Since it generates a new initialization file when it is launched, it helps the malware avoid security solutions. It\r\nalso gives the botnet operators a chance to change the payload of the threat in the future, for example, dropping\r\nransomware to the victim's machine after the mining business is no longer profitable,\" the Sophos team explains in\r\na technical report.\r\nMiner-C mines for Monero only\r\nRight now, Monero is one of the most profitable cryptocurrencies when it comes to mining operations. 
While\r\nBitcoin mining difficulty has increased many times over the years, PC-based Bitcoin mining ceased to be\r\nprofitable in 2012 and is currently only an option if you're using special hardware and dedicated data centers.\r\nMonero is one of the few cryptocurrencies that can still be mined using regular PCs, hence the reason the crooks\r\nchose it.\r\nThere are around 5,000 Seagate Central NAS devices infected\r\nAccording to telemetry data Sophos researchers gathered, Miner-C has infected around 70 percent of all Seagate\r\nCentral NAS devices available on the Internet.\r\nResearchers discovered around 7,000 Seagate Central NAS devices connected to the Internet, which means crooks\r\nmanaged to infect around 5,000 such devices.\r\nSince all the accounts to which crooks collect Monero are stored in the malware's config file, Sophos was able to\r\nestimate that they have made around €76,600 ($86,400) from their operations until now and are currently\r\nresponsible for 2.5 percent of the entire Monero mining activity.\r\nThe quandary is that Seagate Central owners have no way to protect their device. Turning off the remote access\r\nNAS feature can prevent the infection, but also means they lose the ability to access the device from a remote\r\nlocation, one of the reasons they purchased the hard drive in the first place.\r\nMap of infected Seagate Central NAS devices\r\nSource: https://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml"
	],
	"report_names": [
		"cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml"
	],
	"threat_actors": [],
	"ts_created_at": 1775434311,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1dc2bc8cf873352431b7f13a7ba4d4f0038d7b24.pdf",
		"text": "https://archive.orkl.eu/1dc2bc8cf873352431b7f13a7ba4d4f0038d7b24.txt",
		"img": "https://archive.orkl.eu/1dc2bc8cf873352431b7f13a7ba4d4f0038d7b24.jpg"
	}
}