{
	"id": "68fe513e-6f8e-4ec0-9087-d413140f47ee",
	"created_at": "2026-04-06T00:20:07.056279Z",
	"updated_at": "2026-04-10T13:12:59.769731Z",
	"deleted_at": null,
	"sha1_hash": "222b207bb9ef5774b2cc79dd57729bf500ac172a",
	"title": "New Underminer Exploit Kit Discovered Pushing Bootkits and CoinMiners",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1039656,
	"plain_text": "New Underminer Exploit Kit Discovered Pushing Bootkits and CoinMiners\r\nBy Catalin Cimpanu\r\nPublished: 2018-07-28 · Archived: 2026-04-05 20:07:03 UTC\r\nSecurity researchers have discovered a new exploit kit, currently active mainly in Asian countries, which, they say, has been busy spreading bootkits and cryptocurrency-mining (coinminer) malware.\r\nThis new exploit kit (EK) has been named Underminer in a report published yesterday by security firm Trend Micro. The company says it discovered the first clues of its existence last week, around July 17.\r\nBut fellow security firm Malwarebytes, which released an adjacent report that focused mainly on the coinminer malware spread by Underminer, says it tracked down earlier signs of this EK's activity dating back to late 2017, when it was first mentioned by Chinese security firm Qihoo 360.\r\nhttps://www.bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/\r\nPage 1 of 5\r\nThe EK appears to have spent quite a few months operating at a smaller scale before expanding its activity to other countries.\r\nAccording to Trend Micro, most of the web traffic flowing into Underminer is from Japan (70%), while the rest comes from Taiwan (10%), South Korea (6%), and other countries with smaller percentages.\r\nEK uses a small number of exploits\r\nAt the technical level, the exploit kit is still small in terms of the number of exploits it deploys to infect users with malware. Researchers have spotted only three. They are:\r\nCVE-2015-5119 — a use-after-free vulnerability in Adobe Flash Player patched in July 2015\r\nCVE-2016-0189 — a memory corruption vulnerability in Internet Explorer (IE) patched in May 2016\r\nCVE-2018-4878 — a use-after-free vulnerability in Adobe Flash Player patched in February 2018\r\nNone is specific to Underminer, and all have been used by other EKs in the past, suggesting the EK authors built their operation by copying the ones that came before it.\r\nUnderminer has been deploying Hidden Bee malware\r\nAs for the malware delivery mechanism used in recent campaigns, the EK has been seen using encrypted TCP tunnels to deploy a bootkit first — for OS persistence — and then a coinminer.\r\nTrend Micro calls this coinminer \"Hidden Mellifera,\" while Malwarebytes refers to it as \"Hidden Bee,\" the same name it received in the Chinese infosec community last year, when it was first spotted and analyzed [1, 2].\r\nExploit kits have been on a downward trend in the past two to three years, and usually keeping an up-to-date browser and OS is enough to safeguard users from getting infected.\r\nA few new exploit kits pop up on the market once in a while, but all are short-lived, as they have a hard time keeping their operation at profitable levels, mainly because modern browsers are harder and harder to hack, while Flash usage has gone down in recent years [1, 2].\r\nSource: https://www.bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/"
	],
	"report_names": [
		"new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434807,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/222b207bb9ef5774b2cc79dd57729bf500ac172a.pdf",
		"text": "https://archive.orkl.eu/222b207bb9ef5774b2cc79dd57729bf500ac172a.txt",
		"img": "https://archive.orkl.eu/222b207bb9ef5774b2cc79dd57729bf500ac172a.jpg"
	}
}