{
	"id": "b05edb8f-0110-4ecf-941d-66467fb68eff",
	"created_at": "2026-04-06T00:22:33.035468Z",
	"updated_at": "2026-04-10T13:12:38.238107Z",
	"deleted_at": null,
	"sha1_hash": "2c1011cc5db707b1f6ee92ed2b00c67d761ac60c",
	"title": "Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7790454,
	"plain_text": "Examining Water Sigbin's Infection Routine Leading to an XMRig Cryptominer\r\nPublished: 2024-06-28 · Archived: 2026-04-05 13:38:38 UTC\r\nExploits \u0026 Vulnerabilities\r\nWe analyze the multi-stage loading technique used by Water Sigbin to deliver the PureCrypter loader and the XMRig cryptocurrency miner.\r\nBy: Ahmed Mohamed Ibrahim, Shubham Singh, Sunil Bharti Jun 28, 2024 Read time: 7 min (1939 words)\r\nSummary\r\nWater Sigbin continues to exploit CVE-2017-3506 and CVE-2023-21839 to deploy cryptocurrency miners via a PowerShell script.\r\nThe threat actor employs fileless execution techniques, using reflective DLL loading and process injection, so that the malicious code runs solely in memory and avoids disk-based detection mechanisms.\r\nThis blog entry details the multi-stage loading technique that Water Sigbin uses to deliver the PureCrypter loader and the XMRig cryptocurrency miner.\r\nWater Sigbin (8220 Gang), a threat actor that focuses on deploying cryptocurrency-mining malware, has also been actively targeting Oracle WebLogic servers. As discussed in our previous blog entry, we found the threat actor exploiting vulnerabilities in Oracle WebLogic Server, notably CVE-2017-3506 and CVE-2023-21839, to deploy cryptocurrency miners via PowerShell scripts.\r\nIn this entry, we examine the multi-stage loading technique used to deliver the PureCrypter loader and the XMRig cryptocurrency miner. All payloads used in this campaign are protected with .NET Reactor, a commercial .NET code-protection product, to hinder reverse engineering: the protection obfuscates the code, making it harder for defenders to analyze, and adds anti-debugging checks. The payload was delivered through the exploitation of CVE-2017-3506. Figure 1 shows the attack payload we observed.\r\nFigure 1. Attack payload found during the exploitation of CVE-2017-3506\r\nhttps://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html\r\nPage 1 of 17\r\nFigure 2. Water Sigbin attack diagram\r\nTechnical analysis\r\nUpon successful exploitation of CVE-2017-3506, Water Sigbin deploys a PowerShell script on the compromised machine. This script decodes the first-stage Base64-encoded payload embedded in the bin.ps1 PowerShell script. In this case, the script we analyzed was less complicated than the one we observed in earlier attacks.\r\nFigure 3. The PowerShell script drops, decodes, and executes the loader\r\nThe script drops the initial-stage loader into the temporary directory under the name wireguard2-3.exe and then executes it. The file name imitates the legitimate WireGuard VPN client so that users and AV engines are more likely to treat it as genuine software.\r\nFigure 4. File properties\r\nFile name: wireguard2-3.exe\r\nSHA256: f4d11b36a844a68bf9718cf720984468583efa6664fc99966115a44b9a20aa33\r\nSize: 5.82 MB (6102016 bytes)\r\nType: EXE\r\nTable 1. First-stage loader details\r\nwireguard2-3.exe is a trojan loader that decrypts, maps, and executes a second-stage payload in memory. The loader dynamically retrieves, loads, and executes another binary from the resource Chgnic.Properties.Resources.resources (entry name Qtyocccmt), which resolves to Zxpus.dll. By loading the DLL reflectively, so that it executes only in memory and never touches disk, the malware sidesteps file-based scanning and can carry out its activities with less chance of detection.\r\nFigure 5. 
The loader dynamically retrieves, loads, and executes Zxpus.dll\r\nFile name: Zxpus.dll\r\nSHA256: 0bf87b0e65713bf35c8cf54c9fa0015fa629624fd590cb4ba941cd7cdeda8050\r\nSize: 2.7 MB (2859008 bytes)\r\nType: DLL\r\nTable 2. Second-stage loader details\r\nThe DLL is another trojan loader. It retrieves a resource named Vewijfiv, decrypts it with AES using a hard-coded key and IV, and decompresses the result with GZip. The decompressed data is then deserialized with protobuf-net, yielding the loader's configuration, which includes the name of the process to create and the next-stage payload in encrypted form.\r\nAES key: 5D8D6871C3D59D855616603F686713AC48BF2351F6182EA282E1D84CBB15B94F\r\nAES IV: CAAD009AC0881FE2A89F80CEEA6D1B6\r\nTable 3. The AES key and IV used by Zxpus.dll. The key is 64 hex digits, i.e. a 256-bit AES key; the IV is printed with 31 hex digits, which is not a whole number of bytes (a 16-byte AES IV needs 32), so the published IV should be treated as incomplete.\r\nFigure 6. Zxpus.dll main function\r\nFigure 7. Zxpus.dll decrypts the configuration resource named “Vewijfiv” using AES\r\nFigure 8. Zxpus.dll decompresses the configuration using GZip\r\nThe loader then creates a new process from C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\cvtres.exe, a legitimate Microsoft .NET Framework binary, so that the next stage runs under a trusted name. It uses process injection to write the next-stage payload into that process's memory and then starts the process.\r\nFigure 9. Zxpus.dll creating the cvtres.exe process\r\nNext, the loader passes execution to the cvtres.exe process, which is used to load the PureCrypter loader.\r\nFile name: cvtres.exe (the third-stage image executed inside the cvtres.exe process)\r\nSHA256: b380b771c7f5c2c26750e281101873772e10c8c1a0d2a2ff0aff1912b569ab93\r\nSize: 700.5 KB (717312 bytes)\r\nType: EXE\r\nTable 4. Third-stage loader details\r\nAt this stage, the malware GZip-decompresses another DLL, loads it, and invokes its main function. This final DLL is the PureCrypter loader, version V6.0.7D, which registers the victim with the command-and-control (C\u0026C) server and downloads the final payload, which includes the XMRig cryptocurrency miner.\r\nFigure 10. Loading and executing the PureCrypter loader (Tixrgtluffu.dll) from cvtres.exe\r\nFile name: Tixrgtluffu.dll\r\nSHA256: 2e32c5cea00f8e4c808eae806b14585e8672385df7449d2f6575927537ce8884\r\nSize: 1018.0 KB (1042432 bytes)\r\nType: DLL\r\nTable 5. Details of the PureCrypter loader\r\nUpon execution, the malware decodes its configuration, which contains the mutex value, C\u0026C server information, and more. The malware creates a mutex named 6cbe41284f6a992cc0534b to ensure that only one instance runs at a time.\r\nThe following is a sample of the malware configuration (network indicators are defanged here):\r\nConfiguration value: description\r\n89.185.85[.]102: C\u0026C IP address\r\ngod.sck-dns[.]cc: C\u0026C domain name\r\namad: unknown\r\n6cbe41284f6a992cc0534b2: mutex value (printed with a trailing 2 in the original table; the prose gives 6cbe41284f6a992cc0534b)\r\nIsSynchronized: task name and file name used for persistence\r\nName: persistence directory and registry key name\r\nTable 6. Malware configuration\r\nFigure 11. The PureCrypter loader main function\r\nFor persistence, the malware can create a scheduled task with the highest privilege that first runs 15 seconds after creation and then repeats at a random interval between 180 and 360 seconds (three to six minutes).\r\nThe malware copies itself as a hidden file named IsSynchronized.exe under the hidden path C:\\Users\\$USERNAME$\\AppData\\Roaming\\Name\\.
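As an added example (not code from the original article or from Trend Micro), the following PowerShell audits a host for the scheduled-task persistence described above: it flags tasks whose action runs from a user profile directory, decodes any -EncodedCommand argument (Base64 over UTF-16LE) so that a command hidden inside a task becomes readable, notes when that command adds a Windows Defender exclusion, and lists Defender exclusions pointing at user profile paths or at the .NET Framework host binaries this chain abuses. Function names are the example's own; the paths and binary names are the ones given in the article.

```powershell
# Added example, not part of the original article. Requires Windows PowerShell 5.1
# or PowerShell 7 on Windows; Get-MpPreference needs the Defender module and an
# elevated session. Function names are the example's own.

# A -EncodedCommand / -enc argument is Base64 over UTF-16LE, which is why the
# prefix QQBkAGQALQBNAHAAUAByAGU decodes to 'Add-MpPre' and not to readable UTF-8.
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    return [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

# Extract the Base64 value following -encodedcommand/-enc/-ec/-e, or $null.
function Get-EncodedArgument {
    param([string]$CommandLine)
    $m = [regex]::Match($CommandLine, '(?i)-(?:encodedcommand|enc|ec|e)\\s+([A-Za-z0-9+/=]{16,})')
    if ($m.Success) { return $m.Groups[1].Value }
    return $null
}

# Inspect one task (output of Get-ScheduledTask). Returns an object describing
# why it was flagged, or $null when nothing looks off.
function Test-SuspiciousTask {
    param($Task)
    $reasons = @()
    foreach ($a in $Task.Actions) {
        $cmd = ('{0} {1}' -f $a.Execute, $a.Arguments).Trim()
        if ($cmd -like '*\\AppData\\Roaming\\*' -or $cmd -like '*\\AppData\\Local\\*') {
            $reasons += 'action runs from a user profile directory'
        }
        $enc = Get-EncodedArgument $cmd
        if ($enc) {
            $decoded = ConvertFrom-EncodedCommand $enc
            $reasons += 'encoded PowerShell: ' + $decoded.Substring(0, [Math]::Min(120, $decoded.Length))
            if ($decoded -match '(?i)Add-MpPreference\\s+-Exclusion') {
                $reasons += 'encoded command adds a Windows Defender exclusion'
            }
        }
    }
    # Weaker signals matching the shape described in the article: a hidden task
    # and a task that runs with the highest privileges.
    if ($Task.Settings.Hidden) { $reasons += 'task is hidden' }
    if ($Task.Principal.RunLevel -eq 'Highest') { $reasons += 'runs with highest privileges' }
    if ($reasons.Count -eq 0) { return $null }
    return [PSCustomObject]@{
        TaskPath = $Task.TaskPath
        TaskName = $Task.TaskName
        Reasons  = $reasons -join '; '
    }
}

# Sweep every registered task, including those under \\Microsoft\\Windows\\Name,
# where a task folder literally named 'Name' is itself an oddity worth noticing.
$findings = foreach ($t in Get-ScheduledTask) { Test-SuspiciousTask $t }
$findings | Format-List

# Exclusions added by the task outlive the task, so check them separately. Match
# user profile paths and the two .NET Framework hosts this chain injects into.
$pref = Get-MpPreference
@($pref.ExclusionPath) + @($pref.ExclusionProcess) |
    Where-Object { $_ -like '*\\AppData\\*' -or $_ -like '*\\Framework64\\v4.0.30319\\AddInProcess.exe' -or $_ -like '*\\Framework64\\v4.0.30319\\cvtres.exe' } |
    ForEach-Object { 'Suspicious Defender exclusion: ' + $_ }
```

Run it in an elevated session on the suspect host or against a mounted image with the ScheduledTasks and Defender modules available; the encoded-command decoder is the part to keep handy, since the same UTF-16LE trick hides any PowerShell one-liner, not only the exclusion command this loader uses.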
The task is registered under the Microsoft\\Windows\\Name folder and is configured to run at system startup or user logon.\r\nFigure 12. PureCrypter creates a scheduled task for persistence\r\nFigure 13. Scheduled task properties\r\nIn addition, the malware can create a hidden scheduled task with a random name that executes a PowerShell command. This command adds the malware's files and processes to the Windows Defender exclusion list.\r\nFigure 14. PureCrypter creating a scheduled task for Windows Defender exclusion\r\nThe Base64-encoded PowerShell command is as follows (the -enc argument is Base64 over the UTF-16LE encoding of the script, which is why the visible prefix QQBkAGQALQBNAHAAUAByAGU decodes to Add-MpPre and the suffix aQB6AGUAZAAuAGUAeABlAA== to ized.exe):\r\nPowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGU[... base64 encoded characters ...] aQB6AGUAZAAuAGUAeABlAA==\r\nIts decoded value is:\r\nAdd-MpPreference -ExclusionPath C:\\Users\\$USERNAME$\\AppData\\Roaming\\Name\\IsSynchronized.exe,C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\AddInProcess.exe -Force;\r\nAdd-MpPreference -ExclusionProcess C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\AddInProcess.exe,C:\\Users\\$USERNAME$\\AppData\\Roaming\\Name\\IsSynchroni\r\nNext, the malware attempts to connect to its C\u0026C server at 89.185.85[.]102:9091. For each victim, the malware builds a unique identifier from collected hardware information, concatenates it in a fixed format, and hashes the result with MD5; the digest is the victim ID.\r\nThe format of the collected data is:\r\n[Processor ID]-[Disk Drive Signature]-[Disk Drive Serial Number]- [Baseboard Serial Number]-[Model or Name of GPU]-[Username]\r\nThe following code snippet shows the collection of this information:\r\nFigure 15. PureCrypter generates a victim ID from system information\r\nAdditionally, the malware collects system information, including the username, installed antivirus software, and CPU details, through Windows Management Instrumentation (WMI) queries. This information is stored in an object, serialized into a byte sequence, and encrypted with the TripleDES symmetric-key algorithm. The encryption key is derived from the MD5 hash of the mutex value (6cbe41284f6a992cc0534b); an MD5 digest is 16 bytes, the size of a two-key TripleDES key. The encrypted data is then sent to the C\u0026C server.\r\nFigure 16. PureCrypter initializes the connection with the C\u0026C server and collects system information\r\nFigure 17. PureCrypter retrieves the installed AV using a WMI query\r\nFigure 18. PureCrypter sends the encrypted collected data to the C\u0026C server\r\nThe following code snippet illustrates the initial encrypted request containing system information:\r\nFigure 19. Initial encrypted request\r\nMeanwhile, the following code snippet illustrates the initial decrypted request:\r\nFigure 20. Initial decrypted request\r\nUpon successful registration, the C\u0026C server responds with an encrypted message containing the XMRig configuration details, such as the process parameters, the mining pool server, and the process name, among others. This response is then stored in a registry key.\r\nThe code snippet in Figure 21 illustrates the encrypted response, while Figure 22 shows the decrypted content of the response.\r\nFigure 21. Encrypted response\r\nFigure 22. Decrypted response\r\nThe malware stores the decrypted response in a registry key under the subkey path HKEY_CURRENT_USER\\SOFTWARE\\\u003cVictim ID\u003e.
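The registry storage and the C\u0026C encryption just described can be checked and decoded from a live host with the following PowerShell, which is an added example and not code from the original article. It assumes the scheme the article states (TripleDES keyed with the MD5 of the mutex, then GZip) and fills in what the article does not say: ECB mode with PKCS7 padding is an assumption (pass -Mode CBC and an -IV if a sample disagrees), the victim-ID string is assembled in the printed field order with plain hyphens and no trimming, and the sample blob is constructed inline so that the round trip can be verified offline. All function names are the example's own.

```powershell
# Added example, not from the original article. Function names, the cipher mode
# and padding, the victim-ID separator, and the sample data are assumptions.

# MD5 of a UTF-8 string as raw bytes. 16 bytes is exactly a two-key TripleDES key.
function Get-Md5Bytes {
    param([Parameter(Mandatory)][string]$Text)
    return [System.Security.Cryptography.MD5]::Create().ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
}

# Rebuild the victim ID the article describes,
# [Processor ID]-[Disk Signature]-[Disk Serial]-[Baseboard Serial]-[GPU]-[Username],
# hashed with MD5, which is the name of the HKCU\\SOFTWARE subkey to look for.
# Field order follows the article; separator and whitespace handling are guesses,
# so treat the result as a candidate and confirm it against the registry.
function Get-ExpectedVictimKeyName {
    $cpu  = (Get-CimInstance Win32_Processor | Select-Object -First 1).ProcessorId
    $disk = Get-CimInstance Win32_DiskDrive | Select-Object -First 1
    $bb   = (Get-CimInstance Win32_BaseBoard).SerialNumber
    $gpu  = (Get-CimInstance Win32_VideoController | Select-Object -First 1).Name
    $id   = '{0}-{1}-{2}-{3}-{4}-{5}' -f $cpu, $disk.Signature, $disk.SerialNumber, $bb, $gpu, $env:USERNAME
    return (-join ((Get-Md5Bytes $id) | ForEach-Object { $_.ToString('x2') }))
}

# Any HKCU\\SOFTWARE subkey named as a bare 32-hex-digit string is anomalous on
# its own; legitimate software keys its settings under a vendor or product name.
function Find-Md5NamedKeys {
    Get-ChildItem 'HKCU:\\SOFTWARE' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9a-fA-F]{32}$' }
}

# TripleDES-decrypt with Key = MD5(mutex), then GZip-inflate. ECB/PKCS7 assumed.
function Unprotect-PureCrypterBlob {
    param(
        [Parameter(Mandatory)][byte[]]$Data,
        [Parameter(Mandatory)][string]$Mutex,
        [System.Security.Cryptography.CipherMode]$Mode = 'ECB',
        [byte[]]$IV = (New-Object byte[] 8)
    )
    $tdes = [System.Security.Cryptography.TripleDES]::Create()
    $tdes.Key = Get-Md5Bytes $Mutex
    $tdes.Mode = $Mode
    $tdes.Padding = 'PKCS7'
    $tdes.IV = $IV          # ignored in ECB; a CBC variant needs the real IV
    $plain = $tdes.CreateDecryptor().TransformFinalBlock($Data, 0, $Data.Length)
    $gz  = [System.IO.Compression.GZipStream]::new([System.IO.MemoryStream]::new($plain), [System.IO.Compression.CompressionMode]::Decompress)
    $out = [System.IO.MemoryStream]::new()
    $gz.CopyTo($out); $gz.Dispose()
    return $out.ToArray()
}

# Forward direction, used only to build a self-checking sample here. An analyst
# would instead pass a captured C2 body or a registry value to the function above.
function Protect-PureCrypterBlob {
    param([byte[]]$Data, [string]$Mutex)
    $ms = [System.IO.MemoryStream]::new()
    $gz = [System.IO.Compression.GZipStream]::new($ms, [System.IO.Compression.CompressionMode]::Compress)
    $gz.Write($Data, 0, $Data.Length); $gz.Dispose()
    $tdes = [System.Security.Cryptography.TripleDES]::Create()
    $tdes.Key = Get-Md5Bytes $Mutex; $tdes.Mode = 'ECB'; $tdes.Padding = 'PKCS7'
    $z = $ms.ToArray()
    return $tdes.CreateEncryptor().TransformFinalBlock($z, 0, $z.Length)
}

# Round trip on constructed data using the mutex printed in the article.
$mutex  = '6cbe41284f6a992cc0534b'
$sample = [System.Text.Encoding]::UTF8.GetBytes('constructed sample: pool=217.182.205[.]238:8080 threads=2')
$blob   = Protect-PureCrypterBlob -Data $sample -Mutex $mutex
[System.Text.Encoding]::UTF8.GetString((Unprotect-PureCrypterBlob -Data $blob -Mutex $mutex))

# Live host: report MD5-named keys, say whether one matches this host's candidate
# ID, and try to decode each binary value as an encrypted blob. plugin3.dll is
# stored encrypted; the XMRig configuration is stored in the clear, so decoding
# that value is expected to fail and its raw size is reported instead.
$expected = Get-ExpectedVictimKeyName
foreach ($k in Find-Md5NamedKeys) {
    $match = if ($k.PSChildName -ieq $expected) { ' (matches this host)' } else { '' }
    'Suspicious key: ' + $k.Name + $match
    foreach ($vn in $k.GetValueNames()) {
        $v = $k.GetValue($vn)
        if ($v -is [byte[]]) {
            try { $dec = Unprotect-PureCrypterBlob -Data $v -Mutex $mutex; '  value ' + $vn + ': decoded ' + $dec.Length + ' bytes' }
            catch { '  value ' + $vn + ': ' + $v.Length + ' bytes, not an encrypted blob' }
        } else { '  value ' + $vn + ': ' + [string]$v }
    }
}
```

The round trip prints the constructed sample back unchanged, which confirms the key derivation and GZip framing are wired correctly before the decoder is pointed at real data; if a captured response fails to inflate after decryption, the mode or padding assumption is the first thing to revisit.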
The name of the key is the MD5 hash of the victim ID.\r\nFigure 23. The XMRig configuration stored in the registry key\r\nAfter receiving the initial response from the C\u0026C server, the malware downloads an encrypted file named plugin3.dll and saves it in a registry key named after the MD5 hash of the retrieved file.\r\nFigure 24. PureCrypter downloads plugin3.dll, which is the final XMRig payload\r\nFigure 25. Downloading plugin3.dll (XMRig payload)\r\nFigure 26. Content of plugin3.dll in the registry key\r\nThe malware decrypts the downloaded file with TripleDES and decompresses it with GZip.\r\nNext, the loader creates a new process from C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\AddInProcess.exe, again borrowing the name of a legitimate .NET Framework binary, injects the XMRig payload into that process's memory, and starts the process.\r\nFigure 27. Creating the AddInProcess.exe process that hosts the XMRig miner\r\nFigure 28. Writing the XMRig payload into the AddInProcess.exe process and running it\r\nThe final payload is XMRig, a popular open-source mining program that supports multiple operating systems; here it is delivered by the PureCrypter loader after the exploitation of Oracle WebLogic vulnerabilities. XMRig sends a mining login request to the pool at 217.182.205[.]238:8080 with the wallet address ZEPHYR2xf9vMHptpxP6VY4hHwTe94b2L5SGyp9Czg57U8DwRT3RQvDd37eyKxoFJUYJvP5ivBbiFCAMyaKWUe9aPZzuNoDXYT.\r\nThe following image shows a login request sent by XMRig:\r\nFigure 29. XMRig login request\r\nRecommendations\r\nOrganizations can protect systems and networks against the exploitation of vulnerabilities by implementing the following cybersecurity best practices and proactive defense measures:\r\nRegularly update and patch systems and software\r\n    Keep operating systems, applications, and system firmware up to date with the latest security patches.\r\nImplement robust access controls\r\n    Ensure that users and applications have only the minimum level of access necessary to perform their tasks.\r\n    Use strong authentication methods such as multi-factor authentication (MFA).\r\nConduct regular security assessments\r\n    Regularly scan networks and systems for vulnerabilities.\r\nConduct security awareness training\r\n    Continuously educate employees on relevant security best practices.\r\nTrend solutions\r\nThe following Vision One execution profile shows the major activities performed via the wireguard2-3.exe binary.\r\nFigure 30. Vision One RCA graph\r\nFigure 31. 
Workbench detection\r\nThe following are potentially useful queries for threat hunting within Vision One:\r\nprocessName:\"*Microsoft.NET\\Framework64*\" AND objectCmd:\"*--cpu-max-threads-hint*\"\r\nF8044 - Temporary Binary File Execution via PowerShell\r\nF2269 - File Delivery via PowerShell\r\nF4193 - Executable Binary in PowerShell Memory\r\nF8404 - Cross-Process Injection via CreateRemoteThread\r\n[Heuristic Attribute] Potential Information Gathering Behavior\r\nCryptocurrency Mining Command Execution\r\nPotential Malicious PowerShell Activity Detected\r\nMeanwhile, the following protections exist to detect malicious activity and shield Trend customers from the attack discussed in this blog entry:\r\n1010550 - Oracle WebLogic WLS Security Component Remote Code Execution Vulnerability (CVE-2017-3506)\r\n1011716 - Oracle Weblogic Server Insecure Deserialization Vulnerability (CVE-2023-21839)\r\nConclusion\r\nThe Water Sigbin (aka 8220 Gang) threat actor has demonstrated a sophisticated multi-stage loading technique for delivering the XMRig cryptocurrency miner, showing its use of advanced tactics and techniques. By exploiting Oracle WebLogic Server vulnerabilities, deploying cryptocurrency miners, and employing anti-analysis measures such as code obfuscation and .NET Reactor protection, this threat actor has shown its ability to evade detection and compromise systems. This campaign emphasizes the importance of robust security measures and vigilance in monitoring new threats.\r\nIndicators of Compromise\r\nThe indicators of compromise can be found here.\r\nMITRE ATT\u0026CK Techniques\r\nInitial Access: Exploit Public-Facing Application (T1190)\r\nExecution: Command and Scripting Interpreter: PowerShell (T1059.001); Windows Management Instrumentation (T1047)\r\nDefense Evasion: Masquerading: Match Legitimate Name or Location (T1036.005); Deobfuscate/Decode Files or Information (T1140); Modify Registry (T1112); Impair Defenses: Disable or Modify Tools (T1562.001); Reflective Code Loading (T1620); Process Injection: Process Hollowing (T1055.012)\r\nPersistence: Scheduled Task/Job: Scheduled Task (T1053.005)\r\nDiscovery: Process Discovery (T1057); Query Registry (T1012); Software Discovery: Security Software Discovery (T1518.001); System Information Discovery (T1082)\r\nCommand and Control: Application Layer Protocol (T1071); Data Obfuscation (T1001); Non-Standard Port (T1571); Non-Application Layer Protocol (T1095)\r\nSource: https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html"
	],
	"report_names": [
		"water-sigbin-xmrig.html"
	],
	"threat_actors": [
		{
			"id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7",
			"created_at": "2023-06-23T02:04:34.839947Z",
			"updated_at": "2026-04-10T02:00:04.99239Z",
			"deleted_at": null,
			"main_name": "8220 Gang",
			"aliases": [
				"8220 Mining Group",
				"Returned Libra",
				"Water Sigbin"
			],
			"source_name": "ETDA:8220 Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "942c5fbc-31df-4aef-8268-e3ccf6692ec8",
			"created_at": "2024-07-09T02:00:04.434476Z",
			"updated_at": "2026-04-10T02:00:03.671196Z",
			"deleted_at": null,
			"main_name": "Water Sigbin",
			"aliases": [
				"8220 Gang"
			],
			"source_name": "MISPGALAXY:Water Sigbin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434953,
	"ts_updated_at": 1775826758,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c1011cc5db707b1f6ee92ed2b00c67d761ac60c.pdf",
		"text": "https://archive.orkl.eu/2c1011cc5db707b1f6ee92ed2b00c67d761ac60c.txt",
		"img": "https://archive.orkl.eu/2c1011cc5db707b1f6ee92ed2b00c67d761ac60c.jpg"
	}
}