{
	"id": "d21345f4-fa4a-4f95-be00-a4955b828935",
	"created_at": "2026-04-06T00:09:42.277636Z",
	"updated_at": "2026-04-10T03:28:21.015143Z",
	"deleted_at": null,
	"sha1_hash": "41e48ccda38dd3bcddbe5292581112d8222db9e5",
	"title": "Mimo CoinMiner and Mimus Ransomware Installed via Vulnerability Attacks - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1173229,
	"plain_text": "Mimo CoinMiner and Mimus Ransomware Installed via Vulnerability\r\nAttacks - ASEC\r\nBy ATCP\r\nPublished: 2024-01-11 · Archived: 2026-04-05 14:24:55 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) recently observed a CoinMiner threat actor called Mimo exploiting various vulnerabilities to install malware. Mimo, also dubbed Hezb, was first found in March 2022, when it installed CoinMiners by exploiting the Log4Shell vulnerability.\r\nUp until now, all of the attack cases involved the installation of the XMRig CoinMiner called Mimo Miner Bot in the final stage. However, there were other cases where the same threat actor installed Mimus ransomware, proxyware, and reverse shell malware besides the Mimo miner. This article covers the various malware the Mimo threat actor used in these attacks.\r\n1. Vulnerability Exploitation\r\nThe first known activity of the Mimo threat actor was in March 2022, when a CoinMiner was installed through the exploitation of the Log4Shell vulnerability (CVE-2021-44228) [1]. The threat actor exploited WSO2’s remote code execution vulnerability (CVE-2022-29464) in May 2022 [2] and the Atlassian Confluence server vulnerability (CVE-2022-26134) in June 2022 [3]. In May 2023, an attack case exploiting the remote code execution vulnerability (CVE-2023-27350) in the printer management program PaperCut was observed [4], and exploitation of the Apache ActiveMQ vulnerability (CVE-2023-46604) was observed recently.\r\nIn 2022, ASEC analyzed and revealed cases of 8220 Gang, z0Miner, and also the Mimo (Hezb) threat actor exploiting vulnerable Atlassian Confluence servers to install the XMRig CoinMiner [5]. The vulnerability used in that attack (CVE-2022-26134) is a remote code execution vulnerability in unpatched Atlassian Confluence servers.\r\nFigure 1. 
Mimo CoinMiner installed through the CVE-2022-26134 vulnerability\r\nAtlassian’s Confluence is a major collaboration platform used by many companies across the globe. Being a web-based platform, services such as project management and collaboration are mainly provided by Confluence Servers (or Confluence Data Centers). As it is a solution used by many companies, many vulnerabilities targeting vulnerable Confluence Servers and Data Centers have been continuously discovered, with attackers targeting systems that have not been patched.\r\nCases of the Mimo threat actor exploiting the Log4Shell (CVE-2021-44228) vulnerability to install CoinMiners are still being found. Log4Shell (CVE-2021-44228) is a remote code execution vulnerability in the Java-based logging utility Log4j. It allows remote Java objects to be loaded and executed on servers that use Log4j by including the address of the remote Java object in a log message and sending it.\r\nhttps://asec.ahnlab.com/en/60440/\r\nPage 1 of 9\n\nSystems with VMware Horizon installed were the targets. VMware Horizon is a virtual desktop solution for remote working and operating cloud infrastructure. It seems that such systems and the Log4j they use are being attacked because VMware Horizon has not been patched.\r\nFigure 2. Mimo CoinMiner installed through the Log4Shell vulnerability\r\nRecently, there was evidence of the exploitation of the Apache ActiveMQ vulnerability (CVE-2023-46604) that was disclosed in November 2023. CVE-2023-46604 is a remote code execution vulnerability in the Apache ActiveMQ server, an open-source messaging and integration pattern server. If an unpatched Apache ActiveMQ server is exposed externally, the threat actor can execute malicious commands remotely and take control of the target system.\r\nThe vulnerability is exploited by manipulating the serialized class type in the OpenWire protocol so that an arbitrary class on the classpath is instantiated. 
When the threat actor sends the modified packet, the vulnerable server references the path (URL) in the packet to load the class XML configuration file.\r\nFor example, a vulnerable Apache ActiveMQ Java process references the modified packet it received and loads the XML configuration located at the “hxxp://102.130.112[.]157/poc-win.xml” path. Afterward, it references the loaded XML configuration file to run the specified command. The configuration file contains a PowerShell command that downloads the Mimo miner.\r\nFigure 3. Apache ActiveMQ vulnerability configuration file used for the Mimo miner attack\r\n2. XMRig CoinMiner Attack Cases\r\nThe PowerShell command executed through the vulnerability attacks downloads and runs the Batch malware. Recently, the names “lnl.bat” or “kill.bat” have been used. The Batch malware disables Windows Defender and removes other CoinMiners before ultimately downloading and running the Batch malware called “ln.bat” or “mad.bat” in the %TEMP% path.\r\nFigure 4. Batch malware installed through vulnerability attacks\r\nThe “ln.bat” or “mad.bat” Batch malware also downloads the “dom.zip” or “dom-6.zip” compressed file and decompresses it using the 7z tool. The decompressed archive contains the XMRig CoinMiner “dom.exe”, which mines Monero, the NSSM tool “dsm.exe”, and the configuration file. The Batch script then uses NSSM to register XMRig as a service. Although various vulnerability attacks are being used, the routine used to install the CoinMiner is fairly simple, and the XMRig and NSSM tools are used without any particular changes.\r\nFigure 5. Batch malware installing the XMRig CoinMiner\r\nFigure 6. 
Configuration file used by the Mimo threat actor\r\nWallet Address 1:\r\n43DTEF92be6XcPj5Z7U96g4oGeebUxkFq9wyHcNTe1otM2hUrfvdswGdLHxabCSTio7apowzJJVwBZw6vVTu7NoNCNAMo\r\nWallet Address 2:\r\n46HmQz11t8uN84P8xgThrQXSYm434VC7hhNR8be4QrGtM1Wa4cDH2GkJ2NNXZ6Dr4bYg6phNjHKYJ1QfpZRBFYW5V6\r\n3. Mimus Ransomware\r\nThe majority of the Mimo threat actor’s attacks have been cases that use the XMRig CoinMiner, in other words, the Mimo miner. However, ransomware attack cases were also observed in 2023. The ransomware was found at the same time and at the same address from which the Mimo miner was distributed in 2023.\r\nFigure 7. The download address of Mimo miner and Mimus ransomware\r\nThe ransomware installed with this Batch malware was built from source code published on GitHub by the developer “mauri870”, who developed the code for research purposes [6]. The source code also includes a note that MauriCrypt is frequently being detected in use by threat actors. In this article, the open-source ransomware is called MauriCrypt.\r\nFigure 8. The ransomware source code revealed on GitHub\r\nMauriCrypt was developed in Go, and the threat actor used it to develop ransomware named Mimus ransomware. Mimus ransomware has no particular differences from MauriCrypt’s source code. 
Only the threat actor’s C\u0026C address, wallet address, email address, and other configuration data were changed.\r\nEncryption algorithm: AES-256 CTR\r\nEncryption extension: .encrypted\r\nRansom note names: READ_TO_DECRYPT.html, FILES_ENCRYPTED.html\r\nPaths excluded from encryption: “ProgramData”, “Windows”, “bootmgr”, “$WINDOWS.~BT”, “Windows.old”, “Temp”, “tmp”, “Program Files”, “Program Files (x86)”, “AppData”, “$Recycle.Bin”\r\nEncrypted extensions: “doc”, “docx”, “msg”, “odt”, “wpd”, “wps”, “txt”, “csv”, “pps”, “ppt”, “pptx”, “aif”, “iif”, “m3u”, “m4a”, “mid”, “mp3”, “mpa”, “wav”, “wma”, “3gp”, “3g2”, “avi”, “flv”, “m4v”, “mov”, “mp4”, “mpg”, “vob”, “wmv”, “3dm”, “3ds”, “max”, “obj”, “blend”, “bmp”, “gif”, “png”, “jpeg”, “jpg”, “psd”, “tif”, “gif”, “ico”, “ai”, “eps”, “ps”, “svg”, “pdf”, “indd”, “pct”, “epub”, “xls”, “xlr”, “xlsx”, “accdb”, “sqlite”, “dbf”, “mdb”, “pdb”, “sql”, “db”, “dem”, “gam”, “nes”, “rom”, “sav”, “bkp”, “bak”, “tmp”, “cfg”, “conf”, “ini”, “prf”, “html”, “php”, “js”, “c”, “cc”, “py”, “lua”, “go”, “java”\r\nC\u0026C URL: hxxp://windows.n1tro[.]cyou:4544\r\nTable 1. Overview of the Mimus ransomware\r\nMauriCrypt randomly generates the infected system’s “id” and the Advanced Encryption Standard (AES) key value “enckey”, then connects to the C\u0026C server to send them. The feature may be disabled in Mimus ransomware, but MauriCrypt supports Tor for its communications with the C\u0026C server. This works by downloading and installing the Tor Browser to the %TEMP% path and then running it to connect to the C\u0026C server through the browser.\r\nFigure 9. Download URL for Tor\r\nAfterward, files with the specified extensions in all paths other than the exclusions are encrypted. Encrypted files have their names encoded in Base64 and their extensions changed to “.encrypted”. 
When the file encryption is complete, two ransom notes are created on the desktop. The ransom note “FILES_ENCRYPTED.html” holds the list of encrypted files, and the ransom note “READ_TO_DECRYPT.html” includes the contact address along with a Bitcoin wallet address.\r\nFigure 10. Ransom notes generated on the desktop\r\nThreat actor’s email address: arbeyceo@proton[.]me\r\nThreat actor’s Bitcoin wallet address: 15Jz1fmreZx9wG93DKjTXMhuLpPpCgvEQk\r\nWebsite to purchase decryption tool: hxxps://satoshidisk[.]com/pay/CIIRg6\r\nUpon visiting the website that sells the decryption tool, a post can be found where the decryption tool is sold for 0.01050000 BTC. Although it cannot be confirmed that they are directly connected to the Mimus ransomware attack, the Bitcoin wallet’s URL shows a record of multiple transactions.\r\nFigure 11. Website that sells the decryption tool\r\n4. Proxyware\r\nAlthough the distribution method and the installing script have not been confirmed, there are records showing proxyware and reverse shell malware being downloaded from the same address around the time the Mimo miner was distributed. In other words, it is speculated that the threat actor carried out proxyjacking attacks by installing proxyware, in addition to ransomware attacks and coin mining, to generate profits.\r\nProxyware is a program that shares part of a system’s currently available Internet bandwidth with others. Users who install the program are usually paid a certain amount of cash in exchange for providing the bandwidth. If the threat actor secretly installs proxyware on the infected system without the user’s consent, the infected system involuntarily has its bandwidth stolen and the profit is redirected to the threat actor. 
This is similar to cryptojacking attacks, in which CoinMiners are installed instead of proxyware to mine cryptocurrencies with the infected system’s resources.\r\nFigure 13. Proxyware downloaded from an address related to the Mimo miner\r\n5. NHAS Reverse Shell\r\nIn addition, reverse shell malware that uses the same address as the Mimo miner’s download address as its C\u0026C server was found. The reverse shell used in the attack is a tool named reverse_ssh developed by “NHAS” in Go. It is available on GitHub and uses the SSH protocol to communicate with the C\u0026C server [7].\r\nFigure 14. The reverse shell’s GitHub page\r\nThe NHAS reverse shell is, as its name states, a reverse shell. Compared to other backdoor and RAT types, it only provides basic features such as executing commands, file handling, and port forwarding. However, having it installed means the threat actor can generate profit simply by installing CoinMiners, proxyware, or ransomware on the infected system, and control over the infected system can be taken for additional tasks.\r\n6. Conclusion\r\nThe Mimo miner threat actor, first discovered in early 2022, is still installing malware by exploiting vulnerabilities such as Log4Shell (CVE-2021-44228), WSO2’s remote code execution vulnerability (CVE-2022-29464), the Atlassian Confluence server vulnerability (CVE-2022-26134), the printer management program PaperCut’s remote code execution vulnerability (CVE-2023-27350), and Apache ActiveMQ’s vulnerability (CVE-2023-46604).\r\nPatches for all of these vulnerabilities have already been released, but because the threat actor targets poorly managed systems, attacks are still continuing. 
System administrators must check whether the services in use are vulnerable versions and apply the latest patches to prevent known vulnerabilities from being exploited. They should also use security products such as firewalls for servers accessible from outside to restrict access by attackers. Finally, V3 should be updated to the latest version to block malware infection in advance.\r\nFile Detection\r\n– Downloader/BAT.CoinMiner.SC195961 (2024.01.11.02)\r\n– Downloader/BAT.CoinMiner.SC195959 (2024.01.11.02)\r\n– CoinMiner/BAT.Xmrig.SC195960 (2024.01.11.02)\r\n– CoinMiner/BAT.Xmrig.SC195962 (2024.01.11.02)\r\n– Unwanted/Win32.NSSM.R353938 (2020.10.27.00)\r\n– Trojan/Win32.RL_Miner.R363967 (2021.01.23.01)\r\n– Win-Trojan/Miner3.Exp (2020.01.23.00)\r\n– Data/JSON.Miner (2022.05.11.03)\r\n– Data/JSON.Miner (2021.12.12.00)\r\n– Downloader/BAT.CoinMiner.SC195966 (2024.01.11.02)\r\n– Downloader/BAT.CoinMiner.SC195964 (2024.01.11.02)\r\n– CoinMiner/BAT.Xmrig.SC195965 (2024.01.11.02)\r\n– CoinMiner/BAT.Xmrig.SC195963 (2024.01.11.02)\r\n– Downloader/BAT.Agent (2024.01.11.02)\r\n– Malware/Win32.Generic.C4280792 (2020.12.28.01)\r\n– Unwanted/Win.Peer2Profit.C5572495 (2024.01.11.02)\r\n– Backdoor/Win.ReverseShell.C5572514 (2024.01.11.03)\r\n– Downloader/XML.Generic (2024.01.12.00)\r\nBehavior Detection\r\n– Execution/MDP.Powershell.M1185\r\n– Connection/MDP.Event.M2367\r\nMD5\r\n1136efb1a46d1f2d508162387f30dc4d\r\n3edcde37dcecb1b5a70b727ea36521de\r\n52cef8752f2c0f9a5383d2aecbdccc6f\r\n5d32f0eee7adf20e0766d5481a1953a5\r\n5e0f18dfe16f274d34716d011e0a3f39\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//102[.]130[.]112[.]157/7za[.]exe\r\nhttp[:]//102[.]130[.]112[.]157/dom-6[.]zip\r\nhttp[:]//102[.]130[.]112[.]157/dom[.]zip\r\nhttp[:]//102[.]130[.]112[.]157/kill[.]bat\r\nhttp[:]//102[.]130[.]112[.]157/ln[.]bat\r\nGain access to related IOCs 
and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/60440/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://asec.ahnlab.com/en/60440/"
	],
	"report_names": [
		"60440"
	],
	"threat_actors": [
		{
			"id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7",
			"created_at": "2023-06-23T02:04:34.839947Z",
			"updated_at": "2026-04-10T02:00:04.99239Z",
			"deleted_at": null,
			"main_name": "8220 Gang",
			"aliases": [
				"8220 Mining Group",
				"Returned Libra",
				"Water Sigbin"
			],
			"source_name": "ETDA:8220 Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0409120f-2b1f-4edd-a696-75d312eb2890",
			"created_at": "2023-01-06T13:46:39.463928Z",
			"updated_at": "2026-04-10T02:00:03.337809Z",
			"deleted_at": null,
			"main_name": "Hezb",
			"aliases": [
				"Mimo"
			],
			"source_name": "MISPGALAXY:Hezb",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "942c5fbc-31df-4aef-8268-e3ccf6692ec8",
			"created_at": "2024-07-09T02:00:04.434476Z",
			"updated_at": "2026-04-10T02:00:03.671196Z",
			"deleted_at": null,
			"main_name": "Water Sigbin",
			"aliases": [
				"8220 Gang"
			],
			"source_name": "MISPGALAXY:Water Sigbin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434182,
	"ts_updated_at": 1775791701,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41e48ccda38dd3bcddbe5292581112d8222db9e5.pdf",
		"text": "https://archive.orkl.eu/41e48ccda38dd3bcddbe5292581112d8222db9e5.txt",
		"img": "https://archive.orkl.eu/41e48ccda38dd3bcddbe5292581112d8222db9e5.jpg"
	}
}