{
	"id": "de49244c-65a1-43ca-b63f-45d65ba76045",
	"created_at": "2026-04-06T00:14:39.977139Z",
	"updated_at": "2026-04-10T03:24:29.368194Z",
	"deleted_at": null,
	"sha1_hash": "4457f7bc87588940be72a97ed3b4d501347648cc",
	"title": "ESET researchers disrupt cryptomining botnet VictoryGate",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38944,
	"plain_text": "ESET researchers disrupt cryptomining botnet VictoryGate\r\nArchived: 2026-04-05 17:57:46 UTC\r\nBRATISLAVA, BUENOS AIRES – ESET researchers have recently discovered a previously undocumented\r\nbotnet named VictoryGate. It has been active since at least May 2019, and is composed mainly of devices in Peru,\r\nwhere over 90% of the infected devices are located. The main activity of the botnet is mining Monero\r\ncryptocurrency. The victims include organizations in both public and private sectors, including financial\r\ninstitutions. Thanks to data obtained during this research and shared with the nonprofit Shadowserver Foundation,\r\nat least a portion of the botnet operation has been disrupted.\r\nESET researchers have been “sinkholing” several domain names that control the botnet’s actions, replacing them\r\nwith machines that do not send the botnet’s slave computers the commands they expect, but simply monitor botnet\r\nactivity. Based on this data and ESET telemetry, ESET estimates that at least 35,000 devices became infected with\r\nVictoryGate at one point or another during this campaign.\r\nThe only infection vector used for spreading VictoryGate is via removable devices. “The victim receives a USB\r\ndrive that at some point was connected to an infected machine. It seemingly has all the files with the same names\r\nand icons that it contained before being infected. Because of this, the content will look almost identical at first\r\nglance. However, all the original files were replaced by a copy of the malware,” says ESET researcher Alan\r\nWarburton, who investigated the botnet. “When an unsuspecting user attempts to open one of these files, the script\r\nwill open both the file that was intended and the malicious payload.”\r\nWarburton also warns about the impact on victims’ machines: “There is very high resource usage by the botnet,\r\nresulting in a constant 90% to 99% CPU load. This slows down the device and can cause overheating and possible\r\ndamage.”\r\nAccording to ESET research, VictoryGate has made a much greater effort to avoid detection than in previous,\r\nsimilar campaigns observed in the Latam region. And, given the fact that the botmaster can update functionality of\r\nthe payloads that are downloaded and executed on the infected devices from cryptomining to any other malicious\r\nactivities at any given time, this poses a considerable risk. This is particularly true since many of the victims\r\nidentified were in either the public sector or in financial institutions.\r\nIf you suspect your device may have been infected with this malware, you can use our free ESET Online Scanner\r\nto clean your machine. The first-stage module is detected by ESET security products as MSIL/VictoryGate.\r\nFor more technical details about the VictoryGate botnet, read the blogpost Following ESET’s discovery, a Monero\r\nmining botnet is disrupted on WeLiveSecurity. Make sure to follow ESET research on Twitter for the latest news\r\nfrom ESET Research.\r\nAbout ESET\r\nFor more than 30 years, ESET® has been developing industry-leading IT security software and services for\r\nbusinesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and\r\ntwo-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace\r\nof mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating\r\ndefenses in real time to keep users safe and businesses running without interruption. Evolving threats require an\r\nevolving IT security company. Backed by R\u0026D centers worldwide, ESET is the first IT security company to\r\nearn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since\r\n2003. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter.\r\nSource: https://www.eset.com/int/about/newsroom/press-releases/research/eset-researchers-disrupt-cryptomining-botnet-victorygate/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.eset.com/int/about/newsroom/press-releases/research/eset-researchers-disrupt-cryptomining-botnet-victorygate/"
	],
	"report_names": [
		"eset-researchers-disrupt-cryptomining-botnet-victorygate"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434479,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4457f7bc87588940be72a97ed3b4d501347648cc.pdf",
		"text": "https://archive.orkl.eu/4457f7bc87588940be72a97ed3b4d501347648cc.txt",
		"img": "https://archive.orkl.eu/4457f7bc87588940be72a97ed3b4d501347648cc.jpg"
	}
}