{
	"id": "86a5819a-8dd6-4071-8a76-4ef4d9a70782",
	"created_at": "2026-04-06T00:09:49.376806Z",
	"updated_at": "2026-04-10T03:20:24.79068Z",
	"deleted_at": null,
	"sha1_hash": "4aae31ed38dff539d97413b0658f7183e512d38b",
	"title": "Invisible miners: unveiling GHOSTENGINE’s crypto mining operations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6988668,
	"plain_text": "Invisible miners: unveiling GHOSTENGINE’s crypto mining operations\r\nBy Salim Bitam, Samir Bousseaden, Terrance DeJesus, Andrew Pease\r\nPublished: 2024-05-22 · Archived: 2026-04-05 16:44:31 UTC\r\nPreamble\r\nElastic Security Labs has identified an intrusion set incorporating several malicious modules and leveraging vulnerable\r\ndrivers to disable known security solutions (EDRs) for crypto mining. Additionally, the team discovered capabilities to\r\nestablish persistence, install a previously undocumented backdoor, and execute a crypto-miner. We refer to this intrusion set\r\nas REF4578 and the primary payload as GHOSTENGINE (tangental research by the team at Antiy has named parts of this\r\nintrusion set HIDDENSHOVEL).\r\nKey takeaways\r\nMalware authors incorporated many contingency and duplication mechanisms\r\nGHOSTENGINE leverages vulnerable drivers to terminate and delete known EDR agents that would likely interfere\r\nwith the deployed and well-known coin miner\r\nThis campaign involved an uncommon amount of complexity to ensure both the installation and persistence of the\r\nXMRIG miner\r\nCode analysis\r\nREF4578 execution flow\r\nOn May 6, 2024, at 14:08:33 UTC, the execution of a PE file named Tiworker.exe (masquerading as the legitimate\r\nWindows TiWorker.exe file) signified the beginning of the REF4578 intrusion. The following alerts were captured in\r\ntelemetry, indicating a known vulnerable driver was deployed.\r\nREF4578 executes Tiworker to start the infection chain\r\nUpon execution, this file downloads and executes a PowerShell script that orchestrates the entire execution flow of the\r\nintrusion. 
Analysis revealed that this binary executes a hardcoded PowerShell command line to retrieve an obfuscated script,\r\nget.png, which is used to download further tools, modules, and configurations from the attacker C2, as depicted in the\r\nscreenshot below.\r\nDownloading get.png\r\nhttps://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine\r\nPage 1 of 11\n\nGHOSTENGINE\r\nGHOSTENGINE is responsible for retrieving and executing modules on the machine. It primarily uses HTTP to download\r\nfiles from a configured domain, with a backup IP in case domains are unavailable. Additionally, it employs FTP as a\r\nsecondary protocol with embedded credentials. The following is a summary of the execution flow:\r\nThe get.png PowerShell script\r\nThis script downloads and executes clearn.png, a component designed to purge the system of remnants from prior\r\ninfections belonging to the same family but a different campaign; it removes malicious files under C:\\Program Files\\Common Files\\System\\ado and C:\\PROGRA~1\\COMMON~1\\System\\ado\\ and removes the following scheduled tasks by name:\r\nMicrosoft Assist Job\r\nSystem Help Center Job\r\nSystemFlushDns\r\nSystemFlashDnsSrv\r\nEvidence of those scheduled task artifacts may be indicators of a prior infection.\r\nclearn.png removing any infections from previous campaigns\r\nDuring execution, it attempts to disable Windows Defender and clean the following Windows event log channels:\r\nApplication\r\nSecurity\r\nSetup\r\nSystem\r\nForwarded Events\r\nMicrosoft-Windows-Diagnostics-Performance\r\nMicrosoft-Windows-AppModel-Runtime/Operational\r\nMicrosoft-Windows-Winlogon/Operational\r\nget.png clearing Windows log channels\r\nget.png disables Windows Defender, enables remote services, and clears the contents 
of:\r\nC:\\Windows\\Temp\\\r\nC:\\Windows\\Logs\\\r\nC:\\$Recycle.Bin\\\r\nC:\\windows\\ZAM.krnl.trace\r\nget.png disabling Windows Defender and enabling remote services\r\nget.png also verifies that the C:\\ volume has at least 10 MB of free space to download files, storing them in\r\nC:\\Windows\\Fonts. If not, it will try to delete large files from the system before looking for another suitable volume with\r\nsufficient space and creating a folder under $RECYCLE.BIN\\Fonts.\r\nTo get the current DNS resolution for the C2 domain names, GHOSTENGINE uses a hardcoded list of DNS servers,\r\n1.1.1.1 and 8.8.8.8.\r\nNext, to establish persistence, get.png creates the following scheduled tasks as SYSTEM:\r\nOneDriveCloudSync using msdtc to run the malicious service DLL C:\\Windows\\System32\\oci.dll every 20\r\nminutes (described later)\r\nDefaultBrowserUpdate to run C:\\Users\\Public\\run.bat, which downloads the get.png script and executes it\r\nevery 60 minutes\r\nOneDriveCloudBackup to execute C:\\Windows\\Fonts\\smartsscreen.exe every 40 minutes\r\nScheduled tasks for persistence\r\nget.png terminates all curl.exe processes and any PowerShell process with *get.png* in its command line, excluding\r\nthe current process. This is a way to terminate any concurrently running instance of the malware.\r\nThis script then downloads config.txt, a JSON file containing the hashes of the PE files it retrieved. This file verifies\r\nwhether any updated binaries are to be downloaded by checking the hashes of the previously downloaded files from any past\r\ninfections.\r\nconfig.txt file used to check for updated binaries\r\nFinally, get.png downloads all of its modules and various PE files. 
Below is a table containing a description of each\r\ndownloaded file:\r\nPath | Type | Description\r\nC:\\Windows\\System32\\drivers\\aswArPots.sys | Kernel driver | Vulnerable driver from Avast\r\nC:\\Windows\\System32\\drivers\\IObitUnlockers.sys | Kernel driver | Vulnerable driver from IObit\r\nC:\\Windows\\Fonts\\curl.exe | PE executable | Used to download files via cURL\r\nC:\\Windows\\Fonts\\smartsscreen.exe | PE executable | Core payload (GHOSTENGINE); its main purpose is to deactivate security instrumentation, complete initial infection, and execute the miner.\r\nC:\\Windows\\System32\\oci.dll | Service DLL | Persistence/updates module\r\nbackup.png | PowerShell script | Backdoor module\r\nkill.png | PowerShell script | A PowerShell script that injects and executes a PE file responsible for killing security sensors\r\nGHOSTENGINE modules\r\nGHOSTENGINE deploys several modules that can tamper with security tools, create a backdoor, and check for software\r\nupdates.\r\nEDR agent controller and miner module: smartsscreen.exe\r\nThis module primarily terminates any active EDR agent processes before downloading and installing a crypto-miner.\r\nsmartscreen.exe GHOSTENGINE module\r\nThe malware scans and compares all the running processes with a hardcoded list of known EDR agents. If there are any\r\nmatches, it first terminates the security agent by leveraging the Avast Anti-Rootkit Driver file aswArPots.sys with the\r\nIOCTL 0x7299C004 to terminate the process by PID.\r\nsmartscreen.exe is then used to delete the security agent binary with another vulnerable driver, iobitunlockers.sys\r\nfrom IObit, with the IOCTL 0x222124.\r\nsmartscreen.exe then downloads the XMRig client mining program (WinRing0x64.png) from the C2 server as\r\ntaskhostw.png. 
Finally, it executes XMRig, its drivers, and the configuration file config.json, starting the mining\r\nprocess.\r\nsmartscreen.exe executing XMRig\r\nUpdate/Persistence module: oci.dll\r\nThe PowerShell script creates a service DLL (oci.dll), a phantom DLL loaded by msdtc. The DLL's architecture varies\r\ndepending on the machine; it can be 32-bit or 64-bit. Its primary function is to create system persistence and download any\r\nupdates from the C2 servers by downloading the get.png script from the C2 and executing it.\r\noci.dll persistence/update mechanism\r\nEvery time the msdtc service starts, it will load oci.dll to spawn the PowerShell one-liner that executes get.png:\r\noci.dll downloading and executing get.png\r\nEDR agent termination module: kill.png\r\nkill.png is a PowerShell script that injects shellcode into the current process, decrypting and loading a PE file into\r\nmemory.\r\nkill.png injecting shellcode\r\nThis module is written in C++, and the authors have integrated redundancy into its operation. This redundancy is evident in\r\nthe replication of the technique used in smartsscreen.exe to terminate and delete EDR agent binaries; it continuously\r\nscans for any new processes.\r\nkill.png hardcoded security agent monitoring list\r\nPowerShell backdoor module: backup.png\r\nThe PowerShell script functions like a backdoor, enabling remote command execution on the system. It continually sends a\r\nBase64-encoded JSON object containing a unique ID, derived from the current time and the computer name, while awaiting\r\nBase64-encoded commands. 
The results of those commands are then sent back.\r\nbackup.png operating as a backdoor\r\nIn this example eyJpZCI6IjE3MTU2ODYyNDA3MjYyNiIsImhvc3QiOiJhbmFseXNpcyJ9 is the Base64-encoded JSON object:\r\nC2 Communication example of backup.png\r\n$ echo \"eyJpZCI6IjE3MTU2ODYyNDA3MjYyNiIsImhvc3QiOiJhbmFseXNpcyJ9\" | base64 -D\r\n{\"id\":\"171568624072626\",\"host\":\"analysis\"}\r\nMiner configuration\r\nXMRig is a legitimate crypto miner, and its developers have documented the configuration file usage and elements here. As noted at\r\nthe beginning of this publication, the ultimate goal of the REF4578 intrusion set was to gain access to an environment and\r\ndeploy a persistent Monero crypto miner, XMRig.\r\nWe extracted the configuration file from the miner, which was tremendously valuable as it allowed us to report on the\r\nMonero Payment ID and track the worker and pool statistics, mined cryptocurrency, transaction IDs, and withdrawals.\r\nBelow is an excerpt from the REF4578 XMRig configuration file:\r\n{\r\n \"autosave\": false,\r\n \"background\": true,\r\n \"colors\": true,\r\n...truncated...\r\n \"donate-level\": 0,\r\n \"donate-over-proxy\": 0,\r\n \"pools\": [\r\n {\r\n \"algo\": \"rx/0\",\r\n \"coin\": \"monero\",\r\n \"url\": \"pool.supportxmr[.]com:443\",\r\n \"user\": \"468ED2Qcchk4shLbD8bhbC3qz2GFXqjAUWPY3VGbmSM2jfJw8JpSDDXP5xpkMAHG98FHLmgvSM6ZfUqa9gvArUWP59tEd3f\",\r\n \"keepalive\": true,\r\n \"tls\": true\r\n...truncated...\r\n \"user-agent\": \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safar\r\n \"verbose\": 0,\r\n \"watch\": true,\r\n \"pause-on-battery\": false,\r\n \"pause-on-active\": false\r\n}\r\nMonero Payment ID\r\nMonero is a blockchain cryptocurrency focusing on obfuscation and fungibility to ensure anonymity and privacy. 
The\r\nPayment ID is an arbitrary and optional transaction attachment that consists of 32 bytes (64 hexadecimal characters) or 8\r\nbytes (in the case of integrated addresses).\r\nUsing the Payment ID from the above configuration excerpt\r\n(468ED2Qcchk4shLbD8bhbC3qz2GFXqjAUWPY3VGbmSM2jfJw8JpSDDXP5xpkMAHG98FHLmgvSM6ZfUqa9gvArUWP59tEd3f) we can view\r\nthe worker and pool statistics on one of the Monero Mining Pool sites listed in the configuration.\r\nWorker and pool statistics of the REF4578 Payment ID\r\nAdditionally, we can see the transaction hashes, which we can look up on the Monero blockchain explorer. Note that while\r\ntransactions date back four months, this only indicates the potential monetary gain by this specific worker and account.\r\nPayments for the REF4578 Payment ID\r\nUsing the Blockchain Explorer and one of the transaction hashes we got from the Payment ID, we can see the public key, the\r\namount withdrawn, and when. Note that these public keys are used with one-time addresses, or stealth addresses, which the\r\nadversary then unlocks with a private key to access the funds.\r\nTransactions for the REF4578 Payment ID\r\nIn the above example for transaction 7c106041de7cc4c86cb9412a43cb7fc0a6ad2c76cfdb0e03a8ef98dd9e744442 we can see\r\nthat there was a withdrawal of 0.109900000000 XMR (the abbreviation for Monero) totaling $14.86 USD. The Monero\r\nMining Pool site shows four transactions of approximately the same amount of XMR, totaling approximately $60.70 USD\r\n(January - March 2024).\r\nAs of the publication of this research, there are still active miners connected to the REF4578 Payment ID.\r\nMiners actively connecting to the REF4578 Payment ID\r\nWhile this specific Payment ID does not appear to be a big earner, it is evident that REF4578 could operate this intrusion set\r\nsuccessfully. 
Other victims of this campaign could have different Payment IDs used to track intrusions, which could be\r\ncombined for a larger overall haul.\r\nMalware and MITRE ATT\u0026CK\r\nElastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that threats use\r\nagainst enterprise networks.\r\nTactics\r\nTactics represent the why of a technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an\r\naction.\r\nExecution\r\nPersistence\r\nDefense Evasion\r\nDiscovery\r\nCommand and Control\r\nExfiltration\r\nImpact\r\nTechniques\r\nTechniques represent how an adversary achieves a tactical goal by performing an action.\r\nCommand and Scripting Interpreter: PowerShell\r\nCommand and Scripting Interpreter: Windows Command Shell\r\nScheduled Task/Job: Scheduled Task\r\nIndicator Removal: Clear Windows Event Logs\r\nMasquerading\r\nProcess Injection\r\nProcess Discovery\r\nExfiltration Over C2 Channel\r\nData Encoding\r\nResource Hijacking\r\nService Stop\r\nMitigating GHOSTENGINE\r\nDetection\r\nThe first objective of the GHOSTENGINE malware is to incapacitate endpoint security solutions and disable specific\r\nWindows event logs, such as Security and System logs, which record process creation and service registration. 
Therefore, it\r\nis crucial to prioritize the detection and prevention of these initial actions:\r\nSuspicious PowerShell execution\r\nExecution from unusual directories\r\nElevating privileges to system integrity\r\nDeploying vulnerable drivers and establishing associated kernel mode services.\r\nOnce the vulnerable drivers are loaded, detection opportunities decrease significantly, and organizations must find\r\ncompromised endpoints that stop transmitting logs to their SIEM.\r\nNetwork traffic may also be identifiable if DNS record lookups point to known mining pool domains over well-known ports such as HTTP (80) and HTTPS (443). Stratum is another popular network protocol for miners, by\r\ndefault over port 4444.\r\nThe analysis of this intrusion set revealed the following detection rules and behavior prevention events:\r\nSuspicious PowerShell Downloads\r\nService Control Spawned via Script Interpreter\r\nLocal Scheduled Task Creation\r\nProcess Execution from an Unusual Directory\r\nSvchost spawning Cmd\r\nUnusual Parent-Child Relationship\r\nClearing Windows Event Logs\r\nMicrosoft Windows Defender Tampering\r\nPotential Privilege Escalation via Missing DLL\r\nBinary Masquerading via Untrusted Path\r\nPrevention\r\nMalicious Files Prevention:\r\nGHOSTENGINE file prevention\r\nShellcode Injection Prevention:\r\nGHOSTENGINE shellcode prevention\r\nVulnerable Drivers file creation prevention (Windows.VulnDriver.ArPot and Windows.VulnDriver.IoBitUnlocker)\r\nGHOSTENGINE driver prevention\r\nYARA\r\nElastic Security has created YARA rules to identify this activity.\r\nWindows Trojan GHOSTENGINE\r\nWindows.VulnDriver.ArPot\r\nWindows.VulnDriver.IoBitUnlocker\r\nObservations\r\nAll observables are also available for download in both ECS and STIX format.\r\nThe following observables were discussed in this research.\r\nObservable | Type | 
Name\r\n2fe78941d74d35f721556697491a438bf3573094d7ac091b42e4f59ecbd25753 | SHA-256 | C:\\Windows\\Fonts\\smartsscreen.exe\r\n4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1 | SHA-256 | C:\\Windows\\System32\\drivers\\aswArPots.sys\r\n2b33df9aff7cb99a782b252e8eb65ca49874a112986a1c49cd9971210597a8ae | SHA-256 | C:\\Windows\\System32\\drivers\\IObitUnlockers.sys\r\n3ced0552b9ecf3dfecd14cbcc3a0d246b10595d5048d7f0d4690e26ecccc1150 | SHA-256 | C:\\Windows\\System32\\oci.dll\r\n3b2724f3350cb5f017db361bd7aae49a8dbc6faa7506de6a4b8992ef3fd9d7ab | SHA-256 | C:\\Windows\\System32\\oci.dll\r\n35eb368c14ad25e3b1c58579ebaeae71bdd8ef7f9ccecfc00474aa066b32a03f | SHA-256 | C:\\Windows\\Fonts\\taskhostw.exe\r\n786591953336594473d171e269c3617d7449876993b508daa9b96eedc12ea1ca | SHA-256 | C:\\Windows\\Fonts\\config.json\r\n11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 | SHA-256 | C:\\Windows\\Fonts\\WinRing0x64.sys\r\naac7f8e174ba66d62620bd07613bac1947f996bb96b9627b42910a1db3d3e22b | SHA-256 | C:\\ProgramData\\Microsoft\\DeviceSync\\SystemSync\\Tiworker\r\n6f3e913c93887a58e64da5070d96dc34d3265f456034446be89167584a0b347e | SHA-256 | backup.png\r\n7c242a08ee2dfd5da8a4c6bc86231985e2c26c7b9931ad0b3ea4723e49ceb1c1 | SHA-256 | get.png\r\ncc4384510576131c126db3caca027c5d159d032d33ef90ef30db0daa2a0c4104 | SHA-256 | kill.png\r\ndownload.yrnvtklot[.]com | domain |\r\n111.90.158[.]40 | ipv4-addr |\r\nftp.yrnvtklot[.]com | domain |\r\n93.95.225[.]137 | ipv4-addr |\r\nonline.yrnvtklot[.]com | domain |\r\nReferences\r\nThe following were referenced throughout the above research:\r\nhttps://www.antiy.com/response/HideShoveling.html\r\nSource: https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/invisible-miners-unveiling-ghostengine"
	],
	"report_names": [
		"invisible-miners-unveiling-ghostengine"
	],
	"threat_actors": [],
	"ts_created_at": 1775434189,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4aae31ed38dff539d97413b0658f7183e512d38b.pdf",
		"text": "https://archive.orkl.eu/4aae31ed38dff539d97413b0658f7183e512d38b.txt",
		"img": "https://archive.orkl.eu/4aae31ed38dff539d97413b0658f7183e512d38b.jpg"
	}
}