{
	"id": "85b1b554-c904-4bd5-acb2-0c253c235f8e",
	"created_at": "2026-04-06T00:08:47.305486Z",
	"updated_at": "2026-04-10T03:26:53.317344Z",
	"deleted_at": null,
	"sha1_hash": "59577955634b0d077729fd62840cf7887a458a9a",
	"title": "Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 756822,
	"plain_text": "Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via\r\nEternalBlue/DoublePulsar\r\nBy Kafeine\r\nArchived: 2026-04-05 17:42:27 UTC\r\nOverview\r\nOn Friday, May 12, attackers spread a massive ransomware attack worldwide using the EternalBlue exploit to rapidly\r\npropagate the malware over corporate LANs and wireless networks. EternalBlue, originally exposed on April 14 as part of\r\nthe Shadow Brokers dump of NSA hacking tools, leverages a vulnerability (MS17-010) in Microsoft Server Message Block\r\n(SMB) on TCP port 445 to discover vulnerable computers on a network and laterally spread malicious payloads of the\r\nattacker’s choice. This particular attack also appeared to use an NSA backdoor called DoublePulsar to actually install the\r\nransomware known as WannaCry.\r\nOver the subsequent weekend, however, we discovered another very large-scale attack using both EternalBlue and\r\nDoublePulsar to install the cryptocurrency miner Adylkuzz. Initial statistics suggest that this attack may be larger in scale\r\nthan WannaCry: because this attack shuts down SMB networking to prevent further infections with other malware (including\r\nthe WannaCry worm) via that same vulnerability, it may have in fact limited the spread of last week’s WannaCry infection.\r\nSymptoms of this attack include loss of access to shared Windows resources and degradation of PC and server performance.\r\nSeveral large organizations reported network issues this morning that were originally attributed to the WannaCry campaign.\r\nHowever, because of the lack of ransom notices, we now believe that these problems might be associated with Adylkuzz\r\nactivity. However, it should be noted that the Adylkuzz campaign significantly predates the WannaCry attack, beginning at\r\nleast on May 2 and possibly as early as April 24. 
This attack is ongoing and, while less flashy than WannaCry, is nonetheless\r\nquite large and potentially quite disruptive.\r\nThe Discovery\r\nIn the course of researching the WannaCry campaign, we exposed a lab machine vulnerable to the EternalBlue attack. While\r\nwe expected to see WannaCry, the lab machine was actually infected with an unexpected and less noisy guest: the\r\ncryptocurrency miner Adylkuzz. We repeated the operation several times with the same result: within 20 minutes of\r\nexposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet.\r\nhttps://web.archive.org/web/20170609161432/https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar\r\nPage 1 of 8\n\nFigure 1: EternalBlue/DoublePulsar attack from one of several identified hosts, then Adylkuzz being downloaded from another\r\nhost - A hash of a pcap of this capture is available in the IOCs table\r\nThe attack is launched from several virtual private servers that are massively scanning the Internet on TCP port 445 for\r\npotential targets.\r\nUpon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then\r\ndownloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself\r\nalready running and block SMB communication to avoid further infection. It then determines the public IP address of the\r\nvictim and downloads the mining instructions, cryptominer, and cleanup tools.\r\nIt appears that at any given time there are multiple Adylkuzz command and control (C\u0026C) servers hosting the cryptominer\r\nbinaries and mining instructions.\r\nFigure 2 shows the post-infection traffic generated by Adylkuzz in this attack.\r\nFigure 2: Post-infection traffic associated with the attack\r\nIn this attack, Adylkuzz is being used to mine Monero cryptocurrency.
Similar to Bitcoin but with enhanced anonymity\r\ncapabilities, Monero recently saw a surge in activity after it was adopted by the AlphaBay darknet market, described by law\r\nenforcement authorities as “a major underground website known to sell drugs, stolen credit cards and counterfeit items.”\r\nLike other cryptocurrencies, Monero increases market capitalization through the process of mining. This process is\r\ncomputationally intensive but rewards miners with funds in the mined currency, currently 7.58 Moneros or roughly $205 at\r\ncurrent exchange rates.\r\nFigure 3 shows Adylkuzz mining Monero cryptocurrency, a process that can be more easily distributed across a botnet like\r\nthat created here than in the case of Bitcoin, which now generally requires dedicated, high-performance machines.\r\nFigure 3: Part of the behavioral analysis from an Adylkuzz-infected VM showing it, among other things, closing the SMB door\r\nand launching Monero mining\r\nOne of several Monero addresses associated with this attack is shown in Figure 4. The hash rate shows the relative speed\r\nwith which the specific associated instance of the botnet is mining Moneros, while the total paid shows the amount paid to\r\nthis particular address for mining activities. In this case, just over $22,000 was paid out before the mining associated with\r\nthis address ceased.\r\nFigure 4: One of several Monero addresses associated with income from Adylkuzz mining\r\nLooking at the mining payments per day associated with a single Adylkuzz address, we can see the increased payment\r\nactivity beginning on April 24 when this attack began.
We believe that the sudden drop that occurred on May 11 indicates\r\nwhen the actors switched to a new mining user address (Figure 5). By regularly switching addresses, we believe that the\r\nactors are attempting to avoid having too many Moneros paid to a single address.\r\nFigure 5: Daily payment activity associated with a single Adylkuzz mining address\r\nStatistics and payment history for a second payment address are shown in Figure 6. This address has had just over $7,000\r\npaid to date.\r\nFigure 6: A second Monero address associated with income from Adylkuzz mining\r\nA third address shows a higher hash rate and a current payment total of over $14,000 (Figure 7).\r\nFigure 7: A third Monero address associated with income from Adylkuzz mining\r\nWe have currently identified over 20 hosts set up to scan and attack, and are aware of more than a dozen active Adylkuzz\r\nC\u0026C servers. We also expect that there are many more Monero mining payment addresses and Adylkuzz C\u0026C servers\r\nassociated with this activity.\r\nConclusion\r\nLike last week’s WannaCry campaign, this attack makes use of leaked NSA hacking tools and leverages a patched\r\nvulnerability in Microsoft Windows networking. The Adylkuzz campaign, in fact, predates WannaCry by many days. For\r\norganizations running legacy versions of Windows or that have not implemented the SMB patch that Microsoft released last\r\nmonth, PCs and servers will remain vulnerable to this type of attack.
Whether they involve ransomware, cryptocurrency\r\nminers, or any other type of malware, these attacks are potentially quite disruptive and costly. Two major campaigns have\r\nnow employed the attack tools and vulnerability; we expect others will follow and recommend that organizations and\r\nindividuals patch their machines as soon as possible.\r\nAcknowledgments\r\nWe want to thank:\r\nOur friends at Trend Micro for input allowing us to add more IOCs\r\nCloudflare and Choopa for their immediate action upon notification.\r\n@benkow_ for several inputs.\r\nIndicators of Compromise\r\nSelection of Domain/IP Address Date Comment\r\n45.32.52[.]8 2017-05-16 Attacking host\r\n45.76.123[.]172 2017-05-16 Attacking host\r\n104.238.185[.]251 2017-05-16 Attacking host\r\n45.77.57[.]194 2017-05-14 Attacking host\r\n45.76.39[.]29 2017-05-15 Attacking host\r\n45.77.57[.]36 2017-05-15 Attacking host\r\n104.238.150[.]145 2017-05-14 Server hosting the payload binary\r\n08.super5566[.]com 2017-05-14 Adylkuzz C\u0026C\r\na1.super5566[.]com 2017-05-02 Adylkuzz C\u0026C\r\naa1.super5566[.]com 2017-05-01 Adylkuzz C\u0026C\r\nlll.super1024[.]com 2017-04-24 Adylkuzz C\u0026C\r\n07.super5566[.]com 2017-04-30 Adylkuzz C\u0026C\r\nam.super1024[.]com 2017-04-25 Adylkuzz C\u0026C\r\n05.microsoftcloudserver[.]com 2017-05-12 Adylkuzz C\u0026C\r\nd.disgogoweb[.]com 2017-04-30 Adylkuzz C\u0026C\r\npanel.minecoins18[.]com 2014-10-17 Adylkuzz C\u0026C in 2014\r\nwa.ssr[.]la 2017-04-28 Adylkuzz C\u0026C\r\n45.77.57[.]190 2017-05-15 Host presenting same signature as attackers\r\n45.77.58[.]10 2017-05-15 Host presenting same signature as attackers\r\n45.77.58[.]40 2017-05-15 Host presenting same signature as attackers\r\n45.77.58[.]70 2017-05-15 Host
presenting same signature as attackers\r\n45.77.56[.]87 2017-05-15 Host presenting same signature as attackers\r\n45.77.21[.]159 2017-05-15 Attacking host\r\n45.77.29[.]51 2017-05-15 Host presenting same signature as attackers\r\n45.77.31[.]219 2017-05-15 Host presenting same signature as attackers\r\n45.77.5[.]176 2017-05-15 Host presenting same signature as attackers\r\n45.77.23[.]225 2017-05-15 Host presenting same signature as attackers\r\n45.77.58[.]147 2017-05-15 Host presenting same signature as attackers\r\n45.77.56[.]114 2017-05-15 Host presenting same signature as attackers\r\n45.77.3[.]179 2017-05-15 Host presenting same signature as attackers\r\n45.77.58[.]134 2017-05-15 Host presenting same signature as attackers\r\n45.77.59[.]27 2017-05-15 Host presenting same signature as attackers\r\nAlso available in MISP JSON format.\r\nSelect Dropped Samples\r\nSHA-256 Date Comment\r\n29d6f9f06fa780b7a56cae0aa888961b8bdc559500421f3bb3b97f3dd94797c2 2017-05-14 Pcap of the attack (filtered and a bit sanitized)\r\n8200755cbedd6f15eecd8207eba534709a01957b172d7a051b9cc4769ddbf233 2017-05-14 Adylkuzz.B spread via EB/DP\r\n450cb5593d2431d00455cabfecc4d28d42585789d84c25d25cdc5505189b4f9f 2017-04-24 Adylkuzz.A (we are not sure that instance was spread via EB/DP)\r\na7000b2618512f1cb24b51f4ae2f34d332b746183dfad6483aba04571ba8b2f9 2017-05-14 s2bk.1_.exe\r\ne96681456d793368a6fccfa1321c10c593f3527d7cadb1ff462aa0359af61dee 2017-05-14 445.bat (? seems to clean up old variant of the coin miner and stop Windows Update)\r\ne6680bf0d3b32583047e9304d1703c87878c7c82910fbe05efc8519d2ca2df71 2017-05-14 Msiexev.exe Bitcoin miner process\r\n55622d4a582ceed0d54b12eb40222bca9650cc67b39f74c5f4b78320a036af88 2017-05-02 Bitcoin miner process\r\n6f74f7c01503913553b0a6118b0ea198c5a419be86fca4aaae275663806f68f3 2017-05-15 Adylkuzz.B spread via EB/DP\r\nfab31a2d44e38e733e1002286e5df164509afe18149a8a2f527ec6dc5e71cb00 2014-10-17 An old version of Adylkuzz\r\nd73c9230811f1075d5697679b6007f5c15a90177991e238c5adc3ed55ce04988 2017-05-15 Adylkuzz.B spread via EB/DP\r\nExecuted commands:\r\ntaskkill /f /im hdmanager.exe\r\nC:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding\r\ntaskkill /f /im mmc.exe\r\nsc stop WELM\r\nsc delete WELM\r\nnetsh ipsec static add policy name=netbc\r\nnetsh ipsec static add filterlist name=block\r\nnetsh ipsec static add filteraction name=block action=block\r\nnetsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445\r\nnetsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block\r\nnetsh ipsec static set policy name=netbc assign=y\r\nC:\\Windows\\Fonts\\wuauser.exe --server\r\nC:\\Windows\\Fonts\\msiexev.exe -a cryptonight -o stratum+tcp://xmr.crypto-pool.fr:443 -u 49v1V2suGMS8JyPEU5FTtJRTHQ9YmraW7Mf2btVCTxZuEB8EjjqQz3i8vECu7XCgvUfiW6NtSRewnHF5MNA3LbQTBQV3v -p x -t 1\r\nC:\\Windows\\TEMP\\\\s2bk.1_.exe /stab C:\\Windows\\TEMP\\\\s2bk.2_.log\r\ntaskkill /f /im msiexev.exe\r\nnetsh advfirewall firewall delete rule name=\"Chrome\"\r\nnetsh advfirewall firewall delete rule name=\"Windriver\"\r\nnetsh advfirewall firewall add rule name=\"Chrome\" dir=in program=\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.txt\" action=allow\r\nnetsh advfirewall firewall add rule name=\"Windriver\" dir=in program=\"C:\\Program Files\\Hardware Driver Management\\windriver.exe\" action=allow\r\nC:\\Windows\\445.bat\r\nC:\\Windows\\system32\\PING.EXE ping 127.0.0.1\r\nnet stop Windows32_Update\r\nattrib +s +a +r +h wuauser.exe\r\nC:\\Windows\\system32\\SecEdit.exe secedit /configure /db C:\\Windows\\netbios.sdb\r\nC:\\Windows\\system32\\net1 stop Windows32_Update\r\nSelect ET signatures\r\n2024217 || ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray\r\n2024218 || ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response\r\n2024216 || ET EXPLOIT Possible DOUBLEPULSAR Beacon Response\r\n2000419 || ET POLICY PE EXE or DLL Windows file download\r\n2826160 || ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2017-04-28 1)\r\n2017398 || ET POLICY Internal Host Retrieving External IP via icanhazip.com - Possible Infection\r\n2022886 || ET POLICY Crypto Coin Miner Login",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20170609161432/https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar"
	],
	"report_names": [
		"adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar"
	],
	"threat_actors": [
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434127,
	"ts_updated_at": 1775791613,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59577955634b0d077729fd62840cf7887a458a9a.pdf",
		"text": "https://archive.orkl.eu/59577955634b0d077729fd62840cf7887a458a9a.txt",
		"img": "https://archive.orkl.eu/59577955634b0d077729fd62840cf7887a458a9a.jpg"
	}
}