{
	"id": "b089cf81-1b89-40cb-a0b6-1da652a8c58b",
	"created_at": "2026-04-06T00:22:10.385149Z",
	"updated_at": "2026-04-10T13:11:44.281453Z",
	"deleted_at": null,
	"sha1_hash": "792eb038dbd36f553b1cb062a168a57c01f69ee7",
	"title": "Blue Mockingbird activity mines Monero cryptocurrency",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 138986,
	"plain_text": "Blue Mockingbird activity mines Monero cryptocurrency\r\nBy susannah.matt@redcanary.com\r\nArchived: 2026-04-05 19:47:32 UTC\r\nIntroducing Blue Mockingbird\r\nRed Canary Intel is monitoring a potentially novel threat that is deploying Monero cryptocurrency-mining payloads on\r\nWindows machines at multiple organizations.\r\nOriginally published May 7, 2020. Last modified May 7, 2025.\r\nBlue Mockingbird is the name we’ve given to a cluster of similar activity we’ve observed involving Monero\r\ncryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. They achieve initial access by\r\nexploiting public-facing web applications, specifically those that use Telerik UI for ASP.NET, followed by execution and\r\npersistence using multiple techniques (check out my colleague Jesse Brown’s new blog for details on Blue Mockingbird’s\r\nCOR_PROFILER persistence mechanism). During at least one incident, the adversary used proxying software and\r\nexperimented with different kinds of reverse shell payloads to connect to external systems. The earliest Blue Mockingbird\r\ntools we’ve observed were created in December 2019.\r\nGaining entry\r\nIn at least two incident response (IR) engagements, Blue Mockingbird has exploited public-facing web applications (T1190:\r\nExploit Public-Facing Application) that implemented Telerik UI for ASP.NET AJAX. This suite of user interface\r\ncomponents accelerates the web development process, but some versions are susceptible to a deserialization vulnerability,\r\nCVE-2019-18935. The exploitation of this CVE is not unique to Blue Mockingbird, but it has been a common point of entry.\r\nIn exploiting this vulnerability, two DLLs are uploaded to a web application running on a Windows IIS web server. In\r\ntelemetry, investigators will notice w3wp.exe writing the DLLs to disk and then immediately loading them into memory\r\nafterward. 
In some cases, this will cause w3wp.exe to temporarily freeze and fail to successfully serve HTTP responses.\r\nFor a diagnostic to determine whether you are potentially affected by the Telerik CVE, you can search the IIS access logs for\r\nthe string POST Telerik.Web.UI.WebResource.axd . In victim environments, our IR partners found entries similar to these:\r\n2020-04-29 02:01:24 10.0.0.1 POST /Telerik.Web.UI.WebResource.axd type=rau 80 - \u003cexternal IP address\u003e Mozilla/5.0+(Window\r\n2020-04-29 02:01:27 10.0.0.1 POST /Telerik.Web.UI.WebResource.axd type=rau 80 - \u003cexternal IP address\u003e Mozilla/5.0+(Windows\r\nIn the entries, the string 200 refers to HTTP response code 200 where the POST request was successful, and the string\r\n500 refers to HTTP code 500 where the POST request was not processed successfully by the web server. These code 500\r\nhttps://redcanary.com/blog/blue-mockingbird-cryptominer/\r\nPage 1 of 8\n\nentries happened when the w3wp.exe process loaded the uploaded DLLs into memory and temporarily froze.\r\nSearching the IIS access logs for entries like these is a good idea even if you don’t explicitly know whether you use Telerik\r\nUI, as some web applications require the suite as a dependency behind the scenes.\r\nIf you have endpoint detection and response (EDR) or similar tools, you’ll notice cmd.exe or other suspicious processes\r\nspawning from w3wp.exe .\r\nExecution and evasion\r\nThe primary payload distributed by Blue Mockingbird is a version of XMRIG packaged as a DLL. XMRIG is a popular,\r\nopen-source Monero-mining tool that adversaries can easily compile into custom tooling. During the incidents, we noted\r\nthree distinct uses.\r\nThe first use was execution with rundll32.exe explicitly calling the DLL export fackaaxv (T1218.011: Rundll32). 
This\r\nexport seems unique to this actor’s payloads and doesn’t appear elsewhere in the wild:\r\nrundll32.exe dialogex.dll,fackaaxv\r\nThe next use was execution via regsvr32.exe with the /s command-line option (T1218.010: Regsvr32). Supplying\r\nthe /s switch executes the DllRegisterServer export exposed by the DLL payload. This export ultimately passed control\r\nof execution into the function exported as fackaaxv:\r\nregsvr32.exe /s dialogex.dll\r\nThe final execution path was with the payload configured as a Windows Service DLL (T1569.002: Service Execution). Once\r\nconfigured, execution of the service invoked the export ServiceMain, which again passed control to fackaaxv.\r\nCome for the exploit, stay for the mining\r\nBlue Mockingbird leveraged multiple techniques for persistence during incidents. The most novel technique was the use of a\r\nCOR_PROFILER COM hijack to execute a malicious DLL and restore items removed by defenders (T1559.001: Component\r\nObject Model). To use COR_PROFILER , they used wmic.exe and Windows Registry modifications to set environment\r\nvariables and specify a DLL payload.\r\nwmic ENVIRONMENT where \"name='COR_PROFILER'\" delete\r\nwmic ENVIRONMENT create name=\"COR_ENABLE_PROFILING\",username=\"\u003csystem\u003e\",VariableValue=\"1\"\r\nwmic ENVIRONMENT create name=\"COR_PROFILER\",username=\"\u003csystem\u003e\",VariableValue=\"\u003carbitrary CLSID\u003e\"\r\nREG.EXE ADD HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\\u003carbitrary CLSID\u003e\\InProcServer32 /V ThreadingModel /T REG_SZ /D Apar\r\nREG.EXE ADD HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\\u003carbitrary CLSID\u003e\\InProcServer32 /VE /T REG_SZ /D \"c:\\windows\\System\r\nThe payload DLL specified as a COR_PROFILER was simple and gathered few antivirus detections. 
It executed the following\r\ncommand:\r\ncmd.exe /c sc config wercplsupport start= auto \u0026\u0026 sc start wercplsupport \u0026\u0026 copy c:\\windows\\System32\\dialogex.dll c:\\wind\r\nSince COR_PROFILER was configured, every process that loaded the Microsoft .NET Common Language Runtime would\r\nexecute the command above, re-establishing persistence. The command configured the Windows Problem Reports and\r\nSolutions Control Panel Support service to execute automatically at boot (T1543.003: Windows Service). In a separate\r\ncommand, the actor modified the existing wercplsupport service to use the miner DLL instead of the legitimate one:\r\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wercplsupport\\Parameters\" /f /v ServiceDll /t REG_EXPAND_SZ\r\nNote that the actor used the DLL name wercplsupporte.dll as an attempt to masquerade as the legitimate DLL name,\r\nwhich is wercplsupport.dll (T1036.005: Match Legitimate Name or Location). In addition, more masquerading was used\r\nto make malicious Scheduled Tasks blend in with legitimate ones (T1053.005: Scheduled Task).\r\nIn some cases, the actor even created a new service to perform the same actions as the COR_PROFILER payload:\r\nsc create 8995 binPath= \"cmd /c sc config wercplsupport start= auto \u0026 sc start wercplsupport \u0026 copy c:\\windows\\System32\\8\r\nEscalating privileges and accessing credentials\r\nIt’s worth noting that Blue Mockingbird’s initial access does not provide the privileges needed to establish the many\r\npersistence mechanisms used. In one engagement, we observed the adversary using a JuicyPotato exploit to escalate\r\nprivileges from an IIS Application Pool Identity virtual account to the NT Authority\\SYSTEM account. 
JuicyPotato allows\r\nan attacker to abuse the SeImpersonate token privilege and Windows DCOM to move from an unprivileged account to the\r\nhighest level of privilege on a system (T1068: Exploitation for Privilege Escalation). During this engagement, the attacker\r\nabused a DCOM class and leveraged the IIS Application Pool Identity’s SeImpersonate privilege to perform the escalation:\r\nc:\\programdata\\let.exe -t t -p c:\\programdata\\rn.bat -l 1234 -c {8BC3F05E-D86B-11D0-A075-00C04FB68820}\r\nIn another engagement, we observed the adversary using Mimikatz (the official signed version) to access credentials for\r\nlogon (T1003.001: LSASS Memory).\r\nFree to move around the network\r\nAs with other adversaries that mine cryptocurrency opportunistically, Blue Mockingbird likes to move laterally and\r\ndistribute mining payloads across an enterprise. We observed Blue Mockingbird move laterally using a combination of the\r\nRemote Desktop Protocol to access privileged systems and Windows Explorer to then distribute payloads to remote systems\r\n(T1021.001 Remote Desktop Protocol, T1021.002 SMB/Windows Admin Shares). In some cases, Scheduled Tasks were\r\ncreated remotely with schtasks.exe /S to ensure execution.\r\nschtasks /create /tn \"setup service Management\" /tr \"c:\\windows\\temp\\rn.bat\" /sc ONCE /st 00:00 /F /RU System /S remote_h\r\nA look at command and control\r\nA novel aspect of this adversary is that their toolkit does not appear to be fully defined. In at least one engagement, we\r\nobserved Blue Mockingbird seemingly experimenting with different tools to create SOCKS proxies (T1090: Proxy) for\r\npivoting. These tools included a fast reverse proxy (frp), Secure Socket Funneling (SSF), and Venom. 
In one instance, the\r\nadversary also tinkered with PowerShell reverse TCP shells and a reverse shell in DLL form (T1059.001: PowerShell).\r\nTake action\r\nWe’ve scratched the surface on the XMRIG DLL payload, but we can dive deeper to understand more details (T1496:\r\nResource Hijacking). First, the export fackaaxv has been consistently present in the DLLs. Next, each DLL also contains a\r\nPE binary section _RANDOMX . This section appears unique to cryptocurrency-mining payloads because it houses the\r\nRandomX proof of work algorithm that XMRIG may use. The network connections made for mining usually involve a\r\nnanopool[.]org domain.\r\nWe made the assessment that the payload was actually XMRIG based on several pieces of evidence. First, there were\r\nmultiple references to “xmrig”, including version numbers, in the binary strings. These were accompanied by cleartext\r\nreferences to command-line options common to XMRIG:\r\ncoin\r\ndonate-level\r\nmax-cpu-usage\r\ncpu-priority\r\nlog-file\r\nThe final piece of evidence came from a text log written to disk by some versions of the miner DLL. 
In the text logs,\r\nidentifying information for XMRIG was output alongside hardware details for the victim system.\r\n* ABOUT XMRig/5.3.0 MSVC/2015\r\n* LIBS libuv/1.31.0 OpenSSL/1.1.1c hwloc/2.1.0\r\n* HUGE PAGES unavailable\r\n* 1GB PAGES unavailable\r\n* CPU Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz (1) x64 AES\r\n L2:0.3 MB L3:8.0 MB 1C/1T NUMA:1\r\n* MEMORY 1.3/4.0 GB (33%)\r\n* DONATE 0%\r\n* POOL #1 xmr-au1.nanopool.org:14433 coin monero\r\n* COMMANDS 'h' hashrate, 'p' pause, 'r' resume\r\n* OPENCL disabled\r\n* CUDA disabled\r\n[2020-04-16 08:30:26.753] [xmr-au1.nanopool.org:14433] DNS error: \"unknown node or service\"\r\nEach payload comes compiled with a standard list of commonly used Monero-mining domains alongside a Monero wallet\r\naddress. So far, we’ve identified two wallet addresses used by Blue Mockingbird that are in active circulation. Due to the\r\nprivate nature of Monero, we cannot see the balance of these wallets to estimate their success. We’ve seen mining payloads\r\ncompiled as early as December 2019 and as recently as late April 2020. In each compilation, one of the two wallets has been\r\nembedded into the binary. The wallet addresses could be extracted from the binaries easily in earlier versions using a simple\r\nstrings command. In newer versions, the string is obfuscated.\r\nEven with string obfuscation in the binary, you can observe the wallet addresses in network traffic. 
During execution of the\r\nminer DLLs, unique information is passed in cleartext across TCP streams:\r\nWe recommend the following analytics:\r\nProcess is cmd.exe with command line including sc AND config AND wercplsupporte.dll\r\nAny process where command line includes -t AND -c AND -l with network connections from 127.0.0.1\r\nand to 127.0.0.1 on port tcp135 (JuicyPotato)\r\nProcess is schtasks.exe with command line including /create AND sc start wercplsupport\r\nProcess is rundll32.exe with command line including fackaaxv\r\nProcess is regsvr32.exe with command line including /s and having an external network connection\r\nProcess is wmic.exe with command line including create AND COR_PROFILER\r\nProcess is cmd.exe and parent process is services.exe\r\nFor mitigations, focus on patching web servers, web applications, and dependencies of the applications. Most of the\r\ntechniques used by Blue Mockingbird will bypass whitelisting technologies, so the best route will be to inhibit initial access.\r\nConsider establishing a baseline of Windows Scheduled Tasks in your environment to know what is normal across your\r\nenterprise.\r\nLet’s collaborate!\r\nIf you’ve been tracking similar activity, we’d love to hear from you and collaborate. 
Contact blog@redcanary.com with any\r\nobservations or questions.\r\nIndicators of compromise for XMRIG miner DLLs\r\nIndicators of compromise for COR_PROFILER DLLs\r\nSource: https://redcanary.com/blog/blue-mockingbird-cryptominer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://redcanary.com/blog/blue-mockingbird-cryptominer/"
	],
	"report_names": [
		"blue-mockingbird-cryptominer"
	],
	"threat_actors": [
		{
			"id": "e568e9d7-ae94-4ce5-9039-4fd17c731c1d",
			"created_at": "2022-10-25T15:50:23.491763Z",
			"updated_at": "2026-04-10T02:00:05.342897Z",
			"deleted_at": null,
			"main_name": "Blue Mockingbird",
			"aliases": [
				"Blue Mockingbird"
			],
			"source_name": "MITRE:Blue Mockingbird",
			"tools": [
				"FRP",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434930,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/792eb038dbd36f553b1cb062a168a57c01f69ee7.pdf",
		"text": "https://archive.orkl.eu/792eb038dbd36f553b1cb062a168a57c01f69ee7.txt",
		"img": "https://archive.orkl.eu/792eb038dbd36f553b1cb062a168a57c01f69ee7.jpg"
	}
}