{
	"id": "d3530e2e-e5c0-4e60-aa8d-0f3a3f9d6e47",
	"created_at": "2026-04-06T00:14:33.29732Z",
	"updated_at": "2026-04-10T03:21:57.351763Z",
	"deleted_at": null,
	"sha1_hash": "7c9b96ba9180ff8b97c7d1c8ace398492948ff65",
	"title": "Monero CoinMiner Being Distributed via Webhards",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3277280,
	"plain_text": "Monero CoinMiner Being Distributed via Webhards\r\nBy ATCP\r\nPublished: 2022-07-31 · Archived: 2026-04-05 22:48:17 UTC\r\nWebhards are the main platforms that attackers targeting Korean users exploit to distribute malware. The ASEC analysis team has been monitoring malware types distributed through webhards and has published multiple blog posts about them in the past.\r\nGenerally, attackers distribute malware alongside illegal programs such as adult games and cracked versions of games. Those who use webhards as a distribution path typically install RAT-type malware such as njRAT, UdpRAT, and DDoS IRC Bot.\r\nThe team has recently discovered the distribution of XMRig, also known as Monero CoinMiner, through webhards and discusses it in this post. After checking the path where the malware was distributed, the team found that compressed files disguised as game installers had been uploaded to certain webhards.\r\nhttps://asec.ahnlab.com/en/37526/\r\nPage 1 of 5\r\nThere are many users in the reply section of the above posts who confirmed the existence of malware inside the files after their anti-malware programs scanned them during the installation process.\r\nHowever, the team could not confirm whether the uploaders of these files were the ones who actually created the malware. This is because such game installers, once uploaded to certain torrents or webhards, tend to be re-uploaded to other webhards.\r\nThe following files are shown after decompressing the downloaded file. Users will run the “raksasi.exe” program, which is disguised with the game icon. However, the file is actually a malware strain that installs XMRig CoinMiner. The actual game program is inside the Resources folder within raksasi_Data.\r\nThis malware has a very simple structure. First, it downloads the Monero mining malware (xmrig.exe), the XMRig config file (config.json), and the XMRig launcher malware (MsDtsServer.exe) to the path “c:\\Xcrcure\\”. It then creates a shortcut called “NewStartUp.lnk” in the startup folder that executes the XMRig launcher, so the miner is launched after the next reboot. Finally, it executes the actual game inside the Resources folder to make it seem like the user launched the game normally.\r\nAfter XMRig is installed through this process, it reads the config.json file in the same path whenever the computer is rebooted and performs the mining process. The following figure shows the addresses of the mining pool and of the attacker’s wallet that exist inside the json file.\r\n– Mining pool address: gulf.moneroocean[.]stream:10128\r\n– Monero wallet address: 438wFRXdmiEQfgfhK4XhSMSNaFNd8EdJzPhj5PcXtomEaKcNJuBoZaC32TSdGpnFUxRANRiQdsWxGdvM7bDgLJHZR9FKF\r\nAs shown in the examples above, the malware is being distributed actively via file-sharing websites such as Korean webhards. As such, caution is advised when running executables downloaded from a file-sharing website. It is recommended to download products such as utility programs and games from the official websites.\r\nAhnLab’s anti-malware software, V3, detects and blocks the malware above using the aliases below.\r\n[File Detection]\r\n– Trojan/Win.FY.C5155016 (2022.06.02.02)\r\n– Trojan/Win64.XMR-Miner.R226842 (2019.12.11.01)\r\n– CoinMiner/Text.Config (2022.08.01.02)\r\n– Trojan/Win.Launcher.C5217400 (2022.08.01.02)\r\nMD5\r\n2f4650b01f8943f577abad9869429d1a\r\n35370cd5222ade95f77c8db5e39bcd64\r\nc717c47941c150f867ce6a62ed0d2d35\r\nd5d51ebb4ab6dc97d7e5557476526547\r\nf3227fc9ecc270d49e4b24eedfbdfdf2\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttps[:]//scmm[.]netlify[.]app/MsDtsServer[.]exe\r\nhttps[:]//scmm[.]netlify[.]app/config[.]json\r\nhttps[:]//scmm[.]netlify[.]app/xmrig[.]exe\r\nSource: https://asec.ahnlab.com/en/37526/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/37526/"
	],
	"report_names": [
		"37526"
	],
	"threat_actors": [],
	"ts_created_at": 1775434473,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c9b96ba9180ff8b97c7d1c8ace398492948ff65.pdf",
		"text": "https://archive.orkl.eu/7c9b96ba9180ff8b97c7d1c8ace398492948ff65.txt",
		"img": "https://archive.orkl.eu/7c9b96ba9180ff8b97c7d1c8ace398492948ff65.jpg"
	}
}