{
	"id": "c66f3147-0a11-4b20-ab26-0ad80c34660b",
	"created_at": "2026-04-06T00:10:34.490444Z",
	"updated_at": "2026-04-10T03:21:51.155487Z",
	"deleted_at": null,
	"sha1_hash": "8b49e45f120ad974f7218db595547659af41a3a0",
	"title": "Smominru Monero mining botnet making millions for operators | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1132520,
	"plain_text": "Smominru Monero mining botnet making millions for operators | Proofpoint US\r\nBy Kafeine, January 31, 2018\r\nPublished: 2018-01-31 · Archived: 2026-04-05 20:47:18 UTC\r\nOverview\r\nEven with recent volatility in the price of most cryptocurrencies, especially Bitcoin, interest among mainstream users and the media remains high. At the same time, Bitcoin alternatives like Monero and Ethereum continue their overall upward trend in value (Figure 1), putting them squarely in the crosshairs of threat actors looking for quick profits and anonymous transactions. Because obtaining these cryptocurrencies through legitimate mining mechanisms is quite resource-intensive, cybercriminals are stealing them, demanding ransomware payments in them, and harnessing other computers to mine them for free. Recently, Proofpoint researchers have been tracking the massive Smominru botnet, the combined computing power of which has earned millions of dollars for its operators.\r\nFigure 1: Monero cryptocurrency values (top) and relative values of major cryptocurrencies, including Bitcoin, over the past year (bottom)\r\nAnalysis\r\nSince the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo [6]), has been well-documented [1] [2] [3] [4] [5] [10], so we will not discuss its post-infection behavior. However, the miner’s use of Windows Management Instrumentation (WMI) is unusual among coin mining malware.\r\nThe speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz [9]. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). 
Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week (Figure 2).\r\nhttps://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators\r\nPage 1 of 10\n\nFigure 2: Smominru stats and payments on the MineXMR mining pool\r\nWe could also see that the average hash rate to date this year was quite high (Figure 3):\r\nFigure 3: Smominru hash rate history on MineXMR\r\nAt least 25 hosts were conducting attacks via EternalBlue (CVE-2017-0144, SMB) to infect new nodes and increase the size of the botnet. The hosts all appear to sit behind autonomous system AS63199. Other researchers also reported attacks via SQL Server [3], and we believe the actors are also likely using EsteemAudit (CVE-2017-0176, RDP), like most other EternalBlue attackers. The botnet’s command and control (C\u0026C) infrastructure is hosted behind SharkTech, whom we notified of the abuse but from whom we did not receive a reply.\r\nWith the help of abuse.ch [7] and the ShadowServer Foundation [8], we conducted a sinkholing operation to determine the botnet size and the location of the individual nodes. The botnet includes more than 526,000 infected Windows hosts, most of which we believe are servers. These nodes are distributed worldwide, but we observed the highest numbers in Russia, India, and Taiwan (Figures 4 and 5).\r\nFigure 4: Geographic distribution of Smominru nodes\r\nFigure 5: Concentration of Smominru nodes worldwide\r\nWe contacted MineXMR to request that the current Monero address associated with Smominru be banned. The mining pool reacted several days after the beginning of the operation, after which we observed the botnet operators registering new domains and mining to a new address on the same pool. 
It appears that the group may have lost control over one third of the botnet in the process (Figure 6).\r\nFigure 6: Smominru adapting to the sinkholing and returning to two thirds of its hash rate with a new Monero mining address\r\nFigure 7: Smominru statistics and payments associated with their new mining address\r\nConclusion\r\nCryptocurrencies have been used by cybercriminals for years in underground markets, but in the last year, we have observed standalone coin miners and coin mining modules in existing malware proliferate rapidly. As Bitcoin has become prohibitively resource-intensive to mine outside of dedicated mining farms, interest in Monero has increased dramatically. While Monero can no longer be mined effectively on desktop computers, a distributed botnet like that described here can prove quite lucrative for its operators.\r\nBecause most of the nodes in this botnet appear to be Windows servers, the performance impact on potentially critical business infrastructure may be high, as can the cost of increased energy usage by servers running much closer to capacity. The operators of this botnet are persistent, use all available exploits to expand their botnet, and have found multiple ways to recover after sinkhole operations. Given the significant profits available to the botnet operators and the resilience of the botnet and its infrastructure, we expect these activities to continue, along with their potential impacts on infected nodes. 
We also expect botnets like that described here to become more common and to continue growing in size.\r\nAcknowledgement\r\nWe would like to thank abuse.ch and ShadowServer for their help.\r\nReferences\r\n[1] https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/\r\n[2] http://blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-uses-wmi-eternalblue-spread-filelessly/\r\n[3] https://www.guardicore.com/2017/12/beware-the-hex-men/ (Taylor)\r\n[4] https://blogs.yahoo.co.jp/fireflyframer/34858380.html\r\n[5] https://www.77169.com/html/158742.html\r\n[6] https://www.reddit.com/r/antivirus/comments/6maxrt/tenacious_malware_called_ismolsmo/\r\n[7] https://abuse.ch/\r\n[8] https://www.shadowserver.org/\r\n[9] https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar\r\n[10] http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/\r\nIndicators of Compromise (IOCs)\r\nIOC Type: domain (domain:port | resolved IP)\r\ndown.oo000oo[.]club:8888 | 209.58.186[.]145\r\nwww.cyg2016[.]xyz:8888 | 103.95.29[.]8\r\ndown.mys2016[.]info:8888 | 103.95.29[.]8\r\nwmi.mykings.top[.]info:8888 | 45.58.140[.]194\r\nwmi.oo000oo[.]club:8888 | 45.58.140[.]194\r\nxmr.5b6b7b[.]ru:8888 | 45.58.140[.]194\r\n64.myxmr[.]pw:8888 | 170.178.171[.]162\r\nwmi.my0709[.]xyz:8888 | 103.95.30[.]26\r\nftp.ruisgood[.]ru:21 | 68.64.166[.]82\r\nftp.oo000oo[.]me:21 | 68.64.166[.]82\r\nftp.ftp0118[.]info:21 | 68.64.166[.]82\r\njs.mys2016[.]info:280 | 27.255.79[.]151\r\ndown.my0709[.]xyz | 103.95.30[.]26\r\ndown.my0115[.]ru:8888 | 103.95.30[.]26\r\nwmi.my0115[.]ru:8888 | 103.95.30[.]26\r\njs.my0115[.]ru:8888\r\nXmr.xmr5b[.]ru:8888 | 45.58.140[.]194\r\n64.mymyxmra[.]ru:8888 | 170.178.171[.]162\r\nDown.down0116[.]info | 198.148.80[.]194\r\nIOC Type: URI\r\n67.229.144[.]218:8888/ups.rar\r\n198.148.80[.]194:8888/0114.rar\r\n103.95.30[.]26:8888/close2.bat\r\nwww.pubyun[.]com/dyndns/getip\r\nxmr.5b6b7b[.]ru:8888/xmrok.txt\r\n64.myxmr[.]pw:8888/cudart32_65.dll\r\n64.myxmr[.]pw:8888/md5.txt\r\ndown.my0709[.]xyz:8888/ok.txt\r\nwmi.my0709[.]xyz:8888/test.html\r\nIOC Type: sha256\r\nda3b2e4da23aae505bf991cb68833d01d0c5b75645d246dfa9b6e403be1798c8\r\n8ceb370e5f32dd732809c827f8eda38cc9b746d40adea3dca33b8c27ee38eb6f\r\n5e15c97546a19759a8397e51e98a2d8168e6e27aff4dc518220459ed3184e4e2\r\n2e3f534bd6b7d1cf18dc727820124faed92fb28f1d4626c9658587b9b3c09509\r\nb7f8b5cb8fc7bd5c14105fde118f5ac7a808e590e52f16c70128b4bd28aa4b5a\r\n32e0712ff24e5f9ab8ee682a53514c501486f0836ef24125503335d86bd10a4e\r\n3b1824b41f3853376e21153d9125781dbb57b820d8a9a6cc037f82ea87f50973\r\nf1c36aebdcd92a04fd689d31944e5388e7e9b9421063ec4c98804ac7a04e6b0d\r\nIOC Type: Monero address\r\n45bbP2muiJHD8Fd5tZyPAfC2RsajyEcsRVVMZ7Tm5qJjdTMprexz6yQ5DVQ1BbmjkMYm9nMid2QSbiGLvvfau7At5V18FzQ\r\n47Tscy1QuJn1fxHiBRjWFtgHmvqkW71YZCQL33LeunfH4rsGEHx5UGTPdfXNJtMMATMz8bmaykGVuDFGWP3KyufBSdzxBb2\r\n43Lm9q14s7GhMLpUsiXY3MH6G67Sn81B5DqmN46u8WnBXNvJmC6FwH3ZMwAmkEB1nHSrujgthFPQeQCFPCwwE7m7TpspYBd\r\nIOC Type: IP\r\n148.153.34[.]114\r\n118.193.81[.]70\r\n118.193.31[.]14\r\n118.193.28[.]58\r\n164.52.12[.]110\r\n148.153.24[.]98\r\n164.52.13[.]58\r\n148.153.38[.]78\r\n118.193.22[.]58\r\n103.241.229[.]122\r\n148.153.39[.]186\r\n148.153.14[.]246\r\n118.193.31[.]110\r\n118.193.27[.]198\r\n164.52.25[.]106\r\n164.52.1[.]46\r\n148.153.36[.]34\r\n118.193.21[.]186\r\n164.52.12[.]162\r\n148.153.24[.]106\r\n148.153.44[.]46\r\n164.52.11[.]222\r\n118.193.29[.]6\r\n148.153.8[.]86\r\n164.52.1[.]14\r\nET and ETPRO Suricata/Snort Signatures\r\n2829231 || ETPRO TROJAN Win32/Smominru Coinminer Checkin\r\n2804781 || ETPRO POLICY DynDNS IP Check getip\r\n2018959 || ET POLICY PE EXE or DLL Windows file download HTTP\r\n2015744 || ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)\r\n2022886 || ET POLICY Crypto Coin Miner Login\r\n2024789 || ET POLICY DNS request for Monero mining pool\r\n2829329 || ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2018-01-17 1)\r\nSource: https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators"
	],
	"report_names": [
		"smominru-monero-mining-botnet-making-millions-operators"
	],
	"threat_actors": [],
	"ts_created_at": 1775434234,
	"ts_updated_at": 1775791311,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b49e45f120ad974f7218db595547659af41a3a0.pdf",
		"text": "https://archive.orkl.eu/8b49e45f120ad974f7218db595547659af41a3a0.txt",
		"img": "https://archive.orkl.eu/8b49e45f120ad974f7218db595547659af41a3a0.jpg"
	}
}