{
	"id": "12ea46ff-e415-46b5-a285-8176c08f75a4",
	"created_at": "2026-04-06T00:15:06.30841Z",
	"updated_at": "2026-04-10T03:21:02.402162Z",
	"deleted_at": null,
	"sha1_hash": "a6d8fd004754c39886b261ce3e954ecda714785b",
	"title": "Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 901267,
	"plain_text": "Behavior monitoring combined with machine learning spoils a\r\nmassive Dofoil coin mining campaign | Microsoft Security Blog\r\nBy Microsoft Defender Security Research Team\r\nPublished: 2018-03-07 · Archived: 2026-04-05 17:39:26 UTC\r\nUpdate: Further analysis of this campaign points to a poisoned update for a peer-to-peer (P2P) application. For\r\nmore information, read Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak. To detect and\r\nrespond to Dofoil in corporate networks, read Hunting down Dofoil with Windows Defender ATP.\r\nJust before noon on March 6 (PST), Windows Defender Antivirus blocked more than 80,000 instances of several\r\nsophisticated trojans that exhibited advanced cross-process injection techniques, persistence mechanisms, and\r\nevasion methods. Behavior-based signals coupled with cloud-powered machine learning models uncovered this\r\nnew wave of infection attempts. The trojans, which are new variants of Dofoil (also known as Smoke Loader),\r\ncarry a coin miner payload. Within the next 12 hours, more than 400,000 instances were recorded, 73% of which\r\nwere in Russia. Turkey accounted for 18% and Ukraine 4% of the global encounters.\r\nFigure 1: Geographic distribution of the Dofoil attack components\r\nWindows Defender AV initially flagged the attack’s unusual persistence mechanism through behavior monitoring,\r\nwhich immediately sent this behavior-based signal to our cloud protection service.\r\n1. Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking these\r\nthreats at first sight.\r\nhttps://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/\r\nPage 1 of 7\n\n2. Seconds later, our sample-based and detonation-based machine learning models also verified the malicious\r\nclassification. 
Within minutes, detonation-based models chimed in and added further confirmation.\r\n3. Within minutes, an anomaly detection alert notified us about a new potential outbreak.\r\n4. After analysis, our response team updated the classification name of this new surge of threats to the proper\r\nmalware families. People affected by these infection attempts early in the campaign would have seen\r\nblocks under machine learning names like Fuery, Fuerboos, Cloxer, or Azden. Later blocks show as the\r\nproper family names, Dofoil or Coinminer.\r\nWindows 10, Windows 8.1, and Windows 7 users running Windows Defender AV or Microsoft Security Essentials\r\nare all protected from this latest outbreak.\r\nFigure 2. Layered machine learning defenses in Windows Defender AV\r\nArtificial intelligence and behavior-based detection in Windows Defender AV have become one of the mainstays of\r\nour defense system. The AI-based pre-emptive protection provided against this attack is similar to how layered\r\nmachine learning defenses stopped an Emotet outbreak last month.\r\nCode injection and coin mining\r\nDofoil is the latest malware family to incorporate coin miners in attacks. Because the value of Bitcoin and other\r\ncryptocurrencies continues to grow, malware operators see the opportunity to include coin mining components in\r\ntheir attacks. For example, exploit kits are now delivering coin miners instead of ransomware. Scammers are\r\nadding coin mining scripts in tech support scam websites. And certain banking trojan families added coin mining\r\nbehavior.\r\nThe Dofoil campaign we detected on March 6 started with a trojan that performs process hollowing on\r\nexplorer.exe. 
Process hollowing is a code injection technique that involves spawning a new instance of a legitimate\r\nprocess (in this case c:\\windows\\syswow64\\explorer.exe) and then replacing the legitimate code with malware.\r\nFigure 3. Windows Defender ATP detection for process hollowing (SHA-256:\r\nd191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d, detected by Windows Defender AV\r\nas TrojanDownloader:Win32/Dofoil.AB)\r\nThe hollowed explorer.exe process then spins up a second malicious instance, which drops and runs a coin mining\r\nmalware masquerading as a legitimate Windows binary, wuauclt.exe.\r\nFigure 4. Windows Defender ATP detection for coin mining malware (SHA-256:\r\n2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f120, detected by Windows Defender AV as\r\nTrojan:Win32/CoinMiner.D)\r\nEven though it uses the name of a legitimate Windows binary, it’s running from the wrong location. The command\r\nline is anomalous compared to the legitimate binary. Additionally, the network traffic from this binary is\r\nsuspicious.\r\nFigure 5. Windows Defender ATP alert process tree showing anomalous IP communications\r\nFigure 6. Windows Defender ATP showing suspicious network activity\r\nFigure 7. Windows Defender ATP alert process tree showing hollowed explorer.exe process making suspicious\r\nconnections\r\nDofoil uses a customized mining application. Based on its code, the coin miner supports NiceHash, which means\r\nit can mine different cryptocurrencies. The samples we analyzed mined Electroneum coins.\r\nPersistence\r\nFor coin miner malware, persistence is key. 
These types of malware employ various techniques to stay undetected\r\nfor long periods of time in order to mine coins using stolen computer resources.\r\nTo stay hidden, Dofoil modifies the registry. The hollowed explorer.exe process creates a copy of the original\r\nmalware in the Roaming AppData folder and renames it to ditereah.exe. It then creates a registry key or modifies\r\nan existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the\r\nOneDrive Run key.\r\nFigure 8. Windows Defender ATP alert process tree showing creation of new malware process (SHA-256:\r\nd191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d) and registry modification\r\nCommand-and-control communication\r\nDofoil is an enduring family of trojan downloaders. These connect to command and control (C\u0026C) servers to\r\nlisten for commands to download and install malware. In the March 6 campaign, Dofoil’s C\u0026C communication\r\ninvolves the use of the decentralized Namecoin network infrastructure.\r\nThe hollowed explorer.exe process writes and runs another binary, D1C6.tmp.exe (SHA256:\r\n5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299c) into the Temp folder. D1C6.tmp.exe\r\nthen drops and executes a copy of itself named lyk.exe. Once running, lyk.exe connects to IP addresses that act as\r\nDNS proxy servers for the Namecoin network. It then attempts to connect to the C\u0026C server vinik.bit inside the\r\nNamecoin infrastructure. The C\u0026C server commands the malware to connect to or disconnect from an IP address;\r\ndownload a file from a certain URL and execute or terminate the specific file; or sleep for a period of time.\r\nFigure 9. 
Windows Defender ATP alert process tree showing creation of the temporary file, D1C6.tmp.exe\r\n(SHA256: 5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299c)\r\nFigure 10. Windows\r\nDefender ATP alert process tree showing lyk.exe connecting to IP addresses\r\nStay protected with Windows 10\r\nWith the rise in valuation of cryptocurrencies, cybercriminal groups are launching more and more attacks to\r\ninfiltrate networks and quietly mine for coins.\r\nWindows Defender AV’s layered approach to security, which uses behavior-based detection algorithms, generics,\r\nand heuristics, as well as machine learning models in both the client and the cloud, provides real-time protection\r\nagainst new threats and outbreaks.\r\nAs demonstrated, Windows Defender Advanced Threat Protection (Windows Defender ATP) flags malicious\r\nbehaviors related to installation, code injection, persistence mechanisms, and coin mining activities. Security\r\noperations can use the rich detection libraries in Windows Defender ATP to detect and respond to anomalous\r\nactivities in the network. Windows Defender ATP also integrates protections from Windows Defender AV,\r\nWindows Defender Exploit Guard, and Windows Defender Application Guard, providing a seamless security\r\nmanagement experience.\r\nTo test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced\r\nattacks, sign up for a free trial.\r\nWindows 10 S, a special configuration of Windows 10, helps protect against coin miners and other threats.\r\nWindows 10 S works exclusively with apps from the Microsoft Store and uses Microsoft Edge as the default\r\nbrowser, providing Microsoft verified security.\r\nWindows Defender Research\r\nTalk to us\r\nQuestions, concerns, or insights on this story? 
Join discussions at the Microsoft community and Windows\r\nDefender Security Intelligence.\r\nFollow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.\r\nSource: https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/"
	],
	"report_names": [
		"behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434506,
	"ts_updated_at": 1775791262,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a6d8fd004754c39886b261ce3e954ecda714785b.pdf",
		"text": "https://archive.orkl.eu/a6d8fd004754c39886b261ce3e954ecda714785b.txt",
		"img": "https://archive.orkl.eu/a6d8fd004754c39886b261ce3e954ecda714785b.jpg"
	}
}