{
	"id": "f0f320f1-cead-4742-b229-07e84e6f6f12",
	"created_at": "2026-04-06T00:13:33.169677Z",
	"updated_at": "2026-04-10T03:19:56.183274Z",
	"deleted_at": null,
	"sha1_hash": "a9b22e90eccd3d17e0474471202b4e30ade9d10c",
	"title": "When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 401390,
	"plain_text": "When coin miners evolve, Part 1: Exposing LemonDuck and\r\nLemonCat, modern mining malware infrastructure | Microsoft\r\nSecurity Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2021-07-22 · Archived: 2026-04-05 19:19:16 UTC\r\n[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for\r\nprotecting against the wide range of threats it enables. Part 1 covers the evolution of the threat, how it spreads,\r\nand how it impacts organizations. Part 2 is a deep dive on the attacker behavior and will provide investigation\r\nguidance.]\r\nCombating and preventing today’s threats to enterprises require comprehensive protection focused on addressing\r\nthe full scope and impact of attacks. Anything that can gain access to machines—even so-called commodity\r\nmalware—can bring in more dangerous threats. We’ve seen this in banking Trojans serving as an entry point for\r\nransomware and hands-on-keyboard attacks. LemonDuck, an actively updated and robust malware that’s primarily\r\nknown for its botnet and cryptocurrency mining objectives, followed the same trajectory when it adopted more\r\nsophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and\r\nmining activities, LemonDuck steals credentials, removes security controls, spreads via emails, moves laterally,\r\nand ultimately drops more tools for human-operated activity.\r\nLemonDuck’s threat to enterprises is also in the fact that it’s a cross-platform threat. It’s one of a few documented\r\nbot malware families that targets Linux systems as well as Windows devices. It uses a wide range of spreading\r\nmechanisms—phishing emails, exploits, USB devices, brute force, among others—and it has shown that it can\r\nquickly take advantage of news, events, or the release of new exploits to run effective campaigns. For example, in\r\n2020, it was observed using COVID-19-themed lures in email attacks. 
In 2021, it exploited newly patched\r\nExchange Server vulnerabilities to gain access to outdated systems.\r\nThis threat, however, does not just limit itself to new or popular vulnerabilities. It continues to use older\r\nvulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather\r\nthan investigating compromise. Notably, LemonDuck removes other attackers from a compromised device by\r\ngetting rid of competing malware and preventing any new infections by patching the same vulnerabilities it used\r\nto gain access.\r\nIn the early years, LemonDuck targeted China heavily, but its operations have since expanded to include many\r\nother countries, focusing on the manufacturing and IoT sectors. Today, LemonDuck impacts a very large\r\ngeographic range, with the United States, Russia, China, Germany, the United Kingdom, India, Korea, Canada,\r\nFrance, and Vietnam seeing the most encounters.\r\nhttps://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/\r\nPage 1 of 8\n\nFigure 1. Global distribution of LemonDuck botnet activity\r\nIn 2021, LemonDuck campaigns started using more diversified command and control (C2) infrastructure and\r\ntools. This update supported the marked increase in hands-on-keyboard actions post-breach, which varied\r\ndepending on the perceived value of compromised devices to the attackers. Despite all these upgrades, however,\r\nLemonDuck still utilizes C2s, functions, script structures, and variable names for far longer than the average\r\nmalware. 
This is likely due to its use of bulletproof hosting providers such as Epik Holdings, which are unlikely to\r\ntake any part of the LemonDuck infrastructure offline even when reported for malicious actions, allowing\r\nLemonDuck to persist and continue to be a threat.\r\nIn-depth research into malware infrastructures of various sizes and operations provides invaluable insight into the\r\nbreadth of threats that organizations face today. In the case of LemonDuck, the threat is cross-platform, persistent,\r\nand constantly evolving. Research like this emphasizes the importance of having comprehensive visibility into the\r\nwide range of threats, as well as the ability to correlate simple, disparate activity such as coin mining to more\r\ndangerous adversarial attacks.\r\nLemonDuck and LemonCat infrastructure\r\nThe earliest documentation of LemonDuck was from its cryptocurrency campaigns in May 2019. These\r\ncampaigns included PowerShell scripts that employed additional scripts kicked off by a scheduled task. The task\r\nwas used to bring in the PCASTLE tool to achieve a couple of goals: abuse the EternalBlue SMB exploit, as well\r\nas use brute force or pass-the-hash to move laterally and begin the operation again. Many of these behaviors are\r\nstill observed in LemonDuck campaigns today.\r\nLemonDuck is named after the variable “Lemon_Duck” in one of the said PowerShell scripts. The variable is\r\noften used as the user agent, in conjunction with assigned numbers, for infected devices. The format used two sets\r\nof alphabetical characters separated by dashes, for example: “User-Agent: Lemon-Duck-[A-Z]-[A-Z]”. 
The term\r\nstill appears in PowerShell scripts, as well as in many of the execution scripts, specifically in a function called\r\nSIEX, which is used to assign a unique user-agent during botnet connection in attacks as recently as June 2021.\r\nLemonDuck frequently utilizes open-source material built off of resources also used by other botnets, so there are\r\nmany components of this threat that would seem familiar. Microsoft researchers are aware of two distinct\r\noperating structures, which both use the LemonDuck malware but are potentially operated by two different entities\r\nfor separate goals.\r\nThe first, which we call the “Duck” infrastructure, uses historical infrastructures discussed in this report. It is\r\nhighly consistent in running campaigns and performs limited follow-on activities. This infrastructure is seldom\r\nseen in conjunction with edge device compromise as an infection method, and is more likely to have random\r\ndisplay names for its C2 sites, and is always observed utilizing “Lemon_Duck” explicitly in script.\r\nThe second infrastructure, which we call “Cat” infrastructure—for primarily using two domains with the word\r\n“cat” in them (sqlnetcat[.]com, netcatkit[.]com)—emerged in January 2021. It was used in attacks exploiting\r\nvulnerabilities in Microsoft Exchange Server. Today, the Cat infrastructure is used in attacks that typically result in\r\nbackdoor installation, credential and data theft, and malware delivery. 
It is often seen delivering the malware\r\nRamnit.\r\nSample Duck domains:\r\ncdnimages[.]xyz\r\nbb3u9[.]com\r\nzz3r0[.]com\r\npp6r1[.]com\r\namynx[.]com\r\nackng[.]com\r\nhwqloan[.]com\r\njs88[.]ag\r\nzer9g[.]com\r\nb69kq[.]com\r\nSample Cat domains:\r\nsqlnetcat[.]com\r\nnetcatkit[.]com\r\ndown[.]sqlnetcat[.]com\r\nThe Duck and Cat infrastructures use similar subdomains, and they use the same task names, such as “blackball”.\r\nBoth infrastructures also utilize the same packaged components hosted on similar or identical sites for their\r\nmining, lateral movement, and competition-removal scripts, as well as many of the same function calls.\r\nThe fact that the Cat infrastructure is used for more dangerous campaigns does not deprioritize malware infections\r\nfrom the Duck infrastructure. Instead, this intelligence adds important context for understanding this threat: the\r\nsame set of tools, access, and methods can be re-used at dynamic intervals, to greater impact. Despite common\r\nimplications that cryptocurrency miners are less threatening than other malware, their core functionality mirrors\r\nnon-monetized software, making any botnet infection worthy of prioritization.\r\nFigure 2. LemonDuck attack chain from the Duck and Cat infrastructures\r\nInitial access\r\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email\r\ncampaigns.\r\nLemonDuck acts as a loader for many other follow-on activities, but one of its main functions is to spread by\r\ncompromising other systems. 
Since its first appearance, the LemonDuck operators have leveraged scans against\r\nboth Windows and Linux devices for open or weakly authenticated SMB, Exchange, SQL, Hadoop, REDIS, RDP,\r\nor other edge devices that might be vulnerable to password spray or application vulnerabilities like CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost),\r\nCVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).\r\nOnce inside a system with an Outlook mailbox, as part of its normal exploitation behavior, LemonDuck attempts\r\nto run a script that utilizes the credentials present on the device. The script instructs the mailbox to send copies of\r\na phishing message with preset messages and attachments to all contacts.\r\nBecause of this method of contact messaging, security controls that rely on determining if an email is sent from a\r\nsuspicious sender don’t apply. This means that email security policies that reduce scanning or coverage for\r\ninternal mail need to be re-evaluated, as sending emails through contact scraping is very effective at bypassing\r\nemail controls.\r\nFrom mid-2020 to March 2021, LemonDuck’s email subjects and body content have remained static, as have the\r\nattachment names and formats. 
These attachment names and formats have changed very little from similar\r\ncampaigns that occurred in early 2020.\r\nSample email subjects:\r\nThe Truth of COVID-19\r\nCOVID-19 nCov Special info WHO\r\nHALTH ADVISORY:CORONA VIRUS\r\nWTF\r\nWhat the fcuk\r\ngood bye\r\nfarewell letter\r\nbroken file\r\nThis is your order?\r\nSample email body content:\r\nVirus actually comes from United States of America\r\nvery important infomation for Covid-19 see attached document for your action and discretion.\r\nthe outbreak of CORONA VIRUS is cause of concern especially where forign personal have recently arrived or will be arriving at various intt in near future.\r\nwhat’s wrong with you?are you out of your mind!!!!!\r\nare you out of your mind!!!!!what ‘s wrong with you?\r\ngood bye, keep in touch\r\ncan you help me to fix the file,i can’t read it\r\nfile is brokened, i can’t open it\r\nThe attachment used for these lures is one of three types: .doc, .js, or a .zip containing a .js file. Whatever the type,\r\nthe file is named “readme”. Occasionally, all three types are present in the same email.\r\nFigure 3. Sample email\r\nWhile the JavaScript is detected by many security vendors, it might be classified with generic detection names. It\r\ncould be valuable for organizations to sanitize JavaScript or VBScript executing or calling prompts (such as\r\nPowerShell) directly from mail downloads through solutions such as custom detection rules.\r\nSince LemonDuck began operating, the .zip to .js file execution method is the most common. The JavaScript has\r\nreplaced the scheduled task that LemonDuck previously used to kickstart the PowerShell script. 
This PowerShell\r\nscript has looked very similar throughout 2020 and 2021, with minor changes depending on the version, indicating\r\ncontinued development. Below is a comparison of changes from the most recent iterations of the email-delivered\r\ndownloads and those from April of 2020.\r\nAfter the emails are sent, the inbox is cleaned to remove traces of these mails. This method of self-spreading is\r\nattempted on any affected device that has a mailbox, regardless of whether it is an Exchange server.\r\nOther common methods of infection include movement within the compromised environment, as well as through\r\nUSB and connected drives. These processes are often kicked off automatically and have occurred consistently\r\nthroughout the entirety of LemonDuck’s operation.\r\nThese methods run as a series of C# scripts that gather available drives for infection. They also create a running\r\nlist of drives that are already infected based on whether it finds the threat already installed. Once checked against\r\nthe running list of infected drives, these scripts attempt to create a set of hidden files in the home directory,\r\nincluding a copy of readme.js. Any device that has been affected by the LemonDuck implants at any time could\r\nhave had any number of drives attached to it that are compromised in this manner. This makes this behavior a\r\npossible entry vector for additional attacks.\r\nComprehensive protection against a wide-ranging malware operation\r\nThe cross-domain visibility and coordinated defense delivered by Microsoft 365 Defender is designed for the wide\r\nrange and increasing sophistication of threats that LemonDuck exemplifies. 
Microsoft 365 Defender has AI-powered industry-leading protections that can stop multi-component threats like LemonDuck across domains and\r\nacross platforms. Microsoft 365 Defender for Office 365 detects the malicious emails sent by the LemonDuck\r\nbotnet to deliver malware payloads as well as spread the bot loader. Microsoft Defender for Endpoint detects and\r\nblocks LemonDuck implants, payloads, and malicious activity on Linux and Windows.\r\nMore importantly, Microsoft 365 Defender provides rich investigation tools that can expose detections of\r\nLemonDuck activity, including attempts to compromise and gain a foothold on the network, so security operations\r\nteams can efficiently and confidently respond to and resolve these attacks. Microsoft 365 Defender correlates\r\ncross-platform, cross-domain signals to paint the end-to-end attack chain, allowing organizations to see the full\r\nimpact of an attack. We also published a threat analytics article on this threat. Microsoft 365 Defender customers\r\ncan use this report to get important technical details, guidance for investigation, consolidated incidents, and steps\r\nto mitigate this threat in particular and modern cyberattacks in general.\r\nIn Part 2 of this blog series, we share our in-depth technical analysis of the malicious actions that follow a\r\nLemonDuck infection. These include general, automatic behavior as well as human-initiated behavior. We will\r\nalso provide guidance for investigating LemonDuck attacks, as well as mitigation recommendations for\r\nstrengthening defenses against these attacks. 
READ: When coin miners evolve, Part 2: Hunting down\r\nLemonDuck and LemonCat attacks.\r\nMicrosoft 365 Defender Threat Intelligence Team\r\nSource: https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/"
	],
	"report_names": [
		"when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434413,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a9b22e90eccd3d17e0474471202b4e30ade9d10c.pdf",
		"text": "https://archive.orkl.eu/a9b22e90eccd3d17e0474471202b4e30ade9d10c.txt",
		"img": "https://archive.orkl.eu/a9b22e90eccd3d17e0474471202b4e30ade9d10c.jpg"
	}
}