{
	"id": "e1982aec-7f54-4755-ae9e-d8dbe4e3802c",
	"created_at": "2026-04-10T03:20:57.488696Z",
	"updated_at": "2026-04-10T13:12:33.604362Z",
	"deleted_at": null,
	"sha1_hash": "b02afb51955357617d211eb32e2cfd48456d554f",
	"title": "Stantinko botnet adds cryptomining to its pool of criminal activities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 136000,
	"plain_text": "Stantinko botnet adds cryptomining to its pool of criminal\r\nactivities\r\nBy Vladislav Hrčka\r\nArchived: 2026-04-10 02:54:59 UTC\r\nThe operators of the Stantinko botnet have expanded their toolset with a new means of profiting from the\r\ncomputers under their control. The roughly half-million-strong botnet – known to have been active since at least\r\n2012 and mainly targeting users in Russia, Ukraine, Belarus and Kazakhstan – now distributes a cryptomining\r\nmodule. Mining Monero, a cryptocurrency whose exchange rate has oscillated in 2019 between US$50 and\r\nUS$110, has been the botnet’s monetizing functionality since at least August 2018. Before that, the botnet\r\nperformed click fraud, ad injection, social network fraud and password stealing attacks.\r\nIn this article, we describe Stantinko’s cryptomining module and provide an analysis of its functionality.\r\nThis module’s most notable feature is the way it is obfuscated to thwart analysis and avoid detection. Due to the\r\nuse of source level obfuscations with a grain of randomness and the fact that Stantinko’s operators compile this\r\nmodule for each new victim, each sample of the module is unique.\r\nWe will describe the module’s obfuscation techniques and offer, in a separate article for fellow malware analysts, a\r\npossible approach to deal with some of them.\r\nSince Stantinko is constantly developing new and improving its existing custom obfuscators and modules, which\r\nare heavily obfuscated, it would be backbreaking to track each minor improvement and change that it introduces.\r\nTherefore, we decided to mention and describe only what we believe are significant adjustments in comparison\r\nwith earlier samples relative to the state in which the module is to be described. 
After all, our intention in this article is simply to describe the module as it currently is.\r\nModified open-source cryptominer\r\nStantinko’s cryptomining module, which exhausts most of the resources of the compromised machine by mining a cryptocurrency, is a highly modified version of the xmr-stak open-source cryptominer. All unnecessary strings and even whole functionalities were removed in an attempt to evade detection. The remaining strings and functions are heavily obfuscated. ESET security products detect this malware as Win{32,64}/CoinMiner.Stantinko.\r\nUse of mining proxies\r\nCoinMiner.Stantinko doesn’t communicate with its mining pool directly, but via proxies whose IP addresses are acquired from the description text of YouTube videos. A similar technique of hiding data in YouTube video descriptions is used by the banking malware Casbaneiro. Casbaneiro uses much more legitimate-looking channels and descriptions, but for much the same purpose: storing encrypted C\u0026Cs.\r\nhttps://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/\r\nPage 1 of 11\n\nThe description of such a video is a string composed of mining proxy IP addresses in hexadecimal format. For example, the YouTube video seen in Figure 1 has the description “03101f1712dec626”, which corresponds to two IP addresses in hexadecimal format: 03101f17 corresponds to 3.16.31[.]23 in decimal dotted-quad format, and 12dec626 is 18.222.198[.]38. As of the time of writing, the format has been slightly adjusted: the IP addresses are now enclosed in “!!!!”, which simplifies parsing and prevents possible changes to the YouTube video HTML structure from breaking the parser.\r\nFigure 1. Example YouTube video whose description provides an IP address for the module’s communication with the mining pool\r\nIn earlier versions, the YouTube URL was hardcoded in the CoinMiner.Stantinko binary. 
Currently the module receives a video identifier as a command line parameter instead. This parameter is then used to construct the YouTube URL, in the form https://www.youtube.com/watch?v=%PARAM%. The cryptomining module is executed either by Stantinko’s BEDS component, or by rundll32.exe via a batch file that we have not captured, with the module loaded from a local file system location of the form %TEMP%\\%RANDOM%\\%RANDOM_GUID%.dll.\r\nWe informed YouTube of this abuse; all the channels containing these videos were taken down.\r\nCryptomining capabilities\r\nWe have divided the cryptomining module into four logical parts, which represent distinct sets of capabilities. The main part performs the actual cryptomining; the other parts of the module are responsible for additional functions:\r\nsuspending other (i.e. competing) cryptomining applications\r\ndetecting security software\r\nsuspending the cryptomining function if the PC is on battery power or when a task manager is detected, to avoid being noticed by the user\r\nCryptomining\r\nAt the very core of the cryptomining function lie the hashing process and the communication with the proxy. 
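As an added example (our own illustration, not ESET’s code and not taken from the malware), the following Python decodes a video description in both layouts described above: the original one, where the description is a bare run of 8-hex-digit addresses, and the newer one, where the run sits between ‘!!!!’ markers. That the hex run is enclosed by one marker on each side is an assumption; the article only says the addresses are enclosed in ‘!!!!’. The sample descriptions are constructed from the one quoted for Figure 1.

```python
# Added example (not ESET's code): decode Stantinko-style YouTube descriptions
# into mining-proxy IP addresses. Two layouts are handled: the original one, in
# which the whole description is a run of 8-hex-digit IPv4 addresses, and the
# later one, in which the hex run is enclosed in '!!!!' markers. The exact
# placement of the markers (hex between two '!!!!' strings) is an assumption.
import re

HEX_RUN = re.compile(r'[0-9A-Fa-f]+')
MARKER = '!!!!'


def hex_to_ipv4(chunk):
    # One address is 8 hex digits, most significant octet first: 03101f17 -> 3.16.31.23
    if len(chunk) != 8:
        raise ValueError('expected 8 hex digits, got %r' % chunk)
    octets = [int(chunk[i:i + 2], 16) for i in range(0, 8, 2)]
    return '.'.join(str(o) for o in octets)


def extract_hex_payload(description):
    # Later format: take what sits between the first pair of '!!!!' markers,
    # ignoring everything else in the description (titles, links, noise).
    if MARKER in description:
        start = description.index(MARKER) + len(MARKER)
        end = description.find(MARKER, start)
        if end == -1:
            raise ValueError('opening marker without closing marker')
        return description[start:end].strip()
    # Original format: the description itself is the hex string.
    return description.strip()


def parse_description(description):
    payload = extract_hex_payload(description)
    if not HEX_RUN.fullmatch(payload) or len(payload) % 8 != 0:
        raise ValueError('payload is not a whole number of 8-hex-digit addresses: %r' % payload)
    return [hex_to_ipv4(payload[i:i + 8]) for i in range(0, len(payload), 8)]


def defanged(addresses):
    # Defang for reporting, matching the 3.16.31[.]23 convention used in IoC lists.
    return [a.rsplit('.', 1)[0] + '[.]' + a.rsplit('.', 1)[1] for a in addresses]


if __name__ == '__main__':
    # Constructed inputs: the first is the description quoted in the article,
    # the second imitates the newer marker-delimited layout.
    for desc in ('03101f1712dec626', 'Best video ever !!!!03101f1712dec626!!!! subscribe'):
        print(desc, '->', defanged(parse_description(desc)))
```

Fed the descriptions of the videos listed in the IoC section, this yields the proxy list without running the malware; a description that is not a whole number of addresses is rejected rather than partially decoded, so a changed format is noticed instead of producing wrong addresses.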
The method of obtaining the list of mining proxies is described above; CoinMiner.Stantinko establishes communication with the first mining proxy it finds alive.\r\nIts communication takes place over TCP and is encrypted with RC4, the ciphertext then being base64 encoded. The RC4 key consists of the first 26 characters of the number pi, including the decimal separator, hardcoded as the string \"3,141592653589793238462643\"; the same key is used in all samples we have seen.\r\nThe code of the hashing algorithm is downloaded from the mining proxy at the beginning of the communication and loaded into memory – either directly or, in earlier versions, from the library libcr64.dll that is first dropped onto the disk.\r\nDownloading the hashing code with each execution enables the Stantinko group to change this code on the fly. This makes it possible, for example, to adapt to adjustments of algorithms in existing currencies and to switch to mining other cryptocurrencies, perhaps in order to mine whichever is most profitable at the moment of execution. The main benefit of downloading the core part of the module from a remote server and loading it directly into memory is that this part of the code is never stored on disk. This additional adjustment, which is not present in earlier versions, is aimed at complicating detection, because patterns in these algorithms are trivial for security products to detect.\r\nAll instances of Stantinko’s cryptomining module we’ve analyzed mine Monero. We deduced this from the jobs provided by the mining proxy and the hashing algorithm. 
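The proxy channel described above, as an added example (our own Python, not ESET’s code and not the malware’s implementation): RC4 under the fixed pi-derived key, with the ciphertext base64 encoded on the wire. The Stratum-like job object is constructed for illustration and the decrypt_capture helper is what an analyst would run over lines pulled from a capture; the exact framing of the real miner/proxy exchange is not known to us and is not claimed here.

```python
# Added example (not ESET's code): model of CoinMiner.Stantinko's proxy channel
# as the article describes it: RC4 with the fixed pi-derived key, ciphertext
# base64 encoded. The Stratum-like job JSON is constructed here for illustration;
# the real miner/proxy exchange may carry other fields and framing.
import base64
import json

# Key quoted in the article: first 26 characters of pi, comma as decimal separator.
STANTINKO_KEY = b'3,141592653589793238462643'


def rc4(key, data):
    # Textbook RC4: key-scheduling algorithm followed by the PRGA keystream XOR.
    # RC4 is symmetric, so the same call both encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xff
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xff
        j = (j + s[i]) & 0xff
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xff])
    return bytes(out)


def seal(message, key=STANTINKO_KEY):
    # Wire format per the article: RC4 first, then base64 (text-safe over TCP).
    return base64.b64encode(rc4(key, json.dumps(message).encode()))


def unseal(wire, key=STANTINKO_KEY):
    return json.loads(rc4(key, base64.b64decode(wire)).decode())


def decrypt_capture(wire_lines, key=STANTINKO_KEY):
    # What an analyst does with a capture of this channel: try the known fixed
    # key on every base64 line and keep those that decode to JSON. A line that
    # does not decode under this key is reported rather than silently dropped.
    decoded = []
    for line in wire_lines:
        try:
            decoded.append(unseal(line, key))
        except (ValueError, UnicodeDecodeError):
            decoded.append({'undecodable': line.decode(errors='replace')})
    return decoded


# Constructed sample traffic, modelled on the job shown in the article.
SAMPLE_JOB = {
    'method': 'job',
    'params': {
        'blob': '0b0bbfdee1e505',
        'job_id': '281980000000000a10',
        'target': '67d81500',
        'height': 1815711,
    },
}

if __name__ == '__main__':
    wire = seal(SAMPLE_JOB)
    print('on the wire:', wire.decode())
    print('decrypted  :', decrypt_capture([wire, b'bm90IHJjNA==']))
```

Because the key is the same in every sample seen, a single fixed-key decryptor like this covers the whole family’s proxy traffic; the lack of any per-session key exchange is also why the channel offers the operators no real confidentiality against anyone holding a sample.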
Figure 2 reproduces a job sent by one of the proxies.\r\n{\"error\":null,\"result\":{\"status\":\"OK\"}}\r\n{\"method\":\"job\",\"params\":{\"blob\":\"0b0bbfdee1e50567042dcfdfe96018227f25672544521f8ee2564cf8b4c3139a6a88c5f0b32664000000a1c8ee5c185ed2661daab9d0c454fd40e9f53f0267fe391bdb4eb4690395deb36018\",\"job_id\":\"281980000000000a10\",\"target\":\"67d81500\",\"height\":1815711}}\r\nFigure 2. Example mining job received from a mining pool proxy\r\nWe analyzed the hashing algorithm used and found that it was CryptoNight R. Since there are multiple cryptocurrencies that use this algorithm, recognizing it alone isn’t sufficient; it just shortens the list. One can see in the provided job that the height of the blockchain was 1815711 at the time, so we had to find currencies using CryptoNight R with this height on dedicated block explorers, which led us to Monero. Dissecting the string 0b0bbfdee1e50567042dcfdfe96018227f25672544521f8ee2564cf8b4c3139a6a88c5f0b32664000000a1c8ee5c185ed2661daab9d0c454fd40e9f53f0267fe391bdb4eb4690395deb36018 reveals that the hash of the previous block (67042dcfdfe96018227f25672544521f8ee2564cf8b4c3139a6a88c5f0b32664) and the timestamp (1555590859) indeed fit into Monero’s blockchain at height 1815711. One can find the structure of the blob by examining its generator function in the source code of Monero. The generator function exposes another structure called a block header, which contains both the hash of the previous block and the timestamp.\r\nUnlike the rest of CoinMiner.Stantinko, the hashing algorithm isn’t obfuscated, since obfuscation would significantly impair the speed of hash calculation and hence overall performance and profitability. 
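To carry out the dissection above mechanically, the following added Python (our own, not ESET’s code) splits the hashing blob from Figure 2 into its fields according to the Monero block header serialisation: three varints (major version, minor version, timestamp), the 32-byte previous block hash, a 4-byte nonce, the 32-byte transaction tree root and a varint transaction count. The previous-block hash comes out exactly as quoted. The template timestamp decodes to 1555590975, 116 seconds after the value quoted in the text; each pool stamps its own block templates, so a job’s timestamp need not equal the one recorded on-chain for that height, and the height plus previous hash are the fields to compare against a block explorer.

```python
# Added example (not ESET's code): split a CryptoNote/Monero hashing blob, as
# found in the 'blob' field of a mining job, into its fields. Layout (from the
# Monero block header serialisation): major_version, minor_version and timestamp
# as LEB128-style varints, then the 32-byte previous block hash, a 4-byte nonce,
# the 32-byte transaction tree root and a varint transaction count.

def read_varint(buf, pos):
    # Little-endian base-128: low 7 bits per byte, high bit set means 'more'.
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError('truncated varint')
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7f) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos
        if shift > 63:
            raise ValueError('varint too long')


def parse_hashing_blob(blob_hex):
    buf = bytes.fromhex(blob_hex)
    pos = 0
    major, pos = read_varint(buf, pos)
    minor, pos = read_varint(buf, pos)
    timestamp, pos = read_varint(buf, pos)
    if len(buf) < pos + 32 + 4 + 32 + 1:
        raise ValueError('blob too short for header, nonce and tree root')
    prev_id = buf[pos:pos + 32].hex()
    pos += 32
    nonce = int.from_bytes(buf[pos:pos + 4], 'little')
    pos += 4
    tree_root = buf[pos:pos + 32].hex()
    pos += 32
    tx_count, pos = read_varint(buf, pos)
    if pos != len(buf):
        raise ValueError('%d trailing bytes after transaction count' % (len(buf) - pos))
    return {
        'major_version': major,
        'minor_version': minor,
        'timestamp': timestamp,
        'prev_id': prev_id,
        'nonce': nonce,
        'tree_root': tree_root,
        'tx_count': tx_count,
    }


# The job blob quoted in the article (Figure 2), split here at field boundaries.
ARTICLE_BLOB = (
    '0b0bbfdee1e505'                                                      # versions + timestamp varint
    '67042dcfdfe96018227f25672544521f8ee2564cf8b4c3139a6a88c5f0b32664'  # previous block hash
    '000000a1'                                                            # nonce
    'c8ee5c185ed2661daab9d0c454fd40e9f53f0267fe391bdb4eb4690395deb360'  # transaction tree root
    '18'                                                                  # transaction count
)

if __name__ == '__main__':
    for name, value in parse_hashing_blob(ARTICLE_BLOB).items():
        print('%-14s %s' % (name, value))
```

The parser refuses blobs with trailing or missing bytes, which is what distinguishes a Monero-shaped template from a job for a currency with a different header layout even when both use CryptoNight R.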
Even though it is not obfuscated, the authors made sure not to leave any meaningful strings or artifacts behind in the hashing code.\r\nSuspension of other cryptominers\r\nThe malware enumerates running processes searching for other cryptominers. If any competitors are found, Stantinko suspends all their threads.\r\nCoinMiner.Stantinko considers a process to be a cryptominer if its command line contains a particular string, or a combination of strings, which vary from sample to sample; for example:\r\nminerd\r\nminergate\r\nxmr\r\ncpservice\r\nvidservice and stratum+tcp://\r\nstratum://\r\n-u and pool\r\n\"-u and pool\r\n\"-u and xmr\r\n-u and xmr\r\n-u and mining\r\n\"-u and mining\r\n-encodedcommand and exe\r\n--donate-level\r\nwindows and -c and cfgi\r\nregsvr32 and /n and /s and /q\r\napplication data and exe\r\nappdata and exe\r\nThese strings refer to the following legitimate cryptominers: https://github.com/pooler/cpuminer, https://minergate.com/, https://github.com/xmrig, and even https://github.com/fireice-uk/xmr-stak – which, interestingly, is the very miner this Stantinko module is based on. 
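The rule list above can be reused by defenders to hunt for miners in process telemetry. The following added Python (our own, not ESET’s code and not the malware’s matching routine) evaluates the rules as transcribed: ‘and’ joins substrings that must all appear in the command line, and entries starting with a double quote match a quoted argument. Case-insensitive matching is an assumption; the process listing is constructed, with made-up paths and wallet strings.

```python
# Added example (not ESET's code): a matcher for the command-line rules the
# article lists, as a defender would reuse them to hunt for miners in process
# telemetry. Each rule is a set of substrings that must ALL appear in the
# command line; 'and' is the conjunction used in the article's list. Matching is
# case-insensitive, which is an assumption about the malware's own comparison.

# Rules transcribed from the article. Entries beginning with a double quote
# match a quoted argument, e.g. the \"-u in a line like  miner.exe \"-u\" wallet.
RAW_RULES = [
    'minerd',
    'minergate',
    'xmr',
    'cpservice',
    'vidservice and stratum+tcp://',
    'stratum://',
    '-u and pool',
    '\"-u and pool',
    '\"-u and xmr',
    '-u and xmr',
    '-u and mining',
    '\"-u and mining',
    '-encodedcommand and exe',
    '--donate-level',
    'windows and -c and cfgi',
    'regsvr32 and /n and /s and /q',
    'application data and exe',
    'appdata and exe',
]


def compile_rules(raw_rules):
    # Split each rule on the literal ' and ' into the substrings it requires.
    return [tuple(part.strip().lower() for part in rule.split(' and ')) for rule in raw_rules]


RULES = compile_rules(RAW_RULES)


def matching_rules(command_line, rules=RULES):
    # Return every rule fully satisfied by this command line.
    haystack = command_line.lower()
    return [rule for rule in rules if all(needle in haystack for needle in rule)]


def is_miner(command_line, rules=RULES):
    return bool(matching_rules(command_line, rules))


def triage(process_listing, rules=RULES):
    # process_listing: iterable of (pid, command_line) tuples, e.g. from EDR telemetry.
    # Returns the pids the malware (or a hunter reusing its rules) would act on.
    return [pid for pid, cmd in process_listing if is_miner(cmd, rules)]


# Constructed process listing; the paths and wallet string are made up.
SAMPLE_PROCESSES = [
    (1201, 'C:/Users/bob/Downloads/xmrig.exe -o stratum+tcp://pool.example:3333 -u 44AAA...wallet'),
    (1330, 'C:/Windows/System32/notepad.exe C:/Users/bob/notes.txt'),
    (1402, 'powershell.exe -nop -w hidden -encodedcommand SQBFAFgA'),
    (1577, 'svchost.exe -k netsvcs'),
    (1688, 'C:/Users/bob/AppData/Roaming/svc/updater.exe --config cfg.json'),
]

if __name__ == '__main__':
    for pid, cmd in SAMPLE_PROCESSES:
        hits = matching_rules(cmd)
        print(pid, 'MINER' if hits else 'ok', [' and '.join(r) for r in hits])
```

Running it over the sample listing shows how coarse the operators’ rules are: an encoded PowerShell command and any executable under AppData are suspended as if they were competing miners, which is worth knowing both when interpreting odd process suspensions on an infected host and when deciding which of these rules are precise enough to alert on.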
These strings also match various run-of-the-mill malware samples that contain cryptomining functionality.\r\nOf interest is that the Stantinko operators are known to have tried to get rid of competing code in the past. However, they relied on the legitimate AVZ Antiviral Toolkit fed with a script written in its built-in scripting language for this task.\r\nDetection prevention\r\nCoinMiner.Stantinko temporarily suspends mining if it detects there's no power supply connected to the machine. This measure, evidently aimed at portable computers, prevents fast battery draining, which might raise the user’s suspicion.\r\nAlso, it temporarily suspends mining if a task manager application (a process named procexp64.exe, procexp.exe or taskmgr.exe) is detected running.\r\nThe malware also scans running processes to find security software and, again, task managers. It calculates the CRC-32 of the process’s name and then checks it against a hardcoded list of CRC-32 checksums, which is included in the Appendix. In general this technique helps evade detection, since the process names of those security products are not included in the binary, adding a bit more stealth. It also makes it harder for analysts to find out what the malware authors are after, because one has to crack these hashes, which is technically the same problem as password cracking. However, a list of known process names is usually sufficient to determine the exact names.\r\nShould a CRC-32 match be found, the CRC is written to a log file (api-ms-win-crt-io-l1-1-0.dll). 
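Both sides of the hashed-process-name check, as an added example (our own Python, not ESET’s code and not the malware’s routine): the malware’s lookup of a running process name against its list, and the analyst’s recovery of the names by hashing a wordlist. It assumes standard CRC-32 (the polynomial Python’s zlib.crc32 implements) over the lowercased, ASCII-encoded name, and also tries upper-case, unmodified and UTF-16LE variants, since case and encoding are the usual reasons a straightforward hash of a known name fails to match. Whether the constants in the Appendix were produced with exactly those parameters is not verified here; hashes that no candidate matches are reported explicitly so that a different variant shows up rather than being silently missed.

```python
# Added example (not ESET's code): reproduce the process-name check the article
# describes and the analyst's counter-move. The malware hashes each running
# process name with CRC-32 and compares it with a hardcoded list; an analyst
# hashes a wordlist of known security-product and task-manager process names and
# looks for collisions with that list. Assumptions: standard CRC-32 (the zlib/
# IEEE polynomial, as Python's zlib.crc32 computes it), the name lowercased and
# encoded as ASCII. Whether the article's constants were produced with exactly
# these parameters is not verified here; the cracker reports unmatched hashes so
# that a different variant shows up as 'no candidate found' rather than silently.
import zlib

# Constants transcribed from the article's appendix (a subset).
ARTICLE_CRC_LIST = {
    0x822C2BA2: 'taskmgr.exe',
    0x998B5896: 'procexp.exe',
    0xF3EEEFA8: 'procexp64.exe',
    0x69DD7DB4: 'ekrn.exe',
    0xFF934F08: 'avp.exe',
    0x648E8307: 'avastsvc.exe',
}


def crc32_name(name, normalise=str.lower, encoding='ascii'):
    # One hashing variant. The defaults are the assumption stated above.
    return zlib.crc32(normalise(name).encode(encoding)) & 0xffffffff


# Variants worth trying when the obvious one does not match: case and encoding
# are the usual culprits (Windows process names are often handled as UTF-16LE).
VARIANTS = {
    'lower/ascii': lambda n: crc32_name(n, str.lower, 'ascii'),
    'upper/ascii': lambda n: crc32_name(n, str.upper, 'ascii'),
    'asis/ascii': lambda n: crc32_name(n, str, 'ascii'),
    'lower/utf-16le': lambda n: crc32_name(n, str.lower, 'utf-16le'),
}


def is_watched(process_name, hash_list, hasher=VARIANTS['lower/ascii']):
    # The malware's side: is this running process on the hardcoded list?
    return hasher(process_name) in hash_list


def crack(hash_list, wordlist, variants=VARIANTS):
    # The analyst's side: hash every candidate under every variant and collect
    # collisions. Returns {crc: (variant, name)} for hits and a list of misses.
    hits = {}
    for name in wordlist:
        for label, hasher in variants.items():
            h = hasher(name)
            if h in hash_list and h not in hits:
                hits[h] = (label, name)
    misses = sorted(h for h in hash_list if h not in hits)
    return hits, misses


if __name__ == '__main__':
    wordlist = ['taskmgr.exe', 'procexp.exe', 'ekrn.exe', 'explorer.exe', 'avp.exe']
    hits, misses = crack(set(ARTICLE_CRC_LIST), wordlist)
    for crc, (label, name) in sorted(hits.items()):
        print('0x%08X -> %s (%s)' % (crc, name, label))
    for crc in misses:
        print('0x%08X -> no candidate found' % crc)
```

A CRC-32 is a 32-bit checksum, not a cryptographic hash, so beyond wordlist matching it is also feasible to enumerate short names exhaustively; in practice the wordlist of known security-product process names is enough, which is the point the article makes.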
The log file api-ms-win-crt-io-l1-1-0.dll is presumably exfiltrated later by some Stantinko component that we have not seen, since there’s no other functionality related to it in this module.\r\nObfuscation\r\nBesides its cryptomining features, CoinMiner.Stantinko is notable also for its obfuscation techniques aimed at avoiding detection and thwarting analysis. Some of those techniques are unique and we will describe them in detail in a follow-up article.\r\nConclusion\r\nOur discovery shows that the criminals behind Stantinko continue to expand the ways they leverage the botnet they control. Their previous innovations were distributed dictionary-based attacks on Joomla and WordPress websites aimed at harvesting server credentials, probably with the goal of selling them to other criminals.\r\nThis remotely configured cryptomining module, distributed since at least August 2018 and still active at the time of writing, shows that this group continues to innovate and extend its money-making capabilities. 
Besides its standard cryptomining functionality, the module employs some interesting obfuscation techniques that we will disclose, along with some possible countermeasures, in an upcoming article.\r\nIndicators of Compromise (IoCs)\r\nESET detection names\r\nWin32/CoinMiner.Stantinko\r\nWin64/CoinMiner.Stantinko\r\nSHA-1\r\nA full list of more than 1,000 hashes is available from our GitHub repository.\r\n00F0AED42011C9DB7807383868AF82EF5454FDD8\r\n01504C2CE8180D3F136DC3C8D6DDDDBD2662A4BF\r\n0177DDD5C60E9A808DB4626AB3161794E08DEF74\r\n01A53BAC150E5727F12E96BE5AAB782CDEF36713\r\n01BFAD430CFA034B039AC9ACC98098EB53A1A703\r\n01FE45376349628ED402D8D74868E463F9047C30\r\nFilenames\r\napi-ms-win-crt-io-l1-1-0.dll\r\nlibcr64.dll\r\nC:\\Windows\\TEMP\\%RANDOM%\\%RANDOM_GUID%.dll\r\nMutex name and RC4 key\r\n“3,141592653589793238462643”\r\nYouTube URLs with mining proxy configuration data\r\nhttps://www.youtube[.]com/watch?v=kS1jXg99WiM\r\nhttps://www.youtube[.]com/watch?v=70g4kw2iRGo\r\nhttps://www.youtube[.]com/watch?v=cAW1xEpyr7Y\r\nhttps://www.youtube[.]com/watch?v=6SSKQdE5Vjo\r\nhttps://www.youtube[.]com/watch?v=fACKZewW22M\r\nhttps://www.youtube[.]com/watch?v=FDQOa5zCv3s\r\nhttps://www.youtube[.]com/watch?v=TpyOURRvFmE\r\nhttps://www.youtube[.]com/watch?v=2fpiR4NIpsU\r\nhttps://www.youtube[.]com/watch?v=TwnD0Kp_Ohc\r\nhttps://www.youtube[.]com/watch?v=wJsbj8zPPNs\r\nIP addresses of mining proxies\r\n• 3.16.150[.]123\r\n• 3.16.152[.]201\r\n• 3.16.152[.]64\r\n• 3.16.167[.]92\r\n• 3.16.30[.]155\r\n• 3.16.31[.]23\r\n• 3.17.167[.]43\r\n• 3.17.23[.]144\r\n• 3.17.25[.]11\r\n• 3.17.59[.]6\r\n• 3.17.61[.]161\r\n• 3.18.108[.]152\r\n• 3.18.223[.]195\r\n• 13.58.182[.]92\r\n• 13.58.22[.]81\r\n• 13.58.77[.]225\r\n• 13.59.31[.]61\r\n• 
18.188.122[.]218\r\n• 18.188.126[.]190\r\n• 18.188.249[.]210\r\n• 18.188.47[.]132\r\n• 18.188.93[.]252\r\n• 18.191.104[.]117\r\n• 18.191.173[.]48\r\n• 18.191.216[.]242\r\n• 18.191.230[.]253\r\n• 18.191.241[.]159\r\n• 18.191.47[.]76\r\n• 18.216.127[.]143\r\n• 18.216.37[.]78\r\n• 18.216.55[.]205\r\n• 18.216.71[.]102\r\n• 18.217.146[.]44\r\n• 18.217.177[.]214\r\n• 18.218.20[.]166\r\n• 18.220.29[.]72\r\n• 18.221.25[.]98\r\n• 18.221.46[.]136\r\n• 18.222.10[.]104\r\n• 18.222.187[.]174\r\n• 18.222.198[.]38\r\n• 18.222.213[.]203\r\n• 18.222.253[.]209\r\n• 18.222.56[.]98\r\n• 18.223.111[.]224\r\n• 18.223.112[.]155\r\n• 18.223.131[.]52\r\n• 18.223.136[.]87\r\n• 18.225.31[.]210\r\n• 18.225.32[.]44\r\n• 18.225.7[.]128\r\n• 18.225.8[.]249\r\n• 52.14.103[.]72\r\n• 52.14.221[.]47\r\n• 52.15.184[.]25\r\n• 52.15.222[.]174\r\nMITRE ATT\u0026CK techniques\r\nTactic | ID | Name | Description\r\nExecution | T1085 | Rundll32 | The module can be executed by rundll32.exe.\r\nExecution | T1035 | Service Execution | The malware can be executed as a service.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | The module deobfuscates strings in its code during the execution process.\r\nDefense Evasion | T1027 | Obfuscated Files or Information | The module obfuscates its code and strings in an apparent attempt to make analysis and detection difficult.\r\nDefense Evasion | T1102 | Web Service | The malware acquires configuration data from the description of YouTube videos.\r\nDiscovery | T1063 | Security Software Discovery | The malware acquires a list of running security products.\r\nCommand and Control | T1090 | Connection Proxy | The module uses proxies between itself and the mining pool.\r\nCommand and Control | T1008 | Fallback Channels | The module connects to another mining proxy if the initial one is inaccessible.\r\nCommand and Control | T1095 | Standard Non-Application Layer Protocol | The malware uses TCP for its communications.\r\nCommand and Control | T1043 | Commonly Used Port | The malware communicates over port 443.\r\nCommand and Control | T1132 | Data Encoding | The module encrypts then base64 encodes some network traffic.\r\nCommand and Control | T1032 | Standard Cryptographic Protocol | The module encrypts traffic with RC4.\r\nCommand and Control | T1071 | Standard Application Layer Protocol | Acquires configuration data from the description of YouTube videos via HTTPS.\r\nImpact | T1496 | Resource Hijacking | The module mines cryptocurrency.\r\nAppendix\r\nCRC-32 checksums checked by CoinMiner.Stantinko and the filenames they equate to are listed below.\r\n0xB18362C7 afwserv.exe\r\n0x05838A63 ashdisp.exe\r\n0x36C5019C ashwebsv.exe\r\n0xB3C17664 aswidsagent.exe\r\n0x648E8307 avastsvc.exe\r\n0x281AC78F avastui.exe\r\n0xAA0D8BF4 avgcsrva.exe\r\n0x71B621D6 avgcsrvx.exe\r\n0x7D6D668A avgfws.exe\r\n0x1EF12475 avgidsagent.exe\r\n0x010B6C80 avgmfapx.exe\r\n0x6E691216 avgnsa.exe\r\n0xB5D2B834 avgnsx.exe\r\n0x36602D00 avgnt.exe\r\n0x222EBF57 avgrsa.exe\r\n0xF9951575 avgrsx.exe\r\n0x2377F90C avgsvc.exe\r\n0x37FAB74F avgsvca.exe\r\n0xEC411D6D avgsvcx.exe\r\n0x0BED9FA2 avgtray.exe\r\n0x168022D0 avguard.exe\r\n0x99BA6EAA avgui.exe\r\n0x7A77BA28 avguix.exe\r\n0x0D22F74A avgwdsvc.exe\r\n0x98313E09 avira.servicehost.exe\r\n0x507E7C15 avira.systray.exe\r\n0xFF934F08 avp.exe\r\n0x9AC5F806 avpui.exe\r\n0xBD07F203 avshadow.exe\r\n0x64FDC22A avwebg7.exe\r\n0x0BC69161 avwebgrd.exe\r\n0xBACF2EAC cureit.exe\r\n0x8FDEA9A9 drwagntd.exe\r\n0xE1856E76 drwagnui.exe\r\n0xF9BF908E drwcsd.exe\r\n0xC84AB1DA drwebcom.exe\r\n0x183AA5AC drwebupw.exe\r\n0xAC255C5E drwupsrv.exe\r\n0x23B9BE14 dwantispam.exe\r\n0xDAC9F2B7 dwarkdaemon.exe\r\n0x7400E3CB dwengine.exe\r\n0x73982213 dwnetfilter.exe\r\n0x1C6830BC dwscanner.exe\r\n0x86D81873 dwservice.exe\r\n0xB1D6E120 dwwatcher.exe\r\n0xD56C1E6F egui.exe\r\n0x69DD7DB4 ekrn.exe\r\n0xFB1C0526 guardgui.exe\r\n0x5BC1D859 ipmgui.exe\r\n0x07711AAE ksde.exe\r\n0x479CB9C4 ksdeui.exe\r\n0x6B026A91 nod32cc.exe\r\n0xCFFC2DBB nod32krn.exe\r\n0x59B8DF4D nod32kui.exe\r\n0x998B5896 procexp.exe\r\n0xF3EEEFA8 procexp64.exe\r\n0x81C16803 sched.exe\r\n0x31F6B864 spideragent.exe\r\n0x822C2BA2 taskmgr.exe\r\n0x092E6ADA updrgui.exe\r\n0x09375DFF wsctool.exe\r\nSource: https://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/"
	],
	"report_names": [
		"stantinko-botnet-adds-cryptomining-criminal-activities"
	],
	"threat_actors": [],
	"ts_created_at": 1775791257,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b02afb51955357617d211eb32e2cfd48456d554f.pdf",
		"text": "https://archive.orkl.eu/b02afb51955357617d211eb32e2cfd48456d554f.txt",
		"img": "https://archive.orkl.eu/b02afb51955357617d211eb32e2cfd48456d554f.jpg"
	}
}