{
	"id": "7582301c-6f98-4d0e-b34e-6ae0de06ddcf",
	"created_at": "2026-04-06T00:13:17.603984Z",
	"updated_at": "2026-04-10T13:12:29.32887Z",
	"deleted_at": null,
	"sha1_hash": "cb1f0d36adb7383dae1d25359fb572e5f6005761",
	"title": "Cryptomining Malware Appears Across the Web | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1081671,
	"plain_text": "Cryptomining Malware Appears Across the Web | Proofpoint US\r\nBy Proofpoint Staff, November 29, 2017\r\nPublished: 2017-11-29 · Archived: 2026-04-05 15:09:05 UTC\r\nBackground\r\nAlthough the first Bitcoin was mined in 2009, the value of the “cryptocurrency” and new alternatives like Litecoin\r\nand Monero have risen dramatically in recent months. Once primarily the domain of cybercriminals and\r\nunderground operators attracted by anonymous transactions, Bitcoin in particular has become big business, with\r\neven the Chicago Mercantile Exchange recently announcing it would begin trading in Bitcoin futures. While still\r\nvolatile, Bitcoin values alone have risen by 860% since the beginning of 2017 (Figure 1)[1], while Monero prices\r\nare up over 1200% (Figure 2). Predictably, threat actors are following the money and finding ways to target these\r\nnew currencies and their users.\r\nFigure 1: Bitcoin price trend, 2017 YTD, courtesy of cryptocurrencychart.com\r\nhttps://www.proofpoint.com/us/threat-insight/post/dialing-dollars-coinminers-appearing-malware-components-standalone-threats\r\nPage 1 of 8\n\nFigure 2: Ethereum, Litecoin, and Monero price trends, 2017 YTD, courtesy of cryptocurrencychart.com\r\nCryptocurrencies are created through a process called mining. At the simplest level, mining involves solving math\r\nproblems of increasing complexity to unlock new units of currency. The increasing complexity creates scarcity, as\r\ndo preset caps on the number of units that can ultimately be mined. This complexity has made it nearly impossible\r\nto mine Bitcoins outside of supercomputing environments, but alternatives like Litecoin and Monero can still be\r\neffectively mined with desktop CPU resources. 
Miners invest CPU cycles and energy for the potential rewards:\r\nfree currency units.\r\nMonero is one of the few valuable cryptocurrencies that can be mined with CPU power, making it the\r\ncryptocurrency of choice for many legitimate miners and for crypto mining malware alike. Cryptocurrencies traditionally are\r\nmined with CPU power first, then GPU power once developers learn to increase mining speed with GPU-driven\r\ncalculations. Once cryptocurrencies can only be mined efficiently with GPUs or, for even more compute-intensive\r\nmining, field programmable gate arrays (FPGAs) -- specialized hardware and chips purpose-built for a single\r\nfunction -- they are no longer reasonable candidates for mining with coinmining bots or browser-hijacking scripts.\r\nAt this point, cybercriminals will likely move on to other currencies. For now, Monero uses the CryptoNight\r\nalgorithm, which currently appears to be fastest on a CPU, but regardless of the cryptocurrency mined there is\r\noften a significant investment in hardware and energy.\r\nCriminals are turning to cryptocurrency mining malware, or coinminers, to short-circuit this investment, instead\r\nstealing energy and CPU cycles from their victims and using them to mine. At the same time, legitimate and\r\ncriminal enterprises alike are exploring browser-hijacking software to mine cryptocurrencies while web surfers\r\nvisit their websites or sites they have compromised for this purpose.\r\nWhile mining can potentially provide those willing to invest the time and resources -- or to exploit victims with\r\ncrypto mining malware -- with free cryptocurrency, most users simply buy and exchange cryptocurrencies. Some\r\nare looking to cash in on the rapidly rising prices, investing in the new currencies, storing them in wallets and\r\nutilizing specialized exchanges. 
Many economists are pointing to a likely bubble, particularly in Bitcoin values,\r\nbut interest remains quite high among businesses and consumers.\r\nBoth cryptocurrency wallets and exchanges have been targeted by cybercriminals with phishing schemes and\r\nbackdoored software. Even the relatively new category known as initial coin offerings (ICOs) has been targeted.\r\nICOs have become an increasingly popular means for businesses to generate funds and rally investors, offering\r\ninvestors cryptocurrency units or tokens in exchange for potential future value. This increases the number of\r\ncryptocurrencies in circulation and potentially short-circuits regulatory requirements around securities offerings.\r\nThough not necessarily illegitimate in and of themselves, ICOs have been the targets of phishing attacks, Ponzi\r\nschemes, and other types of fraud. In spite of these concerns, ICOs raised $2.2 billion through September 2017 for\r\ncompanies turning to them for financing.\r\nAll of this has increased the attack surface, opportunities, and incentives for threat actors to move quickly to\r\ncapitalize on widespread interest and rising prices.\r\nFollowing the money\r\nAll of these elements point to a larger trend: as threat actors look for ways to directly monetize malware and\r\ninfected machines, evidence that coinminers are more than just the latest security fad continues to mount. While\r\nmany people first learned about Bitcoin as the payment method to decrypt computers infected with ransomware,\r\nthreat actors are once again following the money and cashing in on their newfound popularity. 
They are running\r\nphishing schemes, deploying crypto mining malware, deploying browser-based miners, and creating\r\nfraudulent wallets and other related software to victimize users.\r\nProofpoint research suggests that the number of new malware strains related to cryptocurrency, whether designed\r\nfor direct theft of wallet credentials or using system resource abuse to mine for such currency, now exceeds the\r\nnumber of one-off, “script kiddie” ransomware strains that had been appearing on a daily basis in 2016 and early\r\n2017. This appears to be a major trend among threat actors and we expect it to continue as: 1) cryptocurrencies\r\nincrease in value; and 2) popular Bitcoin alternatives like Litecoin and Monero remain mineable with desktop PC\r\nresources.\r\nDedicated crypto mining malware\r\nAs noted above, malware designed specifically to mine cryptocurrencies is now appearing more frequently than\r\nnew ransomware variants. While many of these are more amateur in nature or their developers lack the\r\ninfrastructure for large-scale distribution, we have already observed coinminers in a number of very large\r\ncampaigns. In May, we identified the Adylkuzz Monero miner being spread in massive network-based attacks. In\r\nother campaigns, we have seen established actors traditionally focused on banking Trojans begin to distribute\r\ncoinminers, either as a rotating or secondary payload or as a new primary payload.\r\nOne such recent campaign involved an actor we track as TA516. This actor typically distributes instances of the\r\nSmokeLoader intermediate downloader, which, in turn, downloads additional malware of the actor’s choice --\r\noften banking Trojans. Figure 3 shows a lure document from a November campaign in which TA516 distributed\r\nfake resumes with malicious macros that, if enabled, launch a PowerShell script that downloads SmokeLoader. In\r\nthis instance, we observed SmokeLoader downloading a Monero coinminer. 
Since the middle of 2017, TA516 has\r\nused similar macro-laden documents as well as malicious JavaScript hosted on Google Drive to distribute both\r\nPanda Banker and a coinminer executable via SmokeLoader, often in the same campaigns.\r\nFigure 3: Fake resume lure document distributed in email by TA516\r\nDedicated coinminers offer threat actors certain advantages: continuous mining while machines are on,\r\npersistence mechanisms, the ability to distribute the malware to large numbers of potential victims through\r\nemail and web-based campaigns, and available strains for both mobile and desktop computing platforms, all of which\r\nmake coinminers attractive to financially motivated actors. However, their impact on performance can make them\r\nreadily detectable by end users, and many desktop and gateway security products can detect and mitigate the\r\nbinaries. For smaller actors, distributing at sufficient scale to mine effectively can also be problematic.\r\nCoinmining modules\r\nOne way threat actors are addressing the distribution issue is to incorporate coinmining modules in existing\r\nmalware. In particular, we have observed mainstream malware like The Trick banking Trojan add coinmining\r\ncapabilities. While we initially observed coinmining in The Trick campaigns from less prominent actors, The\r\nTrick’s affiliate model means that we will likely be seeing this at scale from actors like TA505 soon.\r\nAbaddonPOS, a popular point-of-sale malware, has recently incorporated the ability to steal cryptocurrency wallet\r\ncredentials as well. 
SmokeLoader, in addition to being used to download standalone coinminers, is available on\r\nunderground markets with a built-in coinminer module for an additional fee.\r\nBrowser-based mining\r\nThe Pirate Bay made headlines recently for attempting to pay for its operations by mining coins through users’\r\nbrowsers with Coinhive. Coinhive is a JavaScript application that can be placed on websites, using visitors’ CPUs\r\nwhile they are on a particular page. Some sites are exploring this as an alternative to ads and paywalls, but many\r\ndo not allow surfers to opt out. The Ultimate Fighting Championship recently implemented Coinhive on their pay-per-view streaming site, but faced a backlash for not informing users [16].\r\nIn other cases, Coinhive and other scripts like it are placed on compromised websites without the owners’\r\nknowledge. The practice appears to be driving increases in pirated content on illegal streaming sites -- sticky sites\r\nwhere users spend a long time on a single page watching videos while unknowingly having CPU cycles hijacked\r\nto mine cryptocurrency.\r\nPhishing and theft\r\nCryptocurrencies are generally stored in digital wallets while exchanges are used to trade cryptocurrencies for\r\ncommon currencies. Simply relying on the human factor and engaging in the types of phishing and direct theft\r\nwith which traditional banking customers have contended for years means that phishing actors can use established\r\npractices and social engineering in the new arena of cryptocurrency.\r\nWe have previously documented increasingly sophisticated phishing schemes targeting cryptocurrency exchanges\r\nand online wallets [5] as well as backdoored wallet software [6]. 
Figure 4 shows a phishing template used to steal\r\ncredentials for blockchain.com, the largest provider of Bitcoin wallets in the world.\r\nFigure 4: Blockchain email lure with stolen branding from May 2017\r\nFigure 5 shows the download screen from a fraudulent domain distributing a backdoored version of wallet\r\nsoftware for Litecoin cryptocurrency. The fake site uses stolen branding and the lookalike domain itecoin[.]com.\r\nFigure 5: Backdoored Litecoin wallet downloaded from imposter site itecoin[.]org\r\nConclusion\r\nRising cryptocurrency values, increasingly mainstream use cases, and readily available malicious and browser-based tools for mining new cryptocurrencies are fueling an explosion in coinminer distribution. While we are\r\nseeing a gradual decline in the new one-off, proof-of-concept, and “script kiddie” variants of ransomware,\r\ncoinminers appear to be drawing amateur and seasoned threat actors alike.\r\nTaken in the context of massive coinminer campaigns such as the one we observed with Adylkuzz, paywall trends, etc., it is\r\nclear that both threat actors and legitimate web sites are incorporating this technology quickly before mining\r\nbecomes prohibitively CPU-intensive, as it is with Bitcoin. It appears to be an easy, modular add-on for a variety\r\nof malware and a source of residual -- if not primary -- income for threat actors.\r\nAs a result, consumers and organizations are at risk for a threat that is much more subtle than ransomware, often\r\nrunning undetected until PC performance is dramatically impacted by this new family of malware. 
These threats\r\nare coming via malicious spam campaigns, browser-based scripts, and more, necessitating the continued use of\r\nintelligent email gateways, endpoint antivirus, and intrusion detection systems that can block associated traffic.\r\n*************\r\nReferences\r\n[1] https://www.cnbc.com/2017/11/01/bitcoin-price-hits-6500-to-new-record-high-after-cme-futures-plan.html\r\n[2] https://www.economist.com/blogs/buttonwood/2017/11/greater-fool-theory-0\r\n[3] https://www.bleepingcomputer.com/news/security/underground-hacking-forum-admins-having-second-thoughts-about-selling-ransomware/\r\n[4] https://www.bleepingcomputer.com/news/security/copy-pasting-malware-dev-made-63-000-from-mining-monero-on-iis-servers/\r\n[5] https://www.proofpoint.com/us/threat-insight/post/follow-money-phishing-schemes-go-after-cryptocurrency\r\n[6] https://www.proofpoint.com/us/threat-insight/post/backdoored-litecoin-wallet-spread-typosquatted-domains\r\n[7] https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar\r\n[8] https://community.rsa.com/community/products/netwitness/blog/2017/07/20/an-introduction-to-cryptocurrency\r\n[9] https://www.theguardian.com/technology/2017/sep/13/from-silk-road-to-atms-the-history-of-bitcoin\r\n[10] https://www.theregister.co.uk/2017/11/07/ufc_coin_hive/\r\n[11] https://www.reuters.com/article/us-sec-ico/wall-street-regulator-warns-celebrities-individuals-touting-digital-coins-idUSKBN1D1652\r\n[12] http://money.cnn.com/2017/11/27/investing/bitcoin-price-new-high/\r\n[13] https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/\r\n[14] https://seekingalpha.com/article/4127707-just-sold-half-bitcoin\r\n[15] 
https://motherboard.vice.com/en_us/article/ne7nvm/is-the-pirate-bays-in-browser-cryptocurrency-mining-better-than-its-crappy-ads\r\n[16] https://www.theregister.co.uk/2017/11/07/ufc_coin_hive/\r\nSource: https://www.proofpoint.com/us/threat-insight/post/dialing-dollars-coinminers-appearing-malware-components-standalone-threats",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/dialing-dollars-coinminers-appearing-malware-components-standalone-threats"
	],
	"report_names": [
		"dialing-dollars-coinminers-appearing-malware-components-standalone-threats"
	],
	"threat_actors": [
		{
			"id": "9b34a837-9f3f-4451-b8bf-adf424655df5",
			"created_at": "2023-01-06T13:46:39.310096Z",
			"updated_at": "2026-04-10T02:00:03.283332Z",
			"deleted_at": null,
			"main_name": "TA516",
			"aliases": [],
			"source_name": "MISPGALAXY:TA516",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aeda543e-ce27-41a9-9719-d6e2941b7dbf",
			"created_at": "2022-10-25T16:07:24.57632Z",
			"updated_at": "2026-04-10T02:00:05.038892Z",
			"deleted_at": null,
			"main_name": "TA516",
			"aliases": [
				"SmokingDro"
			],
			"source_name": "ETDA:TA516",
			"tools": [
				"AZORult",
				"AndroKINS",
				"Chthonic",
				"Dofoil",
				"PandaBanker",
				"PuffStealer",
				"Rultazo",
				"Sharik",
				"Smoke Loader",
				"SmokeLoader",
				"Zeus Panda",
				"ZeusPanda"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434397,
	"ts_updated_at": 1775826749,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cb1f0d36adb7383dae1d25359fb572e5f6005761.pdf",
		"text": "https://archive.orkl.eu/cb1f0d36adb7383dae1d25359fb572e5f6005761.txt",
		"img": "https://archive.orkl.eu/cb1f0d36adb7383dae1d25359fb572e5f6005761.jpg"
	}
}