{
	"id": "684ce845-0349-4819-8843-a9553a4f1408",
	"created_at": "2026-04-06T00:14:50.485453Z",
	"updated_at": "2026-04-10T03:21:46.02264Z",
	"deleted_at": null,
	"sha1_hash": "d8883a937f5b0dcac012382bce6938016b63490d",
	"title": "XMRig Miner Malware Analysis 2026: Understanding Threats",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 352620,
	"plain_text": "XMRig Miner Malware Analysis 2026: Understanding Threats\r\nBy Gridinsoft LLC\r\nArchived: 2026-04-05 16:57:00 UTC\r\nXMRig Miner Malware\r\nEverything is poison, and everything is medicine. An XMR mining tool that was originally designed to make mining more convenient and easy to deploy became a favourite tool of cybercriminals chasing crypto profits. It is now known as XMRig, a tremendously widespread miner trojan.\r\nThe XMRig trojan is miner malware: it parasitizes its victim’s hardware to mine cryptocurrencies, particularly Monero (XMR). Being based on a legitimate open-source crypto mining application, it employs anti-analysis and detection evasion techniques that can render legacy anti-malware software significantly less effective. Nonetheless, the visible effect of XMRig activity, an overloaded processor, is hard to confuse with that of any other malware. As it targets any kind of system, the unfortunate opportunity to witness your computer being rendered nearly useless can occur both at work and at home.\r\nAnother notable detail of XMRig is the wide variety of delivery methods it exploits, and its association with numerous other malware types, including ransomware and spyware. Such associations have influenced the malware in a way that some of its samples can perform spyware-like actions, which is particularly concerning given its long-term activity. Since the basis for this miner is an open-source tool, XMRig likely has the largest number of variants: other malicious miners that feature some alterations in their codebase.\r\nWhy Do Hackers Choose Monero?\r\nCryptocurrencies based on the Proof-of-Work (PoW) protocol utilize computational power to validate transaction hashes. Each successful validation rewards the operator with a commission fee. 
Monero is among these currencies and is engineered for a simplified hash calculation, significantly quicker than those of Bitcoin or Ethereum.\r\nhttps://gridinsoft.com/xmrig\r\nPage 1 of 6\n\nThis efficiency drastically shortens transaction times and enables mining on low-power systems while still maintaining sufficient efficiency to earn commissions. Consequently, this provides an ideal scenario for cybercriminals: to create a botnet that utilizes its CPU power (instead of traditional GPU-based mining farms) for mining cryptocurrencies, resulting in a steadily growing wallet.\r\nThe darknet infrastructure has fostered another layer of convenience for illicit activities, enabling criminals to obscure their ill-gotten gains. Cryptomixers conduct transactions not in the traditional wallet-to-wallet manner but by breaking down the amount into dozens of smaller parts and funneling it through a series of unrelated wallets, making the crypto transfer hard to trace. XMR is particularly suited for this purpose, as its rapid transactions facilitate the completion of transfers within just a few hours. Other cryptocurrencies might require days to accomplish a similar level of obfuscation.\r\nHow Does XMRig Spread?\r\nXMRig miner is operated by numerous cybercriminal groups, each employing their own method to disseminate this malware. As such, there is no single, unified approach to its distribution, making it an even more formidable threat. To counteract this, one must consider virtually every possible method, a task that can be overwhelming. Fortunately, certain techniques, typically associated with the most active criminal groups utilizing XMRig, are encountered more frequently than others.\r\nDropper malware is utilized in attacks against networks of computers that were already compromised. It proves especially effective for infiltrating corporate networks, which tend to have stronger security measures. 
Botnets driven by droppers (or backdoors with dropper capabilities) are also common in single-user systems. In specific instances, XMRig has been delivered alongside other malware, such as ransomware and spyware, making it a preferred method for spreading infections to these systems.\r\nCracked and untrustworthy software serves as a façade for a broad spectrum of malware, with XMRig being one example. Software becomes malicious after being cracked, that is, once its license verification has been bypassed. Those who crack software often aim for monetization, and deploying malware is one of the ways to achieve this. Moreover, using cracked software is illegal, leaving individuals open not only to malware risks but also to legal repercussions for copyright infringement.\r\nUntrustworthy software is explicitly designed to carry a malicious payload. Browser plugins, driver updaters, and system cleaning tools can all harbor questionable intent. While not all software in these categories is malicious, those offered as part of a bundle, or through an unexpected ad, are usually suspect. They might perform their advertised functions but conduct malicious activities in the background, akin to a browser plugin harboring a miner.\r\nEmail spam is a widely recognized method for malware dissemination on a broader scale. XMRig is not exempt, with some variants spread via this method. 
A noteworthy aspect of such campaigns is the employment of the old double-extension trick, which exploits the default setting in Windows File Explorer that hides known file extensions. A file named important-document.docx.exe appears as important-document.docx on such systems, leading unsuspecting victims to execute what they believe to be a legitimate document.\r\nXMRig Malware Analysis\r\nSimilar to their distribution methods, the XMRig samples are extensively modified by various cybercrime groups to suit their specific needs. Therefore, we've chosen to focus on some of the common features found in most XMRig samples circulating in the wild. In general, malicious miners share several tricks that are prevalent across this type of malware.\r\nScheme of the XMRig infection chain\r\nUpon reaching the target computer, the malware begins by decrypting itself and establishing persistence. The decryption process is standard: the unpacker uses a hardcoded key to remove the RC4 encryption layer. It then allocates memory through the VirtualAlloc function, copies the decrypted data into this memory, and transfers execution there. The static part of the decrypted data is typically stored in the AppData\\Local\\Temp directory, often under a name mimicking a system process.\r\nThe result of this initial decryption is a PE file containing the actual miner and all necessary components for the malware’s operation. It ensures its persistence in the victim's environment by creating tasks in the Task Scheduler using a console command. 
This task is designed to start the mining process immediately after the user logs in.\r\n/c schtasks /create /f /sc onlogon /rl highest /tn \"svchost\" /tr '\"C:\\Users\\RDhJ0CNFevzX\\AppData\\Loca\r\nThe name of the malware file, svchost.exe, is not used consistently and can vary from one infection to another, ranging from mimicking the names of system processes to simple numerical sequences.\r\nThe execution of XMRig continues with the malware contacting its command and control (C2) server to fetch configuration files. These configurations dictate the mining method and the wallet address to use. It retrieves this information from the C2 server and adjusts the system's network settings accordingly. To achieve this, it employs nslookup.exe, the default DNS lookup utility in Windows, executing the following command:\r\n--cinit-find-x -B --algo=\"rx/0\" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdms\r\nThis step concludes the preparations, and the malware is now ready for operation. The communication with the C2 server by XMRig is not particularly remarkable: after initialization and receiving configurations, it operates based on them unless directed otherwise by the C\u0026C server to change settings or cease operation. Additionally, the malware gathers some information about its host system, simply to allow its C\u0026C to distinguish it from others.\r\nThe Effects of XMRig\r\nUnlike most malware, which corrupts files by locking them or leaking them to a command server, XMRig's primary function is to utilize the computational power of an infected PC for cryptocurrency mining. This should not be underestimated: such exploitation can severely harm your computer. 
In contrast to voluntary mining, where loads can be managed, malicious mining disregards the well-being of the host system's hardware. Cybercriminals often configure the CPU load to 80%, which might be sustainable for a robust system. However, laptops or poorly maintained computers might experience throttling; associated components, especially those linked to the processor or its heatsink, could also be affected. High temperatures can shorten the lifespan of any electronic component.\r\nProcesses that overload the CPU can be detected by opening the Task Manager.\r\nSetting aside pessimistic forecasts, an overloaded computer is undesirable. Lesser-powered systems may barely respond to user inputs, while more capable computers will remain functional but suffer from degraded performance even in basic applications. Fortunately, this behavior is distinct enough not to be mistaken for other issues, making diagnosis straightforward. Nonetheless, living with this issue is inadvisable, and removing the malware should be a priority. However, the system overload complicates immediate use of anti-malware software. A targeted approach for XMRig removal is necessary, involving booting the system into Safe Mode with Networking.\r\nHow to Protect Yourself from XMRig Malware?\r\nDealing with miner malware, as previously mentioned, is challenging. Therefore, being prepared to address the issue is less effective than preventing the problem altogether. This advice holds true for nearly all types of malware. The most proactive steps focus on blocking malware from entering your system in the first place, which is relatively straightforward given the common propagation methods we've outlined.\r\nAvoid using cracked software and untrustworthy programs. 
Even though email spam has become a prevalent method for malware distribution in recent years, cracked software continues to be a popular infection vector targeting individual users. A source may seem safe, and you might have used it multiple times without issue, but this doesn't ensure safety. Additionally, using unlicensed software is illegal, and being caught can result in substantial fines or imprisonment.\r\nBe wary of untrustworthy programs, often promoted through various means. Tools for system optimization, keygens, apps for manual software cracking, and browser plugins promising extraordinary features pose significant risks. Most anti-malware solutions identify such software as potentially unwanted programs (PUPs), and disregarding these warnings is ill-advised.\r\nSteer clear of email spam. The sheer volume of emails received daily can make it hard to discern legitimate messages from spam. However, there are clear indicators, such as the sender's email address. Fraudulent messages might mimic reputable companies, but a dubious sender address reveals the deceit, regardless of the message content.\r\nLogic inconsistencies in messages are telltale signs of spam. Questionable double notifications from courier services or unexpected bills from companies you haven't transacted with are red flags. Rarely do genuine companies send such communications in error, so these are likely spam attempts mimicking routine correspondence.\r\nRegularly scan your system with high-quality anti-malware software. Malware, whether overt or delivered via droppers, can be effectively detected and removed with specialized tools. Manual detection is challenging, as these threats tend to be as inconspicuous as possible. GridinSoft Anti-Malware can identify and eliminate even the most recent malware strains, leaving no room for resurgence. 
Its advanced scanning system detects malware not just by its files but also by its behavior, ensuring comprehensive protection.\r\nUse Gridinsoft malware remover to scan for miner virus, review suspicious items, and remove confirmed threats on Windows. If this guide matches what you are seeing on your device, start with a practical cleanup scan.\r\nXMRig IoC\r\nHashes\r\nIP addresses\r\nSource: https://gridinsoft.com/xmrig",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://gridinsoft.com/xmrig"
	],
	"report_names": [
		"xmrig"
	],
	"threat_actors": [],
	"ts_created_at": 1775434490,
	"ts_updated_at": 1775791306,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8883a937f5b0dcac012382bce6938016b63490d.pdf",
		"text": "https://archive.orkl.eu/d8883a937f5b0dcac012382bce6938016b63490d.txt",
		"img": "https://archive.orkl.eu/d8883a937f5b0dcac012382bce6938016b63490d.jpg"
	}
}