{
	"id": "f06620e4-b010-4721-9dac-af75ee4ba27f",
	"created_at": "2026-04-06T00:22:10.186882Z",
	"updated_at": "2026-04-10T13:12:56.908433Z",
	"deleted_at": null,
	"sha1_hash": "eaf9013f48bb1bf391210f734549e5c11d59acb8",
	"title": "When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 286935,
	"plain_text": "When coin miners evolve, Part 2: Hunting down LemonDuck and\r\nLemonCat attacks\r\nBy Microsoft Threat Intelligence\r\nPublished: 2021-07-29 · Archived: 2026-04-05 23:02:11 UTC\r\n[Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for\r\nprotecting against the wide range of threats it enables. Part 1 covered the evolution of the threat, how it spreads,\r\nand how it impacts organizations. Part 2 provides a deep dive on the attacker behavior and outlines investigation\r\nguidance.]\r\nLemonDuck is an actively updated and robust malware primarily known for its botnet and cryptocurrency mining\r\nobjectives. As we discussed in Part 1 of this blog series, in recent months LemonDuck adopted more sophisticated\r\nbehavior and escalated its operations. Today, beyond using resources for its traditional bot and mining activities,\r\nLemonDuck steals credentials, removes security controls, spreads via emails, moves laterally, and ultimately\r\ndrops more tools for human-operated activity.\r\nLemonDuck spreads in a variety of ways, but the two main methods are (1) compromises that are either edge-initiated or facilitated by bot implants moving laterally within an organization, or (2) bot-initiated email\r\ncampaigns. After installation, LemonDuck can generally be identified by a predictable series of automated\r\nactivities, followed by beacon check-in and monetization behaviors, and then, in some environments, human-operated actions.\r\nIn this blog post, we share our in-depth technical analysis of the malicious actions that follow a LemonDuck\r\ninfection. These include general and automatic behavior, as well as human-operated actions. 
We also provide\r\nguidance for investigating LemonDuck attacks, as well as mitigation recommendations for strengthening defenses\r\nagainst these attacks.\r\nhttps://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/\r\nPage 1 of 13\n\nFigure 2. LemonDuck attack chain from the Duck and Cat infrastructures\r\nExternal or human-initialized behavior\r\nLemonDuck activity initiated from external applications – as against self-spreading methods like malicious\r\nphishing mail – is generally much more likely to begin with or lead to human-operated activity. These activities\r\nalways result in more invasive secondary malware being delivered in tandem with persistent access being\r\nmaintained through backdoors. These human-operated activities result in greater impact than standard infections.\r\nIn March and April 2021, various vulnerabilities related to the ProxyLogon set of Microsoft Exchange Server\r\nexploits were utilized by LemonDuck to install web shells and gain access to outdated systems. Attackers then\r\nused this access to launch additional attacks while also deploying automatic LemonDuck components and\r\nmalware.\r\nIn some cases, the LemonDuck attackers used renamed copies of the official Microsoft Exchange On-Premises\r\nMitigation Tool to remediate the vulnerability they had used to gain access. They did so while maintaining full\r\naccess to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities.\r\nThis self-patching behavior is in keeping with the attackers’ general desire to remove competing malware and\r\nrisks from the device. 
This allows them to limit visibility of the attack to SOC analysts within an organization who\r\nmight be prioritizing unpatched devices for investigation, or who would overlook devices that do not have a high\r\nvolume of malware present.\r\nThe LemonDuck operators also make use of many fileless malware techniques, which can make remediation more\r\ndifficult. Fileless techniques, which include persistence via registry, scheduled tasks, WMI, and startup folder,\r\nremove the need for stable malware presence in the filesystem. These techniques also include utilizing process\r\ninjection and in-memory execution, which can make removal non-trivial. It is therefore imperative that\r\norganizations that were vulnerable in the past also direct action to investigate exactly how patching occurred, and\r\nwhether malicious activity persists.\r\nOn the basic side of implementation this can mean registry, scheduled task, WMI and startup folder persistence to\r\nremove the necessity for stable malware presence in the filesystem. However, many free or easily\r\navailable RATs and Trojans are now routinely utilizing process injection and in-memory execution to circumvent\r\neasy removal. To counter these kinds of behaviors, it’s imperative that security teams within organizations review\r\ntheir incident response and malware removal processes to include all common areas and arenas of the operating\r\nsystem where malware may continue to reside after cleanup by an antivirus solution.\r\nGeneral, automatic behavior\r\nIf the initial execution begins automatically or from self-spreading methods, it typically originates from a file\r\ncalled Readme.js. This behavior could change over time, as the purpose of this .js file is to obfuscate and launch\r\nthe PowerShell script that pulls additional scripts from the C2. 
This JavaScript launches a CMD process that\r\nsubsequently launches Notepad as well as the PowerShell script contained within the JavaScript.\r\nIn contrast, if infection begins with RDP brute force, Exchange vulnerabilities, or other vulnerable edge systems,\r\nthe first few actions are typically human-operated or originate from a hijacked process rather than from Readme.js.\r\nAfter this, the next few actions that the attackers take, including the scheduled task creation,  as well as the\r\nindividual components and scripts are generally the same.\r\nOne of these actions is to establish fileless persistence by creating scheduled tasks that re-run the initial\r\nPowerShell download script. This script pulls its various components from the C2s at regular intervals. The script\r\nthen checks to see if any portions of the malware were removed and re-enables them. LemonDuck also maintains\r\na backup persistence mechanism through WMI Event Consumers to perform the same actions.\r\nTo host their scripts, the attackers use multiple hosting sites, which as mentioned are resilient to takedown. They\r\nalso have multiple scheduled tasks to try each site, as well as the WMI events in case other methods fail. If all of\r\nthose fail, LemonDuck also uses its access methods such as RDP, Exchange web shells, Screen Connect, and\r\nRATs to maintain persistent access. These task names can vary over time, but “blackball”, “blutea”, and “rtsa”\r\nhave been persistent throughout 2020 and 2021 and are still seen in new infections as of this report.\r\nLemonDuck attempts to automatically disable Microsoft Defender for Endpoint real-time monitoring and adds\r\nwhole disk drives –  specifically the C:\\ drive – to the Microsoft Defender exclusion list. This action could in\r\neffect disable Microsoft Defender for Endpoint, freeing the attacker to perform other actions. 
Tamper protection\r\nprevents these actions, but it’s important for organizations to monitor this behavior in cases where individual users\r\nset their own exclusion policy.\r\nLemonDuck then attempts to automatically remove a series of other security products through CMD.exe,\r\nleveraging WMIC.exe. The products that we have observed LemonDuck remove include ESET, Kaspersky, Avast,\r\nNorton Security, and MalwareBytes. However, they also attempt to uninstall any product with “Security” and\r\n“AntiVirus” in the name by running the following commands:\r\nCustom detections in Microsoft Defender for Endpoint or other security solutions can raise alerts on behaviors\r\nindicating interactions with security products that are not deployed in the environment. These alerts can allow the\r\nquick isolation of devices where this behavior is observed. While this uninstallation behavior is common in other\r\nmalware, when observed in conjunction with other LemonDuck TTPs, this behavior can help validate LemonDuck\r\ninfections.\r\nLemonDuck leverages a wide range of free and open-source penetration testing tools. It also uses freely available\r\nexploits and functionality such as coin mining. Because of this, the order and the number of times the next few\r\nactivities are run can change. The attackers can also change the threat’s presence slightly depending on the\r\nversion, the method of infection, and timeframe. Many .exe and .bin files are downloaded from C2s via encoded\r\nPowerShell commands. 
These domains use a variety of names such as the following:\r\nackng[.]com\r\nbb3u9[.]com\r\nttr3p[.]com\r\nzz3r0[.]com\r\nsqlnetcat[.]com\r\nnetcatkit[.]com\r\nhwqloan[.]com\r\n75[.]ag\r\njs88[.]ag\r\nqq8[.]ag\r\nIn addition to directly calling the C2s for downloads through scheduled tasks and PowerShell, LemonDuck\r\nexhibits another unique behavior: the IP addresses of a smaller subset of C2s are calculated and paired with a\r\npreviously randomly generated and non-real domain name. This information is then added into the Windows\r\nHosts file to avoid detection by static signatures. In instances where this method is seen, there is a routine to\r\nupdate this once every 24 hours. An example of this is below:\r\nLemonDuck is known to use custom executables and scripts. It also renames and packages well-known tools such\r\nas XMRig and Mimikatz. Of these, the three most common are the following, though other packages and binaries\r\nhave been seen as well, including many with .ori file extensions:\r\nIF.BIN (used for lateral movement and privilege escalation)\r\nKR.BIN (used for competition removal and host patching)\r\nM[0-9]{1}[A-Z]{1}.BIN, M6.BIN, M6.BIN.EXE, or M6G.Bin (used for mining)\r\nExecutables used throughout the infection also use random file names sourced from the initiating script, which\r\nselects random characters, as evident in the following code:\r\nLateral movement and privilege escalation\r\nIF.Bin, whose name stands for “Infection”, is the most common name used for the infection script during the\r\ndownload process. LemonDuck uses this script at installation and then repeatedly thereafter to attempt to scan for\r\nports and perform network reconnaissance. 
It then attempts to log onto adjacent devices to push the initial\r\nLemonDuck execution scripts.\r\nIF.Bin attempts to move laterally via any additional attached drives. When drives are identified, they are checked\r\nto ensure that they aren’t already infected. If they aren’t, a copy of Readme.js, as well as subcomponents of IF.Bin,\r\nare downloaded into the drive’s home directory as hidden.\r\nSimilarly, IF.Bin attempts to brute force and use vulnerabilities for SMB, SQL, and other services to move\r\nlaterally. It then immediately contacts the C2 for downloads.\r\nAnother tool dropped and utilized within this lateral movement component is a bundled Mimikatz, within a\r\nmimi.dat file associated with both the “Cat” and “Duck” infrastructures. This tool’s function is to facilitate\r\ncredential theft for additional actions. In conjunction with credential theft, IF.Bin drops additional .BIN files to\r\nattempt common service exploits like CVE-2017-8464 (LNK remote code execution vulnerability) to increase\r\nprivilege.\r\nThe attackers regularly update the internal infection components that the malware scans for. They then attempt\r\nbrute force or spray attacks, as well as exploits against available SSH, MSSQL, SMB, Exchange, RDP, REDIS\r\nand Hadoop YARN for Linux and Windows systems. A sample of ports that recent LemonDuck infections were\r\nobserved querying include 70001, 8088, 16379, 6379, 22, 445, and 1433.\r\nOther functions built in and updated in this lateral movement component include mail self-spreading. This\r\nspreading functionality evaluates whether a compromised device has Outlook. If so, it accesses the mailbox and\r\nscans for all available contacts. It sends the initiating infecting file as part of a .zip, .js, or .doc/.rtf file with a static\r\nset of subjects and bodies. 
The mail metadata count of contacts is also sent to the attacker, likely to evaluate its\r\neffectiveness, such as in the following command:\r\nCompetition removal and host patching\r\nAt installation and repeatedly afterward, LemonDuck goes to great lengths to remove all other botnets, miners, and\r\ncompetitor malware from the device. It does this via KR.Bin, the “Killer” script, which gets its name from its\r\nfunction calls. This script attempts to remove services, network connections, and other evidence from dozens of\r\ncompetitor malware via scheduled tasks. It also closes well-known mining ports and removes popular mining\r\nservices to preserve system resources. The script even removes the mining service it intends to use and simply\r\nreinstalls it afterward with its own configuration.\r\nThis “Killer” script is likely a continuation of older scripts that were used by other botnets such as GhostMiner in\r\n2018 and 2019. The older variants of the script were quite small in comparison, but they have since grown, with\r\nadditional services added in 2020 and 2021. Presently, LemonDuck seems consistent in naming its variant KR.Bin.\r\nThis process spares the scheduled tasks created by LemonDuck itself, including various PowerShell scripts as well\r\nas a task called “blackball”, “blutea”, or “rtsa”, which has been in use by all LemonDuck’s infrastructures for the\r\nlast year along with other task names.\r\nThe attackers were also observed manually re-entering an environment, especially in instances where edge\r\nvulnerabilities were used as an initial entry vector. The attackers also patch the vulnerability they used to enter the\r\nnetwork to prevent other attackers from gaining entry. 
As mentioned, the attackers were seen using a copy of a\r\nMicrosoft-provided mitigation tool for the Exchange ProxyLogon vulnerability, which they hosted on their\r\ninfrastructure, to ensure other attackers don’t gain web shell access the way they had. If unmonitored, this scenario\r\ncould potentially lead to a situation where, if a system does not appear to be in an unpatched state, suspicious\r\nactivity that occurred before patching could be ignored or thought to be unrelated to the vulnerability.\r\nWeaponization and continued impact\r\nA miner implant is downloaded as part of the monetization mechanism of LemonDuck. The implant used is\r\nusually XMRig, which is a favorite of GhostMiner malware, the Phorpiex botnet, and other malware operators.\r\nThe file uses any of the following names:\r\nM6.bin\r\nM6.bin.ori\r\nM6G.bin\r\nM6.bin.exe\r\n\u003cFile name that follows the regex pattern M[0-9]{1}[A-Z]{1}\u003e.BIN.\r\nOnce the automated behaviors are complete, the threat goes into a consistent check-in behavior, simply mining\r\nand reporting out to the C2 infrastructure and mining pools as needed with encoded PowerShell commands such\r\nas those below (decoded):\r\nOther systems that are affected bring in secondary payloads such as Ramnit, which is a very popular Trojan that\r\nhas been seen being dropped by other malware in the past. 
Additional backdoors, other malware implants, and\r\nactivities continue long after initial infection, demonstrating that even a “simple” infection by a coin mining\r\nmalware like LemonDuck can persist and bring in more dangerous threats to the enterprise.\r\nComprehensive protection against a wide-ranging malware operation\r\nThe cross-domain visibility and coordinated defense delivered by Microsoft 365 Defender is designed for the wide\r\nrange and increasing sophistication of threats that LemonDuck exemplifies. Below we list mitigation actions,\r\ndetection information, and advanced hunting queries that Microsoft 365 Defender customers can use to harden\r\nnetworks against threats from LemonDuck and other malware operations.\r\nMitigations\r\nApply these mitigations to reduce the impact of LemonDuck. Check the recommendations card for the\r\ndeployment status of monitored mitigations.\r\nPrevent threats from arriving via removable storage devices by blocking these devices on sensitive\r\nendpoints. If you allow removable storage devices, you can minimize the risk by turning off autorun,\r\nenabling real-time antivirus protection, and blocking untrusted content. Learn about stopping threats from\r\nUSB devices and other removable media.\r\nEnsure that Linux and Windows devices are included in routine patching, and validate protection against\r\nthe CVE-2019-0708, CVE-2017-0144, CVE-2017-8464, CVE-2020-0796, CVE-2021-26855,\r\nCVE-2021-26858, and CVE-2021-27065 vulnerabilities, as well as against brute-force attacks in popular services like\r\nSMB, SSH, RDP, SQL, and others.\r\nTurn on PUA protection. Potentially unwanted applications (PUA) can negatively impact machine\r\nperformance and employee productivity. 
In enterprise environments, PUA protection can stop adware,\r\ntorrent downloaders, and coin miners.\r\nTurn on tamper protection features to prevent attackers from stopping security services.\r\nTurn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus.\r\nThese capabilities use artificial intelligence and machine learning to quickly identify and stop new and\r\nunknown threats.\r\nEncourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies\r\nand blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host\r\nmalware. Turn on network protection to block connections to malicious domains and IP addresses.\r\nCheck your Office 365 antispam policy and your mail flow rules for allowed senders, domains and IP\r\naddresses. Apply extra caution when using these settings to bypass antispam filters, even if the allowed\r\nsender addresses are associated with trusted organizations—Office 365 will honor these settings and can let\r\npotentially harmful messages pass through. 
Review system overrides in threat explorer to determine why\r\nattack messages have reached recipient mailboxes.\r\nAttack surface reduction\r\nTurn on the following attack surface reduction rules, to block or audit activity associated with this threat:\r\nBlock executable content from email client and webmail\r\nBlock JavaScript or VBScript from launching downloaded executable content\r\nBlock Office applications from creating executable content\r\nBlock all Office applications from creating child processes\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criterion\r\nBlock execution of potentially obfuscated scripts\r\nBlock persistence through WMI event subscription\r\nBlock process creations originating from PSExec and WMI commands\r\nAntivirus detections\r\nMicrosoft Defender Antivirus detects threat components as the following malware:\r\nTrojanDownloader:PowerShell/LemonDuck!MSR\r\nTrojanDownloader:Linux/LemonDuck.G!MSR\r\nTrojan:Win32/LemonDuck.A\r\nTrojan:PowerShell/LemonDuck.A\r\nTrojan:PowerShell/LemonDuck.B\r\nTrojan:PowerShell/LemonDuck.C\r\nTrojan:PowerShell/LemonDuck.D\r\nTrojan:PowerShell/LemonDuck.E\r\nTrojan:PowerShell/LemonDuck.F\r\nTrojan:PowerShell/LemonDuck.G\r\nTrojanDownloader:PowerShell/LodPey.A\r\nTrojanDownloader:PowerShell/LodPey.B\r\nTrojan:PowerShell/Amynex.A\r\nTrojan:Win32/Amynex.A\r\nEndpoint detection and response (EDR) alerts\r\nAlerts with the following titles in the security center can indicate threat activity on your network:\r\nLemonDuck botnet C2 domain activity\r\nLemonDuck malware\r\nThe following alerts might also indicate threat activity associated with this threat. 
These alerts, however, can be\r\ntriggered by unrelated threat activity and are not monitored in the status cards provided with this report.\r\nSuspicious PowerShell command line\r\nSuspicious remote activity\r\nSuspicious service registration\r\nSuspicious Security Software Discovery\r\nSuspicious System Network Configuration Discovery\r\nSuspicious sequence of exploration activities\r\nSuspicious Process Discovery\r\nSuspicious System Owner/User Discovery\r\nSuspicious System Network Connections Discovery\r\nSuspicious Task Scheduler activity\r\nSuspicious Microsoft Defender Antivirus exclusion\r\nSuspicious behavior by cmd.exe was observed\r\nSuspicious remote PowerShell execution\r\nSuspicious behavior by svchost.exe was observed\r\nA WMI event filter was bound to a suspicious event consumer\r\nAttempt to hide use of dual-purpose tool\r\nSystem executable renamed and launched\r\nMicrosoft Defender Antivirus protection turned off\r\nAnomaly detected in ASEP registry\r\nA script with suspicious content was observed\r\nAn obfuscated command line sequence was identified\r\nA process was injected with potentially malicious code\r\nA malicious PowerShell Cmdlet was invoked on the machine\r\nSuspected credential theft activity\r\nOutbound connection to non-standard port\r\nSensitive credential memory read\r\nAdvanced hunting\r\nThe LemonDuck botnet is highly varied in its payloads and delivery methods after email distribution, so it can\r\nsometimes evade alerts. You can use the advanced hunting capability in Microsoft 365 Defender and Microsoft\r\nDefender for Endpoint to surface activities associated with this threat.\r\nNOTE: The following sample queries let you search for a week’s worth of events. 
To explore up to 30 days’\r\nworth of raw data to inspect events in your network and locate potential Lemon Duck-related indicators for more\r\nthan a week, go to the Advanced Hunting page \u003e Query tab, select the calendar drop-down menu to update your\r\nquery to hunt for the Last 30 days.\r\nLemonDuck template subject lines\r\nLooks for subject lines that are present from 2020 to 2021 in dropped scripts that attach malicious LemonDuck\r\nsamples to emails and mail them to contacts of the mailboxes on impacted machines. Additionally, checks if\r\nattachments are present in the mailbox. General attachment types to check for at present are .DOC, .ZIP or .JS,\r\nthough this could be subject to change as well as the subjects themselves. Run query in Microsoft 365 security\r\ncenter.\r\nEmailEvents\r\n| where Subject in ('The Truth of COVID-19','COVID-19 nCov Special info WHO','HALTH ADVISORY:CORONA VIRUS',\r\n'WTF','What the fcuk','good bye','farewell letter','broken file','This is your order?')\r\n| where AttachmentCount \u003e= 1\r\nLemonDuck Botnet Registration Functions\r\nLooks for instances of function runs with name “SIEX”, which within the Lemon Duck initializing scripts is used\r\nto assign a specific user-agent for reporting back to command-and-control infrastructure. This query should\r\nbe accompanied by additional surrounding logs showing successful downloads from component sites. Run query\r\nin Microsoft 365 security center.\r\nDeviceEvents\r\n| where ActionType == \"PowerShellCommand\"\r\n| where AdditionalFields =~ \"{\\\"Command\\\":\\\"SIEX\\\"}\"\r\nLemonDuck keyword identification\r\nLooks for simple usage of LemonDuck keyword variations initiated by PowerShell processes. 
All results\r\nshould reflect Lemon_Duck behavior; however, there are existing variants of Lemon_Duck that might not use this\r\nterm explicitly, so validate with additional hunting queries based on known TTPs. Run query in Microsoft 365\r\nsecurity center.\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName == \"powershell.exe\"\r\n| where InitiatingProcessCommandLine has_any(\"Lemon_Duck\",\"LemonDuck\")\r\nLemonDuck Microsoft Defender tampering\r\nLooks for a command line event where LemonDuck or other similar malware might attempt to modify Defender by\r\ndisabling real-time monitoring functionality or adding entire drive letters to the exclusion criteria. The exclusion\r\nadditions will often succeed even if tamper protection is enabled due to the design of the application. Custom\r\nalerts could be created in an environment for particular drive letters common in the environment. Run query in\r\nMicrosoft 365 security center.\r\nDeviceProcessEvents\r\n| where InitiatingProcessCommandLine has_all (\"Set-MpPreference\", \"DisableRealtimeMonitoring\", \"Add-MpPreference\", \"ExclusionProcess\")\r\n| project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp\r\nAntivirus uninstallation attempts\r\nLooks for a command line event where LemonDuck or other similar malware attempts to uninstall installed security\r\nproducts through WMIC, querying installed products by name and calling uninstall non-interactively, for product\r\nnames such as those listed in the query. Run query in Microsoft 365 security center.\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName =~ \"wmic.exe\"\r\n| where InitiatingProcessCommandLine has_all(\"product where\",\"name like\",\"call uninstall\",\"/nointeractive\")\r\n| where InitiatingProcessCommandLine has_any(\"Kaspersky\",\"avast\",\"avp\",\"security\",\"eset\",\"AntiVirus\",\"Norton Security\")\r\nKnown LemonDuck component script installations\r\nLooks for instances of the callback actions which attempt to obfuscate detection while downloading supporting\r\nscripts such as those that enable the “Killer” and “Infection” functions for the malware as well as the mining\r\ncomponents and potential secondary functions. Options for more specific instances are included to account for\r\nenvironments with potential false positives. The most general versions are intended to account for minor script or\r\ncomponent changes such as changing to utilize non-.bin files and non-common components. Run query in\r\nMicrosoft 365 security center.\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName in (\"powershell.exe\",\"cmd.exe\")\r\n| where InitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\") or\r\nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\".bin\") or\r\nInitiatingProcessCommandLine has_all(\"/c echo try\",\"down_url=\",\"md5\",\"downloaddata\",\"ComputeHash\",\"kr.bin\",\"if.bin\",\"m6.bin\")\r\nLemonDuck named scheduled task creation\r\nLooks for instances where LemonDuck creates statically named scheduled tasks, or for a semi-unique pattern of task\r\ncreation that LemonDuck also utilizes: launching hidden PowerShell processes in conjunction with randomly generated\r\ntask names. An example of a randomly generated one is: “schtasks.exe” /create /ru system /sc MINUTE /mo 60 /tn fs5yDs9ArkV\\2IVLzNXfZV/F /tr “powershell -w hidden -c PS_CMD”. Run query in Microsoft 365 security\r\ncenter.\r\nDeviceProcessEvents\r\n| where FileName =~ \"schtasks.exe\"\r\n| where ProcessCommandLine has(\"/create\")\r\n| where ProcessCommandLine has_any(\"/tn blackball\",\"/tn blutea\",\"/tn rtsa\") or\r\nProcessCommandLine has_all(\"/create\",\"/ru\",\"system\",\"/sc\",\"/mo\",\"/tn\",\"/F\",\"/tr\",\"powershell -w hidden -c PS_CMD\")\r\nCompetition killer script scheduled task execution\r\nLooks for instances of the LemonDuck component KR.Bin, which is intended to kill competition prior to making\r\nthe installation and persistence of the malware concrete. The killer script used is based on historical versions from\r\n2018 and earlier, which has grown over time to include scheduled task and service names of various botnets,\r\nmalware, and other competing services. The version currently in use by LemonDuck has approximately 40-60\r\nscheduled task names. The upper maximum in this query can be modified and adjusted to include time bounding.\r\nRun query in Microsoft 365 security center.\r\nDeviceProcessEvents\r\n| where ProcessCommandLine has_all(\"schtasks.exe\",\"/Delete\",\"/TN\",\"/F\")\r\n| summarize make_set(ProcessCommandLine) by DeviceId\r\n| extend DeleteVolume = array_length(set_ProcessCommandLine)\r\n| where set_ProcessCommandLine has_any(\"Mysa\",\"Sorry\",\"Oracle Java Update\",\"ok\") and DeleteVolume \u003e= 40 and DeleteVolume \u003c= 80\r\nLemonDuck hosts file adjustment for dynamic C2 downloads\r\nLooks for a PowerShell event wherein LemonDuck will attempt to simultaneously retrieve the IP address of a C2\r\nand modify the hosts file with the retrieved address. The address is then attributed to a name that does not exist\r\nand is randomly generated. The script then instructs the machine to download data from the address. 
This query\r\nhas a more general and a more specific version, allowing the detection of this technique if other activity groups\r\nwere to utilize it. Run query in Microsoft 365 security center.\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName == \"powershell.exe\"\r\n| where InitiatingProcessCommandLine has_all(\"GetHostAddresses\",\"etc\",\"hosts\")\r\nor InitiatingProcessCommandLine has_all(\"GetHostAddresses\",\"IPAddressToString\",\"etc\",\"hosts\",\"DownloadData\")\r\nLearn how your organization can stop attacks through automated, cross-domain security and built-in AI with\r\nMicrosoft Defender 365.\r\nSource: https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/07/29/when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks/"
	],
	"report_names": [
		"when-coin-miners-evolve-part-2-hunting-down-lemonduck-and-lemoncat-attacks"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434930,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eaf9013f48bb1bf391210f734549e5c11d59acb8.pdf",
		"text": "https://archive.orkl.eu/eaf9013f48bb1bf391210f734549e5c11d59acb8.txt",
		"img": "https://archive.orkl.eu/eaf9013f48bb1bf391210f734549e5c11d59acb8.jpg"
	}
}