ALERTS CRYPTOCURRENCY
| DATE | NAME | CATEGORY | SUBCATEGORY | INFO |
|---|---|---|---|---|
| 18.4.25 | Malicious VSCode extensions infecting users with cryptominer | ALERTS | CRYPTOCURRENCY | A set of VSCode extensions posing as legitimate development tools has been observed infecting users with the XMRig cryptominer for Monero in a new cryptojacking campaign. |
| 13.3.25 | A new campaign distributing scam crypto investment platforms | ALERTS | CRYPTOCURRENCY | A new campaign spreading fraudulent cryptocurrency investment platforms has been reported by researchers from Palo Alto. The attackers use websites and Android mobile apps masquerading as known brands of retail stores, financial institutions or technology companies to lure their victims. |
| 11.02.25 | Cryptocurrency mining malware distributed via USB | ALERTS | CRYPTOCURRENCY | Cryptocurrency mining malware has spread to victims through USB propagation in South Korea. In addition to persistence through USB, the malware modifies system settings to maximize infection and uses security bypass techniques. In particular, the CoinMiner malware employs C2 server communication, DLL sideloading to bypass execution controls, detection evasion via Windows Defender exclusion settings, and disabling of hibernation for optimum mining performance. |
| 21.1.25 | Redtail Cryptocurrency Mining Malware | ALERTS | CRYPTOCURRENCY | Redtail is an adaptable malware that stealthily installs itself on compromised systems, using advanced tactics to persist and exploit systems for unauthorized cryptocurrency mining. It is capable of running on various CPU architectures by using two extra scripts: one identifies the CPU architecture of the victim system to ensure compatibility, and the other removes any competing crypto-mining software already present on the compromised system. This dual approach maintains persistence and helps evade detection. |
| 18.1.25 | OtterCookie observed being used by nation states to steal cryptocurrency | ALERTS | CRYPTOCURRENCY | OtterCookie, an infostealer designed to steal cryptocurrency information, has recently been observed in use by nation state actors. |
| 1.11.24 | TeamTNT targets cloud-native environments in new cryptojacking campaign | ALERTS | CRYPTOCURRENCY | A new campaign by the cryptojacking group TeamTNT has been reported targeting cloud-native environments for cryptocurrency mining and reselling compromised servers. They exploit exposed Docker daemons to deploy Sliver malware, cyber worms and cryptominers, gaining access through exposed Docker ports and using compromised Docker Hub accounts to spread malware and rent out victims' computational power. |
| 27.10.24 | North Korean hackers target cryptocurrency users on LinkedIn with RustDoor malware | ALERTS | CRYPTOCURRENCY | In early September, the FBI warned of North Korean threat actors targeting the crypto industry. A campaign has been reported in which these actors attempt to lure potential victims on LinkedIn to deliver RustDoor malware. One user was approached by someone impersonating a recruiter for a legitimate decentralized cryptocurrency exchange (DEX) technology firm, supported by professional-looking websites to enhance the legitimacy of the fake entities. |
| 20.8.24 | Crypto investment scams posing as Tesla | ALERTS | CRYPTOCURRENCY | A recent report reveals that attackers are exploiting Tesla's name to promote cryptocurrency scams. These scammers have registered domains containing 'Tesla' to deceive users into visiting malicious links. The links lead to the download of a harmful Android application, which is promoted on social platforms such as YouTube and Telegram. |
| 9.8.24 | Cryptocurrency-themed lure sites used for phishing attacks | ALERTS | CRYPTOCURRENCY | Threat actors are creating thousands of cryptocurrency-themed lure sites used for phishing attacks that target users of cryptocurrency wallet brands like MetaMask, WalletConnect, Coinbase, Trezor, Ledger, Bitget, Exodus, Phantom, and others. These actors are using free hosting services such as Gitbook and Webflow to create lure sites on crypto wallet typo-squatter subdomains like the following. |
| 7.8.24 | Trust (Crypto) Wallet users targeted with a new phishing wave | ALERTS | CRYPTOCURRENCY | Trust Wallet is a crypto wallet that provides its users services such as buying, selling, storing, swapping and managing their cryptocurrencies. Lately, Symantec has observed phishing runs that impersonate Trust Wallet services and entice users to open fake notification emails. |
| 27.7.24 | SeleniumGreed cryptomining operation | ALERTS | CRYPTOCURRENCY | SeleniumGreed is a recently disclosed cryptomining operation observed in the wild. The campaign targets exposed versions of Selenium Grid, a component of the open-source Selenium automation framework used for testing web applications. |
| 18.7.24 | Jenkins Script Console exploited for cryptocurrency mining | ALERTS | CRYPTOCURRENCY | Improperly configured Jenkins Script Console instances (such as the Jenkins Groovy plugin) have been weaponized by attackers, leading to criminal activities such as the deployment of cryptocurrency miners and of backdoors used to gather sensitive information. |
| 10.7.24 | Water Sigbin exploits vulnerabilities to deliver cryptocurrency miner | ALERTS | CRYPTOCURRENCY | The threat actor Water Sigbin (aka 8220 Gang) has exploited vulnerabilities in Oracle WebLogic Server (CVE-2017-3506 and CVE-2023-21839) to deliver a cryptocurrency miner called XMRig to the compromised systems. |
| 26.6.24 | Web shell attack used for deployment of XMRig coinminer | ALERTS | CRYPTOCURRENCY | Web shell attacks are a common technique used by attackers to maintain persistence and remotely access web servers during cyberattacks. They enable attackers to exploit compromised online applications through predefined phishing methods. Web shells give attackers the ability to execute commands on a server while evading detection by blending in with legitimate website traffic. |
| 18.6.24 | Cryptojacking campaign exploiting Docker Engine vulnerabilities | ALERTS | CRYPTOCURRENCY | A new cryptojacking campaign targeting publicly exposed Docker Engine hosts has been observed. It is presumed to be associated with the threat actors behind the previously seen malware campaign dubbed Spinning YARN. The attack vector starts by scanning for open port 2375 and deploying an Alpine Linux container. |
| 12.6.24 | DERO cryptojacking operation targeting Kubernetes infrastructure | ALERTS | CRYPTOCURRENCY | Dero, a cryptocurrency, offers better privacy, anonymity and faster rewards than Monero, and is often used in cryptojacking according to a March 2023 report. A recent report from a threat researcher discussed the cryptojacking campaign's evolution, where the attack vector involves exploiting an externally accessible Kubernetes API server with anonymous authentication enabled. After gaining access, the attacker deployed cryptominer workloads across various Kubernetes namespaces using benign names to evade detection. |
| 6.6.24 | RedTail cryptomining malware exploiting PAN-OS vulnerability | ALERTS | CRYPTOCURRENCY | RedTail cryptocurrency mining malware has added a PAN-OS vulnerability to its exploit arsenal. PAN-OS CVE-2024-3400 is a now-patched vulnerability that allows an attacker to execute arbitrary code with root user privileges. Successfully exploiting this PAN-OS vulnerability and executing the commands can lead to the download of the RedTail payload. This malware employs advanced evasion and persistence techniques. RedTail has also used other propagation mechanisms involving other vulnerability exploits (such as CVE-2023-46805 and CVE-2024-21887). |
| 31.5.24 | Unveiling cryptocurrency mining tactics of the 8220 Gang | ALERTS | CRYPTOCURRENCY | The 8220 Gang, a widely recognized threat actor based in China and driven by financial motives, has been active since 2017. Specializing in deploying cryptocurrency-mining malware, they primarily target cloud-based environments and Linux servers, exploiting known application vulnerabilities as part of their tactics, techniques, and procedures (TTPs). |