< ciso
brief />
Tag Banner

All news with #cryptojacking tag

38 articles · page 2 of 2

Amazon warns of cryptomining campaign abusing AWS IAM

⚠️ Amazon's GuardDuty team is tracking an ongoing cryptomining campaign that uses compromised Identity and Access Management (IAM) credentials to abuse EC2 and ECS resources. The attacker deployed an yenik65958/secret Docker Hub image containing the SBRMiner-MULTI miner and configured large ECS tasks and auto-scaling EC2 groups to maximize mining. The actor also enabled instance termination protection to hinder remediation; Amazon has removed the malicious image, alerted affected customers, and recommends rotating compromised IAM credentials while following GuardDuty mitigation guidance.
read more →

Crypto-mining Campaign Targets Amazon EC2 and ECS Resources

⚠️ Amazon GuardDuty and AWS automated monitoring identified a coordinated crypto‑mining campaign beginning November 2, 2025, that used compromised IAM credentials to deploy miners on Amazon EC2 and Amazon ECS. Attackers enumerated quotas and permissions, launched large EC2 fleets and ECS Fargate tasks from a malicious Docker Hub image, and used persistence techniques such as disabling API termination and creating public Lambda URLs. GuardDuty Extended Threat Detection correlated signals to surface critical attack sequences and AWS provides IoCs and mitigation guidance including strong identity controls, CloudTrail logging, Runtime Monitoring, and remediation playbooks.
read more →

Compromised IAM Credentials Fuel Large-Scale AWS Crypto Mining

🚨 Amazon detected a campaign on Nov 2, 2025 that used compromised IAM credentials to rapidly deploy cryptocurrency miners across ECS Fargate and EC2, with miners running within ten minutes of initial access. The adversary used DryRun-based discovery to validate permissions, created service-linked roles and dozens of ECS clusters, and registered a malicious DockerHub image to launch mining with the RandomVIREL algorithm. Attackers also set disableApiTermination=True on EC2 instances to hinder remediation; Amazon recommends enforcing MFA, least privilege, temporary credentials, container scanning, CloudTrail logging and enabling GuardDuty.
read more →

React2Shell Exploitation Delivers Miners and Backdoors

⚠ Huntress reports widespread exploitation of the maximum-severity React Server Components flaw CVE-2025-55182, with attackers leveraging vulnerable Next.js instances to deploy cryptocurrency miners and multiple novel Linux malware families. Observed payloads include the PeerBlight backdoor, CowTunnel reverse proxy and ZinFoq post-exploitation implant, alongside droppers that fetch XMRig, Sliver C2 and Kaiji variants. Activity since early December 2025 has targeted many sectors — notably construction and entertainment — and shows signs of automated scanning and exploitation tools that sometimes deploy Linux payloads to Windows hosts. Organizations should update react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack immediately and hunt for indicators of compromise.
read more →

React2Shell RCE Exploits Observed in the Wild at Scale

⚠️ Patches for the React2Shell vulnerability should be prioritized: researchers report active, largely automated exploitation attempts targeting React Server Components and Next.js. Public proof-of-concept code has been reused by attackers, with initial payloads performing lightweight proof-of-execution checks and staged PowerShell download-and-execute stagers. Vendors including JFrog, Wiz and Greynoise warn of fake PoCs on GitHub, cryptojacking, credential theft attempts, and Mirai-style kit integration, while AWS reports state-linked groups targeting exposed apps — making immediate remediation and verification essential.
read more →

ShadowRay 2.0 Worm Uses Ray Flaw to Build Global Botnet

🪲 Oligo Security warns of an active campaign, codenamed ShadowRay 2.0, that exploits a two-year-old authentication flaw in the Ray AI framework (CVE-2023-48022, CVSS 9.8) to convert exposed clusters with NVIDIA GPUs into a self-replicating cryptomining botnet using XMRig. Operators submit malicious jobs to the unauthenticated Job Submission API (/api/jobs/), stage payloads on GitLab and GitHub, and abuse Ray’s orchestration to pivot laterally, establish persistence via cron jobs, and propagate to other dashboards. Oligo recommends restricting access, enabling authentication on the Ray Dashboard (default port 8265) and using Anyscale’s Ray Open Ports Checker plus firewall rules to reduce accidental exposure.
read more →

ShadowRay 2.0 Converts Exposed Ray Clusters to Miners

⚠ A global campaign named ShadowRay 2.0 is exploiting an unpatched code-execution flaw (CVE-2023-48022) in Ray clusters to deploy a self-propagating cryptomining botnet. Researchers at Oligo attribute the activity to an actor tracked as IronErn440, which uses AI-generated payloads submitted to Ray’s unauthenticated Jobs API. The malware deploys XMRig to mine Monero, establishes persistence via cron and systemd, and opens reverse shells for interactive control. Operators also throttle CPU use and conceal miners with deceptive names to evade detection.
read more →

NCA Campaign Targets Men Under 45 Over Crypto Scams

🚨 The UK's National Crime Agency (NCA) has launched the "Crypto Dream Scam Nightmare" campaign to warn men under 45 about crypto investment fraud that lures victims with professional sites, apps and romance baiting. The initiative, part of the Home Office's Stop! Think Fraud programme, includes a short video and a 10-tip info sheet to help people recognise and avoid scams. The NCA noted Action Fraud logged over 17,000 investment fraud reports last year.
read more →

Active Exploits Target DELMIA Apriso and XWiki — CISA

⚠️ CISA and researchers report active exploitation of critical vulnerabilities in Dassault Systèmes DELMIA Apriso and XWiki, including code injection, missing authorization, and eval injection flaws. Dassault addressed CVE-2025-6204 and CVE-2025-6205 for 2020–2025 releases in August and these issues were added to CISA’s Known Exploited Vulnerabilities catalog. The XWiki flaw (CVE-2025-24893) is being abused in a two-stage chain that stages and later executes a downloader to deliver a cryptocurrency miner. Organizations should apply vendor updates immediately and meet federal remediation deadlines where applicable.
read more →

North Korean Hackers Use EtherHiding to Steal Crypto

⚠️ Google Threat Intelligence Group has linked a North Korean threat actor to EtherHiding, a technique that embeds malicious JavaScript inside smart contracts so the blockchain functions as a resilient command-and-control server. Tracked as UNC5342, the actor used EtherHiding within an elaborate social-engineering campaign to deliver JADESNOW and a JavaScript variant of INVISIBLEFERRET, leading to multiple cryptocurrency heists. The campaign targets developers via fake recruiters and deceptive coding tests on Telegram and Discord.
read more →

Minecraft mods — how malicious mods put players at risk

🛡️ Minecraft mods can enhance gameplay but also serve as vectors for malware. This article explains how threat actors disguise Trojans, infostealers, ransomware and cryptominers as mods or cheat tools and distribute them via GitHub, mod repositories and forums. It outlines practical precautions — sourcing mods from trusted repositories, checking developer reputation and file types, using non-admin accounts, backups and security software — and steps to take if a mod is suspected malicious.
read more →

Cryptominer targets exposed Docker APIs, installs backdoors

🔒 Akamai researchers reported a June–August 2025 variant that no longer drops a cryptominer but instead leverages exposed Docker APIs to gain persistent host access. The campaign launches lightweight containers that mount the host filesystem and fetch Base64-encoded scripts over Tor to install tools such as curl and tor. Once inside, the malware appends SSH keys, creates cron jobs, and attempts to modify firewall rules to deny others access to port 2375. Akamai also observed dormant logic to probe Telnet and Chrome remote debugging (9222), suggesting future botnet expansion.
read more →

Tor-based Cryptojacking Campaign Shows Botnet Potential

🔒 Security researchers uncovered a variant of a campaign that abuses the TOR network and exposed Docker APIs to deploy cryptojacking and reconnaissance tooling. Akamai, which identified the activity last month, says attackers create Alpine containers, mount the host filesystem, and execute a Base64 payload that downloads a shell script from a .onion domain. The downloader alters SSH for persistence and installs utilities like masscan, torsocks and zstd while a Go-based dropper and compressed binary enable scanning and propagation.
read more →

Popular npm packages trojanized to mine cryptocurrency

⚠️ Several widely used npm packages were trojanized after attackers phished maintainers, injecting obfuscated JavaScript that turns affected web applications into cryptodrainers. The malicious code executes in visitors' browsers, intercepting network traffic and API requests to rewrite cryptocurrency wallet addresses for Ethereum, Bitcoin, Solana, Litecoin, Bitcoin Cash and Tron and redirect funds to attacker-controlled wallets. npm removed infected packages about three hours after the attack began, but total downloads during that window remain unknown. Developers are advised to audit dependencies, pin safe versions with overrides in package.json, and use anti-phishing protections.
read more →

Phished Maintainer Leads to Compromise of 20 npm Packages

⚠️ A maintainer of widely used npm packages was phished, allowing attackers to publish malicious updates to 20 modules that together exceed two billion weekly downloads. Researchers from Aikido Security and Socket found the injected payload hooks browser APIs (window.fetch, XMLHttpRequest, window.ethereum.request) to intercept and rewrite cryptocurrency transactions. The malware substitutes recipient addresses by computing Levenshtein distance to closely match intended wallets, putting end users and developers who connect wallets at risk. The incident highlights the persistent supply-chain threat to package ecosystems.
read more →

ShadowCaptcha Exploits WordPress Sites to Spread Malware

🔒 ShadowCaptcha is a large-scale campaign abusing over 100 compromised WordPress sites to push visitors to fake Cloudflare or Google CAPTCHA pages using the ClickFix social‑engineering lure. Injected JavaScript initiates redirection chains, employs anti‑debug techniques, and silently copies commands to the clipboard to coerce users into running built‑in Windows tools or saving and executing HTA files. Attackers weaponize LOLBins and DLL side‑loading to deliver installers and payloads — observed outcomes include credential stealers (Lumma, Rhadamanthys), Epsilon Red ransomware, and XMRig cryptocurrency miners — with some miner variants fetching configs from Pastebin and dropping a vulnerable driver (WinRing0x64.sys) to seek kernel access. Affected sites span multiple countries and sectors, underscoring the importance of timely WordPress hardening, network segmentation, user training, and MFA.
read more →

GeoServer Exploits, PolarEdge, Gayfemboy Expand Cybercrime

🛡️ Cybersecurity teams report coordinated campaigns exploiting exposed infrastructure and known flaws to monetize or weaponize compromised devices. Attackers have abused CVE-2024-36401 in GeoServer to drop lightweight Dart binaries that monetize bandwidth via legitimate passive-income services, while the PolarEdge botnet and Mirai-derived gayfemboy expand relay and DDoS capabilities across consumer and enterprise devices. Separately, TA-NATALSTATUS targets unauthenticated Redis instances to install stealthy cryptominers and persistence tooling.
read more →

Smashing Security Podcast 431: Cloud Bill Fraud & EDR Risks

🛡️ In episode 431 of the Smashing Security podcast, Graham Cluley and guest Allan Liska examine a high-profile cloud-billing fraud in which a crypto influencer calling himself CP3O racked up millions in unpaid cloud costs through cryptomining schemes. They also highlight the growing threat of EDR‑killer tools that can silently disable endpoint protection to aid attackers. The show includes lighter segments on the Internet Archive’s Wayforward Machine and a visit to Mary Shelley’s grave, and carries a content warning for mature language and themes.
read more →