Coin miners

Cybercriminals are always looking for new ways to make money. With the rise of digital currencies, also known as cryptocurrencies, criminals see a unique opportunity to infiltrate an organization and secretly mine for coins by reconfiguring malware.

How coin miners work

Many infections start with:

  • Email messages with attachments that try to install malware.

  • Websites hosting exploit kits that attempt to use vulnerabilities in web browsers and other software to install coin miners.

  • Websites taking advantage of computer processing power by running scripts while users browse the website.

Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger. This process generates coins but requires significant computing resources.

Coin miners aren't inherently malicious. Some individuals and organizations invest in hardware and electric power for legitimate coin mining operations. However, others look for alternative sources of computing power and try to find their way into corporate networks. These coin miners aren't wanted in enterprise environments because they eat up precious computing resources.

Cybercriminals see an opportunity to make money by running malware campaigns that distribute, install, and run trojanized miners at the expense of other people's computing resources.


DDE exploits, which have been known to distribute ransomware, are now delivering miners.

For example, a sample of the malware detected as Trojan:Win32/Coinminer (SHA-256: 7213cbbb1a634d780f9bb861418eb262f58954e6e5dca09ca50c1e1324451293) is installed by Exploit:O97M/DDEDownloader.PA, a Word document that contains the DDE exploit.

The exploit launches a cmdlet that executes a malicious PowerShell script (Trojan:PowerShell/Maponeir.A). It downloads the trojanized miner, a modified version of the miner XMRig, which then mines Monero cryptocurrency.

How to protect against coin miners

Enable potentially unwanted applications (PUA) detection. Some coin mining tools aren't considered malware but are detected as PUA. Many applications detected as PUA can negatively impact machine performance and employee productivity. In enterprise environments, you can stop adware, torrent downloaders, and coin mining by enabling PUA detection.

Since coin miners are becoming a popular payload in many different kinds of attacks, see general tips on how to prevent malware infection.

For more information on coin miners, see the blog post Invisible resource thieves: The increasing threat of cryptocurrency miners.