XMRig

The React2Shell vulnerability (CVE-2025–55182) was reported to the React team on November 29. Public advisories and patches dropped on December 3. Threat actors started exploiting it within hours... React2Shell (CVE-2025–55182) is a critical, unauthenticated remote code execution bug in React Server Components’ “Flight” protocol. | Common post-exploitation moves: Install XMRig or another cryptominer

Along with patching, we recommend examining SAP web server access logs for additional evidence of CVE-2025-31324 exploitation, specifically looking for evidence of unusual requests to the API endpoint /developmentserver/metadatauploader . If possible, consider disallowing access to that API endpoint from external networks. To hunt for additional evidence of web shell uploads, organizations can search for unexpected JSP files within these folders on SAP servers... | hxxp[://]23.95.123[.]5:666/xmrigCCall/8bq.sh

This service is accompanied by a pipe named \\.\WinRing0_1_2_0 which allows the process to communicate with the driver. This is quite an old driver, vulnerable to CVE-2020-14979 and CVE-2021-41285, and allowing the actor to elevate privileges to NT\SYSTEM as soon as the direct unchecked communication with the driver is allowed and the attacker controls input forwarded to the driver.

This service is accompanied by a pipe named \\.\WinRing0_1_2_0 which allows the process to communicate with the driver. This is quite an old driver, vulnerable to CVE-2020-14979 and CVE-2021-41285, and allowing the actor to elevate privileges to NT\SYSTEM as soon as the direct unchecked communication with the driver is allowed and the attacker controls input forwarded to the driver.

Ahnlab Security Emergency response Center (ASEC) has recently confirmed that the 8220 Gang attack group is using the Log4Shell vulnerability to install CoinMiner in VMware Horizon servers. Log4Shell (CVE-2021-44228) is both a remote code execution vulnerability and the Java-based logging utility Log4j vulnerability... | If the CVE-2022-26134 vulnerability attack succeeds, the following PowerShell command downloads and executes additional PowerShell scripts and ultimately installs XMRig CoinMiner.

The group targets not only global systems but also Korean ones. ASEC has introduced a case where the attack group abused the Atlassian Confluence server vulnerability CVE-2022-26134 to attack Korean systems and install CoinMiner. | If the CVE-2022-26134 vulnerability attack succeeds, the following PowerShell command downloads and executes additional PowerShell scripts and ultimately installs XMRig CoinMiner.

In this cluster of activity, since at least March 25, 2026, an XMRig sample and its accompanying configuration file were downloaded and deployed via a shell script.

In this cluster of activity, since at least March 25, 2026, an XMRig sample and its accompanying configuration file were downloaded and deployed via a shell script.

In this cluster of activity, since at least March 25, 2026, an XMRig sample and its accompanying configuration file were downloaded and deployed via a shell script.

Several devices initiated TCP connections to endpoints affiliated with cryptomining pools such as us[.]zephyr[.]herominers[.]com and xmrig[.]com. Connectivity to these domains indicates likely successful installation of mining software during earlier stages of post-compromise activity.

Several devices initiated TCP connections to endpoints affiliated with cryptomining pools such as us[.]zephyr[.]herominers[.]com and xmrig[.]com. Connectivity to these domains indicates likely successful installation of mining software during earlier stages of post-compromise activity.

CVE-2022-22954, a remote code execution (RCE) vulnerability due to server-side template injection in VMware Workspace ONE Access and Identity Manager, is trivial to exploit with a single HTTP request to a vulnerable device.

Apache RocketMQ Exploit Module (CVE-2023-33246) ... In June 2023, a vulnerability cataloged as CVE-2023-33246 was discovered that enables an attacker to achieve remote command execution (RCE) on RocketMQ versions 5.1.0 and earlier. Shortly after, DreamBus added an exploit module to target this vulnerability.

Metabase Exploit Module (CVE-2023-38646) ... The open source versions of Metabase 0.46.6.1 and earlier, as well as Metabase Enterprise 1.46.6.1 and earlier, are vulnerable to CVE-2023-38646 ... The vulnerability allows an attacker to execute arbitrary commands on the server. The DreamBus exploit targeting the vulnerability is likely based on an open source proof-of-concept.

The attack, at its core, exploits a critical missing authentication bug (CVE-2023-48022, CVSS score: 9.8) to take control of susceptible instances and hijack their computing power for illicit cryptocurrency mining using XMRig.

CVE-2026-20182 carries a CVSSv3.1 score of 10.0 (Critical) and is classified under CWE-287: Improper Authentication. The flaw affects the Cisco Catalyst SD-WAN Controller (formerly vSmart)... The peering authentication mechanism is not functioning correctly, allowing an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on the affected system.

Apr 2024 PAN-OS CVE-2024-3400 exploit integration (Akamai)

Analysis of react.py This script is clearly set to exploit CVE-2025-29927, also known as React2Shell. ... This script implements a fully automated React/Next.js exploitation pipeline centered on abusing CVE-2025-29927 to achieve remote command execution at scale.

Malware campaigns include the Muhstik botnet and XMRig Monero Cryptocurrency mining. | Drupal versions before 7.58... allow remote attackers to execute arbitrary code... Malware campaigns include the Muhstik botnet and XMRig Monero Cryptocurrency mining.

The PoC repository contained a PDF file... downloading and running three files: Xsession.sh → The main malware script; xsession.auth → A disguised Monero miner (XMRig); xprintidle → A utility to detect when the system was idle. | Late at night, I was testing a proof-of-concept (PoC) exploit for CVE-2020-35489 ... The script appears to be a simple Proof-of-Concept (PoC) for an exploit, but in reality, it contains hidden malicious functionality.

“CoinMiner XMRig, a CoinMiner that mines the Monero cryptocurrency, was the one the most used in the attacks.”

"x522, which kills competing miners such as XMRig and Kinsing, and launches the miner with a c3pool.org configuration"

The Kaswara Modern WPBakery Page Builder plugin (CVE-2021-24284) is an example of this. This is a five-year-old unpatched flaw in a long-abandoned plugin that attackers are still actively exploiting right now... This flaw allows an unauthenticated attacker to upload malicious code directly to a vulnerable server and execute it remotely. | "...attackers have been using this vulnerability to take over WordPress websites... to ultimately install unauthorized copies of the XMRig cryptomining software"

The vulnerability, assigned the CVE identifier CVE-2024-4577, refers to an argument injection vulnerability in PHP affecting Windows-based systems running in CGI mode that could allow remote attackers to run arbitrary code.