# Threat Brief: Malware Authors Mine Monero Across the Globe in a Big Way

By [Christopher Budd](https://www.paloaltonetworks.com/blog/author/christopher-budd/?ts=markdown "Posts by Christopher Budd"), Jan 24, 2018

In
October 2017, Palo Alto Networks Unit 42 published [research](https://www.paloaltonetworks.com/blog/2017/10/threat-brief-drive-mining-adapting-old-attack-mine-cryptocurrencies/) showing how attackers were adapting attack techniques to generate cryptocurrency for themselves. In that research, we also showed how broad these attacks were and how quickly they grew. At the time, we said that the sudden, surging value of cryptocurrencies was likely behind the sudden, strong rise of these new attacks. We also said that if cryptocurrency values remained high, we could expect attackers to keep looking for ways to carry out attacks that gain them cryptocurrency, and that those attacks would continue to adapt proven attack techniques.

Unit 42 has just released new research showing that attackers are indeed continuing to adapt existing techniques to generate cryptocurrency. In our research posting "[Large Scale Monero Cryptocurrency Mining Operation using XMRig](https://www.paloaltonetworks.com/blog/2018/01/unit42-large-scale-monero-cryptocurrency-mining-operation-using-xmrig/)" we detail a new malware campaign that is global in scale, very large in the likely number of victims, and uses well-established techniques to mine the Monero cryptocurrency.

![Monero_brief1](https://www.paloaltonetworks.com/blog/wp-content/uploads/2018/01/Monero_brief1.png)

Monero is a cryptocurrency similar to [bitcoin](https://en.wikipedia.org/wiki/Bitcoin_mining) but notable for its increased emphasis on providing a higher level of privacy around its transactions. Like bitcoin, Monero is generated through "[mining](https://en.wikipedia.org/wiki/Bitcoin_mining)", a computationally intensive process that provides cryptocurrency credit in exchange for computing resources provided in service to the cryptocurrency and its transaction infrastructure.
The operation that Unit 42 has recently uncovered works to deliver XMRig, software that is used to mine the Monero cryptocurrency, to victims' systems without their knowledge or consent. While XMRig isn't itself malware, it's being delivered using malware-delivery techniques, without the user's knowledge and consent, just like malware. The attackers are doing this by using URL shorteners to make XMRig look like other, legitimate, expected programs. This is a method attackers have used for years to deliver malware, and they are using it now to get coinmining software onto people's systems illicitly.

The attackers' use of URL shorteners enabled our Unit 42 researchers to get an idea of the size, scope, and scale of this operation, and all three are notable and sobering.

First, this is a young campaign. Our research shows this operation to be only about four months old.

Second, this is a very large campaign. Our researchers can show that about one-half of the samples we found have affected 15 million people worldwide. While we can't see how many people the other half of the samples affect, it's a reasonable supposition that they affect just as many people as the half we can see. This would mean that this operation may affect about 30 million people worldwide.

In terms of who's been affected by this operation, again, we can only see half of those affected. But what we do see shows that this is a truly global operation. It affected countries around the globe, but southeast Asia, northern Africa, and countries in South America appear to have been hit the hardest, as shown below.

![Monero Brief 2](https://www.paloaltonetworks.com/blog/wp-content/uploads/2018/01/Monero-Brief-2.png)

*Malicious downloads by country*

The specific breakout of countries affected, and their download counts, is as follows:

1. Thailand -- 3,545,437
2. Vietnam -- 1,830,065
3. Egypt -- 1,132,863
4. Indonesia -- 988,163
5. Turkey -- 665,058
6. Peru -- 646,985
7. Algeria -- 614,870
8. Brazil -- 550,053
9. Philippines -- 406,294
10. Venezuela -- 400,661

Taking all those points together, this operation is very large and clearly very effective. It shows how aggressively attackers are focusing their operations and campaigns on generating and acquiring cryptocurrency.

From a threat point of view, two things are notable. First, from an attack technique point of view, there is nothing new here: the tactics and techniques are neither new nor sophisticated. Second, this operation is clearly very successful based on its size, scope, and age.

Looking at this latest operation on the continuum of evolving cryptocurrency-focused threats, it's clear that this is an early-stage threat given its lack of sophistication and its reuse of established techniques and tactics. But given how quickly and broadly successful it is, combined with the continued high value of cryptocurrencies, we can also conclude that attackers will continue to focus on cryptocurrency and will likely evolve their techniques and tactics quickly. Cryptocurrency-focused threats are a key area that all defenders should focus their intelligence and prevention efforts around in 2018.

Meanwhile, see our [full research blog](https://www.paloaltonetworks.com/blog/2018/01/unit42-large-scale-monero-cryptocurrency-mining-operation-using-xmrig/) for full details on how attackers are distributing and using XMRig to generate Monero.