This repository was archived by the owner on Dec 9, 2025. It is now read-only.

FogMoe/xmrig-dropper-incident-report
Incident Report: Unauthorized XMRig Miner Dropper on Azure VM

⚠️ DO NOT RUN ANY SCRIPTS OR BINARIES IN THIS REPOSITORY.

With mandatory safety disclaimer and usage restrictions

Context (What happened)

A previously compromised Ubuntu server (Azure VM) was found running an unauthorized cryptocurrency miner. During incident response and offline disk inspection, I located a shell script dropper (sex.sh) that:

  • downloads XMRig from the official GitHub release page,
  • sets mining parameters (pool + wallet),
  • attempts persistence via systemd (service name: system-update-service),
  • falls back to nohup if systemd setup fails.

This repository is for documentation, threat intelligence sharing (IOCs), and defensive learning only.

Why I’m publishing this

  • To help others recognize the same patterns quickly
  • To preserve indicators of compromise (IOCs) for defenders
  • To document the incident timeline and remediation steps

I am not distributing malware. Any content here must not be executed.

Key Indicators (IOCs)

  • Dropper script path observed: /nextjsproject/sex.sh
  • Archive name used: kal.tar.gz
  • Extracted directory: xmrig-6.24.0/
  • Persistence: systemd service named system-update-service
  • Miner: xmrig (Monero / XMR CPU miner)

Note: Some values may be partially redacted to prevent abuse.
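As an added defender's check (not part of the original report), the following POSIX shell sweep looks for the indicators listed above under a mounted offline disk image, with a separate function for a live host. The systemd unit file locations under /etc/systemd/system and /lib/systemd/system are assumptions about where a service named system-update-service would be installed; the indicator names themselves come from the report.

```shell
#!/bin/sh
# Added example: offline IOC sweep for the indicators in this report.
# The systemd unit file locations are an assumption (typical install paths);
# the indicator names themselves come from the report.

# scan_root ROOT: prints one line per indicator found under ROOT
# (a mounted evidence image, or / for a live host) and the hit count last.
scan_root() {
    root="${1:-/}"
    hits=0

    # Dropper script at the path observed in the incident.
    if [ -f "$root/nextjsproject/sex.sh" ]; then
        echo "HIT dropper script: $root/nextjsproject/sex.sh"
        hits=$((hits + 1))
    fi

    # systemd persistence under the deceptive service name.
    for unit in "$root/etc/systemd/system/system-update-service.service" \
                "$root/lib/systemd/system/system-update-service.service"; do
        if [ -f "$unit" ]; then
            echo "HIT persistence unit: $unit"
            hits=$((hits + 1))
        fi
    done

    # Download archive and extracted miner directory, wherever they landed.
    for name in kal.tar.gz xmrig-6.24.0; do
        found=$(find "$root" -name "$name" 2>/dev/null | head -n 1)
        if [ -n "$found" ]; then
            echo "HIT miner artifact: $found"
            hits=$((hits + 1))
        fi
    done

    echo "$hits"
}

# live_check: on a running host, look for the miner process and the
# registered unit (the nohup fallback leaves no unit file, only a process).
live_check() {
    pgrep -x xmrig >/dev/null 2>&1 && echo "HIT running process: xmrig"
    systemctl list-unit-files 2>/dev/null | grep -q '^system-update-service' \
        && echo "HIT registered unit: system-update-service"
    return 0
}

# Usage: sh ioc_sweep.sh /mnt/evidence   (no argument: nothing runs)
[ "$#" -gt 0 ] && scan_root "$1"
```

Run it against the mount point of the evidence image, never against the suspect binaries themselves; the final number printed is the count of matched indicators.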

Reference: XMRig download source

The dropper downloads XMRig from the official release URL:

Files in this repository

Responsible use

If you are not a security professional with an isolated lab environment, do not download or handle any suspicious binaries. For regular users: treat this repository as a read-only warning and reference.

License

This repository is shared for educational and defensive purposes. No warranty. Use at your own risk.
