First discovered in June 2018, Kingminer is a Monero-mining malware targeting Windows servers, particularly IIS and SQL servers. The actors behind the malware use various evasion methods to bypass detection. A Windows .sct file is installed on the victim's machine; on execution, the file detects the relevant CPU architecture, kills relevant .exe processes, and downloads a payload ZIP file. In the second phase of the attack, the XMRig CPU miner runs and uses the victim's entire CPU.
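The staged behaviour described above, turned into per-host detection logic as an added example (this is not code from the page or from Check Point): it correlates constructed Sysmon-style events and flags a host only when a .sct scriptlet execution is followed by the miner stage inside a time window. Hostnames, file paths, the regsvr32/taskkill command lines and the pool address are all assumed.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style process/file events, not data from the Check Point
# report; hostnames, paths, pool address and file names are all assumed.
SAMPLE_EVENTS = [
    '2018-06-12T10:00:01 host=iis01 type=ProcessCreate image=C:\\Windows\\System32\\regsvr32.exe cmd="regsvr32 /s /u /i:C:\\Windows\\Temp\\up.sct scrobj.dll"',
    '2018-06-12T10:00:04 host=iis01 type=ProcessCreate image=C:\\Windows\\System32\\taskkill.exe cmd="taskkill /f /im svchosts.exe"',
    '2018-06-12T10:00:09 host=iis01 type=FileCreate image=C:\\Windows\\System32\\wscript.exe target=C:\\Windows\\Temp\\x64.zip',
    '2018-06-12T10:01:30 host=iis01 type=ProcessCreate image=C:\\Windows\\Temp\\xmrig.exe cmd="xmrig.exe -o stratum+tcp://pool.example:3333 -t 16"',
    '2018-06-12T10:02:00 host=sql02 type=ProcessCreate image=C:\\Windows\\System32\\taskkill.exe cmd="taskkill /f /im notepad.exe"',
]

# The Kingminer stages described in the text, each as a predicate over a parsed event.
STAGES = [
    ("sct_scriptlet", lambda e: e["type"] == "ProcessCreate" and ".sct" in e.get("cmd", "").lower()),
    ("kill_processes", lambda e: e["type"] == "ProcessCreate" and e["image"].lower().endswith("taskkill.exe")),
    ("zip_payload", lambda e: e["type"] == "FileCreate" and e.get("target", "").lower().endswith(".zip")),
    ("xmrig_miner", lambda e: e["type"] == "ProcessCreate"
        and ("xmrig" in e["image"].lower() or "stratum+tcp://" in e.get("cmd", "").lower())),
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict; quoted values keep their spaces."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.fromisoformat(ts)}
    for key, value in KV_RE.findall(rest):
        event[key] = value.strip('"')
    return event

def classify(event):
    """Return the first Kingminer stage this event matches, or None."""
    for name, matches in STAGES:
        if matches(event):
            return name
    return None

def find_kingminer_chains(lines, window=timedelta(hours=1)):
    """Collect the stages seen per host in time order and return only hosts where the
    .sct stage came first and the miner stage followed within the window; a lone
    taskkill (as on sql02 in the sample) is not enough to raise an alert."""
    seen = {}
    for event in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        stage = classify(event)
        if stage is None:
            continue
        host = seen.setdefault(event["host"], {"first": event["ts"], "stages": []})
        if event["ts"] - host["first"] <= window and stage not in host["stages"]:
            host["stages"].append(stage)
    return {h: v["stages"] for h, v in seen.items()
            if v["stages"][:1] == ["sct_scriptlet"] and "xmrig_miner" in v["stages"]}

if __name__ == "__main__":
    for host, stages in find_kingminer_chains(SAMPLE_EVENTS).items():
        print(f"{host}: Kingminer chain {' -> '.join(stages)}")
```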

Reporting and Technical Details

  • Check Point provides technical analysis of the Kingminer malware here.