In July 2025, Darktrace researchers detected an attempted cryptojacking incident on a retail and e-commerce network.
A desktop device initiated an HTTP connection to a rare endpoint, 45.141.87[.]195 over port 8000.
Embedded in the request was a PowerShell script, infect.ps1.
The script’s behavior flagged an immediate anomaly: a new PowerShell user agent making an unusual outbound connection.
Analysis revealed the script dropped an obfuscated AutoIt loader. The loader injected NBMiner into a legitimate Windows process, charmap.exe. The attack chain began with three encoded data blobs in the PowerShell script.
The first blob, XOR’d with 97, produced an AutoIt executable stored in APPDATA/local/knzbsrgw.exe.
The second blob was saved to APPDATA/rauuq and later decoded. The third decoded into an AutoIt script written to %LOCALAPPDATA%\qmsxehehhnnwioojlyegmdssiswak.
Persistence was established through a startup shortcut. The loader reconstructed the payload in memory, allocated writable and executable memory inside charmap.exe, and launched the cryptominer.
The binary performed anti-sandbox checks and monitored for Task Manager activity. It killed sigverif.exe if detected and verified Windows Defender was the sole antivirus running. Without administrative rights, it attempted a UAC bypass using Fodhelper.
NBMiner connected to mining pools using arguments configured for Ravencoin and Monero endpoints. The process window was hidden to reduce visibility. Registry keys were checked and created as needed. Supporting DLLs and side-loaded binaries were dropped to maintain execution.
Darktrace linked the events together using Cyber AI Analyst. The sequence from PowerShell execution to cryptominer endpoint connections became clear. DNS requests to endpoints such as gulf[.]moneroocean[.]stream and connections to monerooceans[.]stream:10001 confirmed mining activity.
Autonomous Response intervened immediately. Outbound connections were blocked within seconds. More than 130 attempted connections were aborted. The SOC team confirmed containment was complete.
Cryptojacking is a quiet threat. Detection takes careful monitoring of anomalous activity instead of relying on known indicators. In this instance, Darktrace’s anomaly-based approach caught the attack in its early stages and prevented it from escalating.
The incident demonstrates how novel malware strains can exploit scripting tools like PowerShell and AutoIt. Early visibility and autonomous containment are key to minimizing impact.
Retailers: Use a layered approach
Nathaniel Jones, Vice President, Security & AI Strategy and Field CISO at Darktrace advises retailers to use a layered approach from a variety of solutions to ensure defence in depth: Network Detection and Response (NDR) for network traffic analysis, Endpoint Detection and Response (EDR) for real-time endpoint monitoring, and possibly a Security Information and Event Management (SIEM) systems for data correlation.
“This combination effectively detects cryptojacking activities concealed within legitimate Windows processes by monitoring network patterns, process behavior, and aggregating security events across your environment,” Jones adds.
“Escalation should be swift and structured. Start by alerting your internal security team to contain the threat and launch an investigation. Next, if relevant, bring in your MSSP to provide added expertise and resources for deeper analysis and remediation. If necessary, escalate to law enforcement and regulatory authorities when required, ensuring compliance with industry and legal obligations. This layered approach ensures cryptojacking incidents are handled quickly, thoroughly, and responsibly.”
A Broader Endpoint Security Challenge
James Maude, Field CTO at BeyondTrust, says while cryptojacking seems like more of an inconvenience than a major threat it is a symptom of a broader endpoint security challenge. “If your endpoint can be cryptojacked then credentials, secrets and sessions on that endpoint could also be “jacked” leading to broader identity risks as attackers use these to pivot into the cloud or other systems.”
He says this attack chain is typical of modern threats combining scripts with legitimate native tools such as PowerShell as well as signed third party binaries from trusted vendors. “This hybrid living off the land approach uses legitimate applications alongside some anti-sandboxing evasion techniques allows threat actors to effectively evade detection. While AV and EDR products have improved significantly in recent years there continue to be many ways to evade detection even with the unsubtle approach of naming the malicious script “infect.ps1”.”
Historically, some of the most effective protections against endpoint threats have been removing local admin rights and application control, this cryptojacking campaign is no exception, Maude adds. “The malware is designed to check if the user has local administrator privileges and bypass UAC to silently elevate privilege allowing it to have more control over the systems and inject into more processes. It also downloads and executes applications and scripts that could be blocked or controlled using application control.”
Ultimately, he says the risk this and other threats pose is directly related to the privileges the user has (both on the endpoint and in the cloud) and the control you have over what applications are allowed to execute. “Multiple cyber defense frameworks and best practices recommend removing admin rights, controlling application execution, and patching for good reason. They are proven to be some of the most effective and proactive mitigation against all types of threats no matter how creatively they evade detection.”
An Intrusion Signal
Organizations should treat modern cryptojacking as an intrusion signal, not a harmless nuisance, adds Jason Soroko, Senior Fellow at Sectigo.
“Adversaries can land through script based payloads that execute directly in memory and then hide inside trusted Windows processes, while quietly elevating privileges through known UAC weaknesses. These techniques blend with normal system behavior and exploit default configurations, which means traditional signature tools often remain quiet. Mining payloads also create real costs in energy and reliability, and they may serve as cover for a broader campaign that scouts the environment and harvests credentials.”
Soroko says activity that looks like a minor compliance issue can therefore be the first visible symptom of unauthorized control. “Leaders should understand that the mean time to detection is driven by visibility into script engines, process behavior, and outbound network use, not by lists of indicators alone. The goal is to spot what is unusual for your own estate and act before the miner becomes a beachhead.”
Review High-Fidelity Telemetry
Security teams should enable and actually review high-fidelity telemetry that surfaces these behaviors, Soroko explains. “Turn on PowerShell Script Block Logging and command line auditing, prefer constrained language mode on user workstations, and feed logs that include event ID 4688 and PowerShell event ID 4104 into detections that flag new user agents, encoded commands, and suspicious parent child chains. Apply application control with Windows Defender Application Control or AppLocker to restrict script interpreters and portable executables that are not business critical, and block unneeded tools that are often abused.”
He also advises to hunt for memory injection into odd targets such as Character Map and for creation of new threads in GUI utilities, and alert when a signed process suddenly opens handles for full access.
“Enforce outbound filtering and DNS monitoring, block connections to rare destinations and known mining pools, and quarantine hosts that open persistent connections on unusual ports. Remediate by rotating credentials used on the affected host, clearing persistence such as startup links or scheduled tasks, and rebuilding when uncertainty remains. Finally, raise the severity of mining findings in the playbook, measure response time to the first anomalous script execution, and train support teams to treat unexplained CPU or GPU spikes as a potential incident.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.