Tuesday, April 29, 2025
HomeCyber Security NewsCryptocurrency Miners Back - Lemon Duck Attacking Government, Retail, and Technology Sectors

Cryptocurrency Miners Back – Lemon Duck Attacking Government, Retail, and Technology Sectors

Published on

SIEM as a Service

Follow Us on Google News

The Cybersecurity research firm Cisco Talos has recently detected an activity that are linked with the cryptocurrency botnet. The experts claimed that these attacks are targetting different businesses within sectors like the government, retail, and technology.

The attacker uses various techniques to spread the malware all over the network, just as sending affected RTF files by using email, psexec, WMI, and SMB exploits. Moreover, these files also contain the infamous Eternal Blue and SMBGhost threats that affect the Windows 10 machines. 

Some variants also support RDP brute-forcing, and experts have identified that the attackers also use tools such as Mimikatz, as it helps the botnet increase the number of systems participating in its opening pool.

- Advertisement - Google News

Lemon Duck Malware

Lemon Duck is a botnet that has automatic spreading capabilities. Its concluding payload is a modification of the Monero cryptocurrency mining software XMR.

Lemon Duck is one of the most complicated mining botnets with various impressive methods and techniques to cover up all its operations.

According to the reports, the security experts have recently seen a recovery in the number of DNS requests that are connected with its command and control and mining servers.

That’s why the security experts have decided to take a close look at its functionality by prioritizing previously less documented modules like the Linux branch and C# modules that are loaded by the specific PowerShell component.

What’s new?

This threat has been active since the end of December 2018, and there has been an apparent increase in its activity at the end of August 2020.

Infection vectors

The cybersecurity team, Cisco Talos, has affirmed that they had recorded 12 independent infection vectors ranging from standard copying over SMB shares and tried to use the vulnerabilities in Redis and the YARN Hadoop resource manager and job scheduler. 

Not only this, but the Talos experts have also noticed a huge increase in the number of DNS requests connected with Lemon Duck C2 and mining servers, and it has been done at the end of August 2020.

GPUs used by Lemon Duck for mining

  • GTX
  • NVIDIA
  • GEFORCE
  • AMD
  • RADEON

Modular Functionalities

In Lemon Duck, the modules that are included are the primary loader; it checks the level of user privileges and all the elements that are relevant for mining, like the type of the accessible graphic card. If these GPUs are not identified, then the loader will get download and run the commodity XMRig CPU-based mining script.

Moreover, other modules are included in the main spreading module, a Python-based module packaged using a Pyinstaller, and a killer module designed to impair known competing mining botnets.

Open-source PowerShell projects code included in Lemon Duck

  • Invoke-TheHash by Kevin Robertson
  • Invoke-EternalBlue PowerShell EternalBlue port
  • BlueKeep RCE exploit (CVE- 2019-0708) PowerShell port
  • Powersploit’s reflective loader by Matt Graeber
  • Modified Invoke-Mimikatz PowerShell module

Apart from this, the threat actors behind Lemon Duck want to make sure that their operation must be profitable. That’s why the Lemon Duck has checked all the infected machines for other known crypto miners and shuts them down accordingly.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read

CoronaVirus Cyber Attack Panic – Threat Actors Targets Victims Worldwide

Chinese APT Hackers Exploit MS Word Bug to Drop Malware Via Weaponized Coronavirus Lure Documents

How Can The Coronavirus (COVID-19) Disrupt Cybersecurity Operations?

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Verizon 2025 Report Highlights Surge in Cyberattacks Through Third Parties

Verizon Business unveiled its 2025 Data Breach Investigations Report (DBIR) today, painting a stark...

GPUAF: Two Methods to Root Qualcomm-Based Android Phones

Security researchers have exposed critical vulnerabilities in Qualcomm GPU drivers, impacting a vast array...

SecAI Debuts at RSA 2025, Redefining Threat Investigation with AI

By fusing agentic AI and contextual threat intelligence, SecAI transforms investigation from a bottleneck...

Blinded from Above: How Relentless Cyber-Attacks Are Knocking Satellites Out of Sight

According to the Center for Strategic & International Studies' (CSIS) 2025 Space Threat Assessment,...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Verizon 2025 Report Highlights Surge in Cyberattacks Through Third Parties

Verizon Business unveiled its 2025 Data Breach Investigations Report (DBIR) today, painting a stark...

GPUAF: Two Methods to Root Qualcomm-Based Android Phones

Security researchers have exposed critical vulnerabilities in Qualcomm GPU drivers, impacting a vast array...

Blinded from Above: How Relentless Cyber-Attacks Are Knocking Satellites Out of Sight

According to the Center for Strategic & International Studies' (CSIS) 2025 Space Threat Assessment,...