
Neutralizing the Watchdog: Automated Security Removal in a Modular Cryptomining Campaign  

Joint Publication: Modat and Recorded Future 


Introduction


A cryptomining campaign recently uncovered by Modat, working alongside Recorded Future, demonstrates a high level of modular efficiency that poses a direct threat to organisational infrastructure. Cryptomining involves hijacking a system's processing power to mine cryptocurrency, resulting in hardware wear, performance degradation, and a significant financial impact, whether through increased on-premises energy consumption or higher cloud service costs. This campaign is particularly dangerous because it employs "living off the land" (LotL) tactics, weaponising a target’s own legitimate system tools against them to systematically dismantle security before hijacking hardware for profit.


Although the campaign was not fully operational due to a domain resolution failure, analysing these tactics, techniques, and procedures (TTPs) helps defenders better track this activity and build more resilient detections.


Key Findings


● Security Product Sabotage: The malware performed a systematic removal of established security suites, including the automated uninstallation of Norton and McAfee.

● Native Tool Abuse: Legitimate binaries like certutil.exe were used to decode malicious tools, and tar.exe was used for extraction to minimise the custom code footprint.

● Hardware Stealth: The script forced "silent" fan profiles and manipulated power settings to ensure the computer never slept during mining operations.

● Credential Theft and Exfiltration: The threat actor harvested Wi-Fi profiles and used Hashcat to crack local NTLM hashes, exfiltrating data via a Discord webhook.


Attack Flow Overview


Figure 1 breaks down the automated steps from the initial HTA script to the final mining payload:

Figure 1: Multistage attack lifecycle and technical execution flow (Source: Modat)
1. Initial Access and Execution

The infection began with an HTML Application (HTA) wrapper that suppressed its UI by setting WINDOWSTATE="minimize" and SHOWINTASKBAR="no". As seen in Figure 2, the file was first found in Modat Magnify, where an HTTP request to TCP port 80 on the IP address 65[.]20[.]101[.]17 was observed returning the HTA file.


Figure 2: IP address 65[.]20[.]101[.]17 hosting the malicious VBScript as seen in Modat Magnify

The HTA launched a VBScript component that used conhost and a headless PowerShell script to carry out the staging activities. This stage was critical for collecting the core toolkit and a credential file, pass.txt, from the domain 8af[.]ca.[1]


The script then used a renamed version of PsExec (p.exe) to attempt lateral movement. It iterated through all user profile directories under C:\Users, attempting to remotely execute the next stage of the payload on every account discovered using the retrieved credentials.


2. Defense Evasion and Privilege Escalation

To maintain its pattern of abusing built-in Windows mechanisms, the script used a fodhelper.exe User Account Control (UAC) bypass when elevation was unavailable. This was achieved by registering a custom command handler in the registry under HKCU\Software\Classes\ms-settings\CurVer.


Automated Antivirus Removal


The malware actively hunted for security products to perform non-interactive uninstalls. If Norton was detected, it downloaded the official Norton Remove and Reinstall (NRnR) tool and used AutoHotkey to drive the uninstallation workflow without user interaction.


Figure 3: AutoHotkey used to automate Norton removal by hiding windows and simulating keystrokes

If McAfee was detected, the script executed the mccleanup.exe utility with a comprehensive set of parameters designed to stop and remove all McAfee-related components and services.


3. Post-Exploitation and Persistence

The batch file c.bat (originally downloaded as cmd) orchestrated the decoding of the attacker's toolkit. It used the legitimate certutil.exe tool to decode base64-encoded text files (ua.txt and yk.txt) into working binaries and archives.


The threat actor specifically leveraged native tar.exe to extract the decoded archive yk.zip. This process was used to deploy Mimikatz to the host: the binary was embedded within the encoded yk.txt file and extracted into the C:\YK directory via tar.exe. Once deployed, Mimikatz was executed to dump the SAM and SYSTEM hives.


Figure 4: Abuse of certutil.exe for decoding and tar.exe for tool extraction

Persistence was maintained via a malicious service named intelsvc. This service launched a PowerShell stager pointing to 8af[.]ca/2, ensuring the infection survived reboots. Additionally, the script disabled system notifications and cleared notification history to hide mining activities from the user.


4. Resource Hijacking and Data Exfiltration

The final payload, YK.ps1 (launched by the intelsvc service), deployed the mining components. On systems with dedicated graphics processing units (GPUs), the threat actor expanded operations to include GMiner in addition to the standard XMRig CPU miner. To stay hidden, the script used "silent" fan profiles via atrofac-cli.exe and manipulated power settings to prevent the computer from sleeping during mining.


Hashcat Deployment and Intelligence Exfiltration


During this post-exploitation phase, the script retrieved and deployed Hashcat. The package was downloaded directly from the official Hashcat GitHub repository as cat.7z. To unzip the package into C:\YK, the script also retrieved a standalone 7-Zip executable (7za.exe).


The threat actor used Hashcat locally, rather than exfiltrating raw hashes, which minimised the outbound detection surface and enabled offline brute force. The attacker attempted to crack the NTLM hashes previously harvested by Mimikatz.


Figure 5: Local Hashcat cracking and data exfiltration via Discord webhook

Stolen passwords, system logs, and Wi-Fi profiles were exfiltrated using a Discord webhook, effectively leveraging Discord's infrastructure as a stealthy command-and-control (C2) channel.


Conclusion

The analysis of this campaign's modular efficiency provides a technical roadmap for building more resilient, behaviour-based detections. Security teams should remain vigilant for the abuse of legitimate tools, such as certutil.exe for binary decoding, as well as unexplained modifications to hardware performance profiles and power configuration settings, as these remain the primary indicators of this threat actor's automated sabotage. Identifying these patterns allows organisations to prevent physical hardware degradation and the escalating financial impact of resource hijacking across both on-premises and cloud infrastructure.
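The detection guidance above, as an added example that is not part of the Modat/Recorded Future report: a small Python detector run over constructed, Sysmon-style process-creation records. It flags the TTPs described in sections 2 to 4 (certutil.exe decoding, tar.exe extraction, the ms-settings CurVer registry write and fodhelper.exe launch, creation of the intelsvc service, atrofac-cli.exe fan profiles) and alerts only when several chain on one host; the powercfg rule and the record field names are assumptions, not details from the report.

```python
import re
from collections import defaultdict

# Rule name -> pattern tried against the lower-cased command line. All but the
# last rule come straight from the report; using powercfg to disable sleep is
# an assumption about how the power settings were changed.
RULES = {
    "certutil_decode": re.compile(r"\bcertutil(\.exe)?\b.*\s-decode\b"),
    "tar_extract_archive": re.compile(r"\btar(\.exe)?\s+-x\w*\s+.*\.zip\b"),
    "ms_settings_curver_write": re.compile(r"\\classes\\ms-settings\\curver\b"),
    "fodhelper_launch": re.compile(r"\bfodhelper\.exe\b"),
    "intelsvc_service_create": re.compile(r"\bsc(\.exe)?\s+create\s+intelsvc\b"),
    "atrofac_fan_profile": re.compile(r"\batrofac-cli(\.exe)?\b"),
    "powercfg_keep_awake": re.compile(r"\bpowercfg(\.exe)?\b.*standby-timeout\S*\s+0\b"),
}

def match_event(cmdline):
    """Names of every rule the command line triggers (in RULES order)."""
    line = cmdline.lower()
    return [name for name, pat in RULES.items() if pat.search(line)]

def score_hosts(events):
    """Map host -> set of distinct TTPs seen on it (one entry per rule)."""
    hits = defaultdict(set)
    for ev in events:
        hits[ev["host"]].update(match_event(ev["cmdline"]))
    return dict(hits)

def suspicious_hosts(events, min_rules=3):
    """Hosts where at least min_rules distinct TTPs chain together.

    Any one rule (certutil -decode, a tar extraction) has benign uses; the
    report's signal is the combination, so alert on the chain, not one hit.
    """
    return sorted(h for h, r in score_hosts(events).items() if len(r) >= min_rules)

# Constructed Sysmon-like process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": r"certutil -decode C:\YK\ua.txt C:\YK\ua.exe"},
    {"host": "ws01", "cmdline": r"tar.exe -xf C:\YK\yk.zip -C C:\YK"},
    {"host": "ws01", "cmdline": r"reg add HKCU\Software\Classes\ms-settings\CurVer /ve /d sample /f"},
    {"host": "ws01", "cmdline": r"C:\Windows\System32\fodhelper.exe"},
    {"host": "ws01", "cmdline": r'sc create intelsvc binPath= "powershell.exe -File C:\YK\YK.ps1"'},
    {"host": "ws01", "cmdline": r"powercfg /change standby-timeout-ac 0"},
    {"host": "ws02", "cmdline": r"certutil -hashfile C:\Tools\setup.exe SHA256"},
    {"host": "ws02", "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
]
```

Calling `suspicious_hosts(SAMPLE_EVENTS)` returns `['ws01']`; the benign certutil -hashfile use on ws02 produces no hit, which is the point of alerting on the chain rather than on any single LotL binary.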


Indicators of Compromise (IoC)

Type       | Indicator / Filename           | Context / Note                                          | SHA-256
Domain     | 8af[.]ca                       | Primary staging and payload delivery domain             | N/A
IP Address | 65[.]20[.]101[.]17             | Direct host for files and XMRig pool endpoint (port 80) | N/A
Service    | intelsvc                       | Persistence service created by the malware              | N/A
File       | p.exe                          | Renamed PsExec used for lateral movement                |
File       | 1 (8af[.]ca/1)                 | Privilege escalation and security removal script        |
File       | 2 (8af[.]ca/2)                 | Post-exploitation and mining deployment stager          |
File       | cmd                            | Batch script (c.bat) for LotL binary decoding           |
File       | ua.txt                         | Base64-encoded binary decoded by certutil               |
File       | yk.txt                         | Base64-encoded archive decoded by certutil              |
File       |                                | Secondary installation package                          |
File       |                                | Malicious Task Manager debugger (task.exe)              |
File       | 7za.exe                        | 7-Zip utility used for archive extraction               |
File       | cat.7z                         | Hashcat package for local credential cracking           |
Webhook    | discord[.]com/api/webhooks/... | Discord exfiltration and C2 channel                     | N/A

Footnote

[1] At the time of writing, the domain 8af[.]ca no longer resolves to the host IP 65[.]20[.]101[.]17. This IP address was previously seen resolving to the domain 9df[.]ca between late 2024 and early 2025. Despite the domain issues, the malicious files remained available on the IP address.


About Modat 

Founded in 2024, Modat is a European research-driven cybersecurity company focused on strengthening cyber resilience for individuals, companies, and governments. Our flagship platform, Modat Magnify, fingerprints and catalogues every internet connected device, to turn large amounts of raw data into actionable security insights.


Modat was created by researching, listening to, and directly experiencing the needs and challenges of security professionals. Our products enable the security community by giving access to unparalleled speed, contextualised data, and predictive insights. We are actively joining the fight to get ahead of cyber-attacks by narrowing the growing gap between digital threats and resilience. Join us to outpace and outlast.


Learn more by visiting modat.io; to access the platform, visit magnify.modat.io


