FortiGuard Labs has uncovered a sophisticated crypto mining campaign that demonstrates the evolving threat landscape of 2025.
The FortiCNAPP team recently investigated a cluster of virtual private servers (VPS) utilized by the H2Miner botnet for large-scale Monero mining operations, revealing updated configurations and an unprecedented collaboration with the Lcrypt0rx ransomware family.
This investigation marks the first documented operational overlap between these two threat actors, suggesting either direct collaboration or tool sharing to maximize financial returns across different operating systems.
Multi-Platform Attack Infrastructure Targets Diverse Environments
The H2Miner campaign has expanded significantly since its initial documentation in 2020, now deploying a comprehensive arsenal of tools across Linux, Windows, and containerized environments.
The infrastructure hosts KinSing for Linux systems, multiple variants of XMRig miners for cross-platform deployment, and Windows-specific threats, including Lumma stealer, DCRat, Cobalt Strike, and the newly identified Lcrypt0rx ransomware variant.
The attack leverages multiple VPS providers, including HostGlobal, Aeza International, and Alibaba Cloud services, with command and control servers distributed across various hosting platforms to ensure operational resilience.
Technical analysis reveals that H2Miner continues utilizing shell scripts with updated deployment URLs, including ce.sh (MD5: 1bf1efeadedf52c0ed50941b10a2f468), which terminates security software, deploys Kinsing malware, and establishes persistence through service registration.
The campaign explicitly targets cloud environments by killing Alibaba Cloud Security Center agents and Docker container processes, demonstrating awareness of modern cloud-specific defenses.
The PowerShell component (1.ps1) downloads XMRig miners and creates scheduled tasks for persistence, pointing to the same Monero wallet (4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC) previously linked to H2Miner campaigns since late 2021.
AI-Generated Ransomware Introduces Novel Threat Vector
The most intriguing discovery involves Lcrypt0rx, a VBScript-based ransomware variant that exhibits multiple indicators of AI-generated code.
FortiGuard Labs identified significant coding anomalies, including function duplication, incorrect persistence mechanisms, flawed encryption logic, and malformed syntax errors such as “WshShell.RegWriteWshShell.RegWrite.”
The ransomware attempts to open encrypted files in Notepad and targets nonexistent folder paths, demonstrating the lack of contextual awareness typical of large language model outputs.
AI-detection tools corroborated these suspicions, returning 85-90% confidence scores that the code was machine-generated.
Beyond encryption capabilities, Lcrypt0rx deploys additional malware, including Lumma stealer, DCRat, and the same XMRig miners used in H2Miner campaigns.
The ransomware demands $1,000 (an increase from $500 in previous variants) with a shortened three-day payment deadline, although its simple XOR encryption makes recovery trivial through basic cryptanalysis.
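To show concretely why a simple XOR scheme makes recovery trivial, here is an added example (not FortiGuard's code and not Lcrypt0rx's actual routine): it assumes a short repeating XOR key, which is one plausible reading of "simple XOR encryption" but is an assumption, not a detail from the report. A constructed victim file is encrypted with such a key, and the key is then recovered from a known plaintext prefix (a file-format magic header such as PNG's), after which the whole file is restored without ever seeing the attacker's key.

```python
# Added example, not from the FortiGuard report: recovering a repeating-key
# XOR "encryption" from a known plaintext prefix. The repeating-key scheme,
# the key and the sample file are all constructed assumptions for illustration.
from itertools import cycle
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation both encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes, max_key_len: int = 64) -> Optional[bytes]:
    """Recover a repeating XOR key from a known plaintext prefix.

    XOR-ing the ciphertext with the known plaintext yields the keystream over
    that prefix. The shortest period that explains the whole prefix is the key.
    The prefix must cover at least two full key periods, otherwise the period
    cannot be confirmed and None is returned (known prefix too short).
    """
    if len(known_prefix) > len(ciphertext):
        raise ValueError("known prefix longer than ciphertext")
    keystream = xor_bytes(ciphertext[: len(known_prefix)], known_prefix)
    longest_checkable = min(max_key_len, len(keystream) // 2)
    for period in range(1, longest_checkable + 1):
        candidate = keystream[:period]
        if all(keystream[i] == candidate[i % period] for i in range(len(keystream))):
            return candidate
    return None


def recover_file(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Restore a whole file once the key has been recovered from its header."""
    key = recover_key(ciphertext, known_prefix)
    if key is None:
        return None
    return xor_bytes(ciphertext, key)


# Constructed sample: a fake PNG (real 8-byte PNG magic followed by filler
# bytes) encrypted with a constructed 4-byte key. Eight known bytes cover two
# key periods, which is exactly enough to confirm the period.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_PLAINTEXT = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + bytes(range(40))
SAMPLE_KEY = b"k3y!"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    print("recovered key:", recover_key(SAMPLE_CIPHERTEXT, PNG_MAGIC))
    print("file restored:", recover_file(SAMPLE_CIPHERTEXT, PNG_MAGIC) == SAMPLE_PLAINTEXT)
```

The recovery needs no key material from the attacker at all, only a file whose first bytes are predictable, which is true of nearly every document and image format. A scheme using a per-file random key with an authenticated cipher would not fall to this, which is the point: the weakness lies in the choice of XOR, not in any mistake the analyst has to find.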
This convergence of mining and ransomware operations represents a troubling trend where threat actors leverage both AI-generated code and commercially available tools to lower the barrier to entry for sophisticated cybercriminal campaigns.
IOCs
IPs
78[.]153[.]140[.]66
80[.]64[.]16[.]241
89[.]208[.]104[.]175
47[.]97[.]113[.]36
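As an added example (not part of the FortiGuard report), the following sweep refangs the defanged IPs listed above and the Monero wallet address named earlier, then matches them against constructed firewall and process-telemetry lines. The log format, host names and command lines are invented for illustration; only the IPs and the wallet come from the report.

```python
# Added example, not from the FortiGuard report: a small IOC sweep over
# constructed log lines. Indicators are the IPs and wallet named in the report;
# the log lines, hosts, paths and pool name are constructed sample data.
import re
from typing import Dict, List

DEFANGED_IPS = [
    "78[.]153[.]140[.]66",
    "80[.]64[.]16[.]241",
    "89[.]208[.]104[.]175",
    "47[.]97[.]113[.]36",
]
WALLET = (
    "4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC"
)


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("78[.]153[.]140[.]66", "hxxp://") back into its literal form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample telemetry: firewall lines carry src/dst, proc lines carry
# a command line. Lines 1 and 5 contact listed IPs, line 3 passes the wallet
# to a miner; lines 2 and 4 are benign controls.
SAMPLE_LOGS = [
    "2025-07-01T10:02:11Z fw allow src=10.0.4.12 dst=78.153.140.66 dport=80 proto=tcp",
    "2025-07-01T10:02:15Z fw allow src=10.0.4.12 dst=142.250.74.46 dport=443 proto=tcp",
    '2025-07-01T10:03:40Z proc host=web-07 cmd="/tmp/miner -o pool.example.invalid:3333 -u ' + WALLET + '"',
    '2025-07-01T10:04:02Z proc host=win-03 cmd="C:\\Windows\\System32\\notepad.exe notes.txt"',
    "2025-07-01T10:05:00Z fw deny src=10.0.4.19 dst=47.97.113.36 dport=8080 proto=tcp",
]


def sweep(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per matched indicator, in log order."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append({"line": n, "kind": "ip", "indicator": ip})
        if WALLET in line:
            hits.append({"line": n, "kind": "wallet", "indicator": WALLET})
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['kind']} match {hit['indicator']}")
```

The wallet match is the more durable signal of the two: mining pools and the VPS hosts rotate, but the wallet has been tied to H2Miner since late 2021, so a literal match on it in process command lines or miner configuration files is worth alerting on regardless of which IPs are current.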