H2Miner Targets Linux, Windows, and Containers to Illicitly Mine Monero
FortiGuard Labs researchers have uncovered a sophisticated cryptomining campaign where the H2Miner botnet, active since late 2019, has expanded its operations to target Linux, Windows, and containerized environments simultaneously.
The campaign represents a significant evolution in cross-platform cryptocurrency mining attacks, with threat actors leveraging updated scripts and infrastructure to maximize financial gains from compromised systems.
The investigation revealed that H2Miner operators have updated their arsenal with new deployment URLs while maintaining core functionalities from previous campaigns documented in 2020.
The malware continues to rely heavily on shell scripts to disable security defenses and deploy Kinsing malware, but now demonstrates enhanced awareness of cloud-specific defenses and containerized environments.
Notably, the updated scripts specifically target Alibaba Cloud Security Center agents and processes running within Docker containers, indicating the operators’ adaptation to modern cloud infrastructure.
Campaign Infrastructure
The threat actors have established a diverse infrastructure hosting multiple commercial tools across different operating systems ...
Copyright of this story solely belongs to gbhackers.