Use of XMRig Cryptominer by Threat Actors Expanding: Expel
2026-01-09 17:04:21 Author: securityboulevard.com

XMRig is a legitimate open-source cryptocurrency mining tool available on GitHub that hackers have for years been deploying in campaigns aiming to steal crypto – particularly Monero – from victims’ wallets.

As an example, threat researchers with Kaspersky early last year reported seeing a surge starting in late December 2024 of threat actors exploiting XMRig, distributing the cryptominer through game torrents in a campaign dubbed “StaryDobry.”

“However, the cryptominer also surfaced on corporate networks — probably due to employees using work computers for personal use,” the researchers wrote.

More recently, security researchers observed some bad actors exploiting the maximum-severity React2Shell vulnerability, which exploded onto the scene last month, to deploy XMRig and other cryptominers. According to researchers with Wiz, one campaign deployed a UPX-packed version of XMRig, while a second one downloaded the standard XMRig setup from GitHub.

Cryptominers Could Signal Security Holes

In a blog post this week, Ben Nahorney, senior technical marketing writer with Expel, which provides AI-based managed detection and response (MDR) services, compared XMRig and other cryptominers to weeds that pop up in the cracks left by unpatched software and compromised credentials and, “like weeds … is an annoyance that should be pulled out for the health of the garden.”

“Dealing with cryptominers may not seem urgent when tackling bigger threats, and while it could be argued they’re ‘less malicious,’ they should still be prioritized,” Nahorney wrote. “The fact is the presence of an unauthorized cryptominer tends to speak to unaddressed security holes in the environment. And any attackers getting XMRig onto systems could just as easily be installing more malicious software if they so choose.”

XMRig is a legitimate tool, but its detection can signal a weakness in an organization’s.

“Threats are similarly opportunistic” as weeds are, Nahorney wrote. “They don’t limit themselves to a single attack vector or platform. The goal is to establish themselves how and where they can. Few threats illustrate this better than cryptominers. While it can be argued that cryptominers in and of themselves are not malicious, bad actors often install them without users’ or admins’ knowledge.”

A Booming Business

Cryptominers remain in demand among legitimate and bad actors. According to analysts with market research firm Precedence Research, the global crypto mining market was valued at $2.77 billion last year and is projected to rise to $3.12 billion in 2026. By 2035, it will be worth $9.18 billion, growing an average of 12.73% a year.

“The industry is expanding primarily because of the development of distributed ledger technologies and an increase in electronic venture capital investment,” the analysts wrote. “Digital currency is now being used by developing nations as a means of financial transactions. Additionally, blockchain technology is frequently used in conjunction with virtual currency to provide decentralized and managed related capital.”

Many Avenues for Using XMRig

According to Expel’s Nahorney, XMRig in particular is popping up in a growing number of places. He noted the use of React2Shell to distribute the cryptominer, but added that it has also arrived via compromised credentials for several remote administration applications and via SSH brute-force attacks.

It’s also been installed through commodity malware.

XMRig provides cross-platform compatibility, so hackers can use the same tool not only in Windows endpoints and Linux hosts, but also in Kubernetes pods and Amazon Web Services EC2 instances.

“Since XMRig performs CPU mining, it is an ideal choice in low-resource conditions such as these,” he wrote. “This allows attackers to efficiently monetize the platforms they compromise, regardless of their size and computing power.”

Roaring Back

Researchers with German cybersecurity firm G Data CyberDefense last summer wrote about a resurgence of malware deploying XMRig after what they described as a “two-year hiatus.” The researchers noted one possible reason for the upswing was the rally of the market for Monero between January and May last year – including a spike in April – gaining 45% in value, from $196 to $285.

“The spike coincided with the high-profile bitcoin theft that was subsequently converted into Monero,” they wrote. “This theft and subsequent conversion were reportedly orchestrated by a single individual in the U.S.”

Another driver was the optimization updates introduced in April, which they wrote “may have encouraged users (including threat actors) to capitalize on the promise of the latest version.”

‘No Smoking Gun’

Nahorney wrote that “XMRig isn’t inherently malicious since it’s legitimate mining software, which can make detection trickier. When attempting to identify unauthorized cryptomining installations, no single indicator is a smoking gun confirming a miner’s presence on its own.”

Organizations need to look for outbound connections to Monero mining pools, unusual encrypted connections, and high CPU use on systems that don’t tend to run intensive workloads or during off hours. They also should check for unexpected scheduled tasks, cron jobs, or registry startup items. With Kubernetes, they should review pod security policies and ensure baseline profiles are enabled, and on AWS EC2 instances, they need to use AWS GuardDuty to detect cryptomining and turn on Runtime Monitoring.
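The guidance above, and Nahorney’s point that no single indicator is a smoking gun, translate naturally into detection logic that correlates several weak signals per host. The following is an added example written for this article, not code from Expel or from the XMRig project. The host names, log records, pool ports, CPU threshold, off-hours window and alert threshold are all constructed assumptions; the `stratum+tcp://` scheme is the URL form miners use to reach pools, and the port list is only an assumption for illustration.

```python
"""Score hosts for likely unauthorized cryptomining from several weak indicators.

Added example, not the article's or Expel's code. Every record, host name,
port number and threshold here is a constructed assumption for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Pool-style indicators. stratum+tcp/ssl is the scheme miners use for pool URLs;
# the port set below is an assumption, not a vetted threat-intel list.
STRATUM_SCHEMES = ("stratum+tcp://", "stratum+ssl://")
SUSPECT_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
OFF_HOURS = range(0, 6)      # assumption: 00:00-05:59 local is outside normal workload hours
CPU_THRESHOLD = 85.0         # assumption: sustained CPU percentage worth noting
ALERT_THRESHOLD = 3          # independent indicators needed before flagging a host


@dataclass
class HostEvidence:
    host: str
    indicators: Set[str] = field(default_factory=set)


def check_connection(rec: dict) -> Optional[str]:
    """Outbound connection record -> indicator name, or None if benign-looking."""
    if rec["dest"].startswith(STRATUM_SCHEMES):
        return "stratum_scheme"
    # Encrypted traffic to a pool-style port with no known service behind it.
    if rec["dport"] in SUSPECT_POOL_PORTS and rec.get("tls") and not rec.get("known_service"):
        return "unusual_encrypted_to_pool_port"
    return None


def check_cpu(rec: dict) -> Optional[str]:
    """CPU sample -> indicator when a non-compute host is pegged, worse off hours."""
    if rec["cpu_pct"] < CPU_THRESHOLD or rec["role"] == "compute":
        return None
    hour = datetime.fromisoformat(rec["ts"]).hour
    return "high_cpu_off_hours" if hour in OFF_HOURS else "high_cpu_non_compute"


def check_persistence(rec: dict) -> Optional[str]:
    """Scheduled task, cron job or registry Run entry not on the approved list."""
    if rec["kind"] in ("cron", "schtask", "run_key") and not rec.get("approved"):
        return "unexpected_persistence"
    return None


def score_hosts(conns, cpu_samples, persistence) -> Dict[str, HostEvidence]:
    """Collect distinct indicators per host across the three telemetry sources."""
    evidence: Dict[str, HostEvidence] = {}

    def add(host: str, ind: Optional[str]) -> None:
        if ind:
            evidence.setdefault(host, HostEvidence(host)).indicators.add(ind)

    for r in conns:
        add(r["host"], check_connection(r))
    for r in cpu_samples:
        add(r["host"], check_cpu(r))
    for r in persistence:
        add(r["host"], check_persistence(r))
    return evidence


def likely_miners(evidence: Dict[str, HostEvidence]) -> List[str]:
    """Hosts with enough independent indicators to warrant investigation."""
    return sorted(h for h, e in evidence.items() if len(e.indicators) >= ALERT_THRESHOLD)


# Constructed sample telemetry: one host with three corroborating signals,
# one legitimate compute node, and one host with a single stray signal.
SAMPLE_CONNS = [
    {"host": "web-01", "dest": "stratum+tcp://pool.example.invalid:3333", "dport": 3333, "tls": False},
    {"host": "db-02", "dest": "backup.example.invalid", "dport": 443, "tls": True, "known_service": True},
]
SAMPLE_CPU = [
    {"host": "web-01", "role": "web", "cpu_pct": 97.0, "ts": "2026-01-08T02:15:00"},
    {"host": "render-07", "role": "compute", "cpu_pct": 99.0, "ts": "2026-01-08T02:20:00"},
]
SAMPLE_PERSISTENCE = [
    {"host": "web-01", "kind": "cron", "cmd": "/tmp/.x/run.sh", "approved": False},
    {"host": "db-02", "kind": "schtask", "cmd": "C:\\Tools\\sync.exe", "approved": False},
]


def run_sample() -> List[str]:
    """Return the hosts flagged on the constructed sample data."""
    return likely_miners(score_hosts(SAMPLE_CONNS, SAMPLE_CPU, SAMPLE_PERSISTENCE))


if __name__ == "__main__":
    for host, ev in score_hosts(SAMPLE_CONNS, SAMPLE_CPU, SAMPLE_PERSISTENCE).items():
        print(host, sorted(ev.indicators))
    print("flagged:", run_sample())
```

On the sample data only `web-01` crosses the threshold: a pool-style connection, high CPU at 02:15 on a web host, and an unapproved cron entry. `db-02` has one unapproved scheduled task and nothing else, which is exactly the case where a single indicator should prompt a look at the approved list rather than a cryptomining alert, and `render-07` is a compute node whose high CPU is expected.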

Source: https://securityboulevard.com/2026/01/use-of-xmrig-cryptominer-by-threat-actors-expanding-expel/