EXPEL BLOG

On the radar: Weeding out XMRig


· 2 MIN READ · BEN NAHORNEY · JAN 7, 2026

TL;DR

  • XMRig is an open-source cryptocurrency miner that we often see bad actors use to monetize compromised systems.
  • We’re seeing bad actors deploy XMRig using a variety of installation vectors.
  • The platforms that we see XMRig on are also quite varied.


Sometimes threats are like weeds. 

Even in the best-tended gardens, weeds crop up in unusual and unexpected ways. They don’t discriminate between well-tilled soil and a crack in concrete; they’re only looking for that sliver of opportunity to take root.

Threats are similarly opportunistic. They don’t limit themselves to a single attack vector or platform. The goal is to establish themselves how and where they can.

Few threats illustrate this better than cryptominers. While it can be argued that cryptominers in and of themselves are not malicious, bad actors often install them without users’ or admins’ knowledge.

XMRig is a popular open-source cryptocurrency miner, primarily used for mining Monero. As mentioned, XMRig isn’t inherently malicious, but we regularly see it installed by bad actors, and the ways they get it onto systems are as varied as anything we see.

Just check out what we’ve seen bad actors use recently:

  • React2Shell vulnerabilities (CVE-2025-55182 and CVE-2025-66478)
  • Compromised credentials for several remote administration applications
  • SSH brute force attacks
  • Installation through commodity malware

And those are only the incidents where we were able to determine initial access.

XMRig offers cross-platform compatibility, enabling attackers to use the same tool in a variety of environments. We’ve seen XMRig across common platforms, such as Windows endpoints and Linux hosts, but also in Kubernetes pods and AWS EC2 instances.

Because XMRig mines on the CPU (Monero’s RandomX algorithm is designed for general-purpose processors), it needs no GPU and runs on whatever hardware the attacker happens to land on, including containers and modest cloud instances. This lets attackers monetize the platforms they compromise regardless of their size and computing power.

As mentioned, XMRig isn’t inherently malicious, since it is legitimate mining software, which can make detection trickier. When hunting for unauthorized cryptomining, no single indicator is a smoking gun on its own, so when trying to find XMRig in your environment we suggest correlating several signals:

  • Monitor for outbound connections to Monero mining pools: DNS queries for known pool domains, and connections on the ports pools commonly use, such as TCP 3333. XMRig talks to pools over the Stratum protocol, so where you have packet or proxy visibility, a plaintext Stratum login (a JSON-RPC `login` request carrying a wallet address) is a strong signal. 
    • XMRig can be configured to talk to the pool over TLS, which hides the payload, so also look for long-lived encrypted connections from servers to unfamiliar destinations, especially on ports other than 443. 
  • Baseline normal CPU behavior per host, then look for sustained high CPU usage on systems that don’t normally carry intensive workloads, and for high CPU usage during off hours. A high absolute number alone is noise on a build server; the deviation from that host’s own baseline is the signal. 
  • Check for unexpected scheduled tasks, cron jobs, systemd units, or registry Run keys. The attackers who deploy XMRig commonly use these to make the miner survive a reboot, and the entries often give the miner away outright through a stratum+tcp:// pool URL or XMRig’s own command-line flags.
  • For Kubernetes, note that PodSecurityPolicy was removed in Kubernetes 1.25; enforce the Pod Security Standards through Pod Security Admission instead, with at least the baseline profile on every namespace. Baseline blocks privileged containers, host namespaces and hostPath mounts, which shuts off the usual routes from a compromised pod onto the node. It does not stop a miner running inside the pod it landed in, so pair it with CPU limits on workloads and the CPU baselining above, and consider the restricted profile for namespaces that handle highly sensitive data. 
  • In the case of AWS EC2 instances, enable Amazon GuardDuty, whose foundational findings flag DNS queries and connections to known mining infrastructure, and turn on Runtime Monitoring so the miner process itself becomes visible on the instance (Runtime Monitoring also covers EKS, which helps with the Kubernetes case above).
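The correlation idea above, as an added example that is not Expel’s code: a small triage script that scores each host on four independent signals (pool DNS query, connection to a mining port, sustained CPU above that host’s own baseline, and a persistence entry whose command line looks like a miner) and only flags hosts that trip at least two. The log formats, host names, domain names, IP addresses and baseline figures are constructed for illustration, and the pool-domain and port lists are placeholders for your own intel.

```python
"""Multi-signal XMRig triage over sample host telemetry.

Added example (not Expel's code). All log lines, host names, domains and
baseline numbers below are constructed; POOL_DOMAINS and MINING_PORTS are
placeholders to be replaced with a curated feed.
"""
import re
from collections import defaultdict

# Placeholder list of Monero pool domains (assumption; use a curated feed).
# A query matches if it is the domain itself or any subdomain of it.
POOL_DOMAINS = {"xmr-pool.example", "monero-pool.example"}
# TCP 3333 is the port named in the post; the rest are common Stratum ports
# added here as assumptions.
MINING_PORTS = {3333, 4444, 5555, 7777, 14444}
# Command-line fragments typical of an XMRig invocation.
MINER_CMD = re.compile(
    r"stratum\+(tcp|ssl)://|xmrig|--donate-level|--coin[= ]monero", re.I)
# Per-host "normal" CPU percentage, as if produced by a baselining job.
CPU_BASELINE = {"web-03": 12.0, "build-01": 70.0, "db-02": 35.0}

# Constructed sample telemetry: "<ts> <host> <qname>"
DNS_LOG = """\
2026-01-05T02:10:01Z web-03 eu.xmr-pool.example
2026-01-05T02:10:05Z web-03 assets.example.com
2026-01-05T09:12:44Z build-01 monero-pool.example
2026-01-05T09:13:00Z db-02 updates.example.com
"""
# "<ts> <host> <dst_ip>:<dst_port> <proto>"
CONN_LOG = """\
2026-01-05T02:10:02Z web-03 203.0.113.7:3333 tcp
2026-01-05T02:11:09Z web-03 198.51.100.20:443 tcp
2026-01-05T09:12:45Z build-01 192.0.2.55:443 tcp
2026-01-05T09:20:00Z db-02 192.0.2.10:5432 tcp
"""
# "<ts> <host> <cpu_percent>", five-minute samples
CPU_LOG = """\
2026-01-05T02:15:00Z web-03 97.0
2026-01-05T02:20:00Z web-03 98.5
2026-01-05T02:25:00Z web-03 99.0
2026-01-05T09:15:00Z build-01 96.0
2026-01-05T09:20:00Z build-01 94.0
2026-01-05T09:25:00Z build-01 91.0
2026-01-05T09:15:00Z db-02 38.0
2026-01-05T09:20:00Z db-02 41.0
"""
# "<host> <kind> <name> <command...>"
PERSIST_LOG = """\
web-03 cron @reboot /tmp/.x/kthreadd -o stratum+tcp://eu.xmr-pool.example:3333 --donate-level 1
build-01 systemd nightly-build /opt/ci/run.sh
db-02 cron backup /usr/local/bin/pg_backup.sh
"""


def _records(log):
    """Split a log into whitespace-separated fields, skipping blank lines."""
    return [line.split() for line in log.splitlines() if line.strip()]


def dns_hits(log=DNS_LOG):
    """Hosts that resolved a known pool domain or a subdomain of one."""
    return {host for _ts, host, qname in _records(log)
            if any(qname == d or qname.endswith("." + d) for d in POOL_DOMAINS)}


def port_hits(log=CONN_LOG):
    """Hosts with an outbound connection to a common mining port."""
    return {host for _ts, host, dst, _proto in _records(log)
            if int(dst.rsplit(":", 1)[1]) in MINING_PORTS}


def cpu_hits(log=CPU_LOG, baseline=CPU_BASELINE, min_samples=3, delta=40.0):
    """Hosts whose every sample sits well above their own baseline.

    Using the per-host baseline rather than a fixed cutoff is what keeps the
    busy build server out of the results while the idle web server stands out.
    """
    samples = defaultdict(list)
    for _ts, host, pct in _records(log):
        samples[host].append(float(pct))
    return {host for host, vals in samples.items()
            if len(vals) >= min_samples
            and min(vals) > baseline.get(host, 0.0) + delta}


def persistence_hits(log=PERSIST_LOG):
    """Hosts with a scheduled task, cron job or unit that invokes a miner."""
    return {host for host, _kind, _name, *cmd in _records(log)
            if MINER_CMD.search(" ".join(cmd))}


def triage(threshold=2):
    """Return {host: sorted signal names} for hosts with >= threshold signals."""
    signals = {
        "dns_pool_query": dns_hits(),
        "mining_port_conn": port_hits(),
        "sustained_cpu": cpu_hits(),
        "miner_persistence": persistence_hits(),
    }
    per_host = defaultdict(list)
    for name, hosts in signals.items():
        for host in hosts:
            per_host[host].append(name)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= threshold}


if __name__ == "__main__":
    for host, sigs in triage().items():
        print(f"{host}: investigate ({', '.join(sigs)})")
```

With the sample data, only web-03 is flagged: it trips all four signals. build-01 resolved a pool domain but nothing else corroborates it (its CPU is high, but no higher than its baseline), so at the default threshold it stays out of the queue, which is the point of requiring more than one indicator before paging someone.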

Dealing with cryptominers may not seem urgent next to bigger threats, and while it could be argued they’re ‘less malicious,’ they should still be prioritized. An unauthorized cryptominer is evidence of an unaddressed security hole in the environment, and whatever got XMRig onto a system (an unpatched vulnerability, a compromised credential, a weak SSH password) could just as easily deliver more malicious software if the attacker so chose.

Like weeds, XMRig is an annoyance that should be pulled out for the health of the garden.