A recently published analysis by FortiGuard Labs’ FortiCNAPP team has revealed a sophisticated and multi-faceted attack campaign leveraging both well-known crypto-mining botnets and newly observed ransomware strains.
The attackers, believed to be behind the long-running H2Miner crypto mining campaigns, are now deploying a cocktail of malicious tools targeting Linux, Windows, and container environments, with the end goal of large-scale Monero mining, system disruption, and theft of sensitive information.
New AI-Generated Ransomware
H2Miner, active since 2019, has evolved by integrating legacy shell scripts for defense evasion and persistence with new variants, including Lcrypt0rx, a VBScript-based ransomware first detected in November 2024.
Lcrypt0rx displays several signs of automated generation, such as duplicated functions, flawed persistence mechanisms, and ineffective attempts at disabling antivirus solutions.
Notably, code analysis with AI-detection tools flagged Lcrypt0rx as almost certainly generated using large language models, raising concerns over the rapid commoditization of cybercrime infrastructure.
The Fortinet report observes a unique overlap: operators are deploying H2Miner’s classic crypto-mining malware alongside the Lcrypt0rx ransomware, suggesting collaboration between threat actor groups or a campaign consolidation to maximize potential profits.

This hybrid approach spreads across infrastructure using commercial hacking tools and infostealers such as Kinsing, Lumma Stealer, DCRat, Cobalt Strike, and Amadey, further intensifying the impact and complexity of the attacks.
Attack Chains
The attack lifecycle starts with adversaries targeting exposed Linux, Windows, and containerized workloads, often leveraging public VPS infrastructure to obfuscate their presence.
For Linux and cloud workloads, familiar scripts like ce.sh, spr.sh, and cpr.sh are used to halt defenses, remove competing malware, gain persistence, and deploy Kinsing RAT and crypto miners.
A PowerShell script (1.ps1) handles Windows XP and later systems, ensuring XMRig miners persist through scheduled tasks, with mining proceeds funneled to previously flagged Monero wallets.
The Lcrypt0rx ransomware, on the other hand, is spread on Windows targets. It attempts privilege escalation, disables critical system utilities, and interferes with user input by disabling modifier and function keys via registry manipulation.
Despite its broad attempts at data destruction (overwriting the Master Boot Record, deleting backups, and encrypting user files with custom XOR routines), Lcrypt0rx is marred by technical flaws, weak key management, and evidence of LLM hallucinations in its code.
Its encryption is considered weak, which classifies it as scareware rather than a genuine ransomware threat. Yet the campaign is dangerous due to its blend of visual defacement, persistent system interference, and bundled infostealers.
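The report's classification of Lcrypt0rx as scareware rests on its XOR-based file encryption and weak key handling. The following added example (not code from the Fortinet report or from the malware) illustrates why a repeating-key XOR scheme is recoverable: if the first bytes of one encrypted file are known (a PDF always begins with `%PDF-1.x`), XORing those known bytes against the ciphertext yields the key, and a reused key then decrypts every other file. The key `Lcr0key!`, the 8-byte key length, and the sample PDF bytes are constructed for the demo; Lcrypt0rx's actual routine is not described in the article.

```python
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Recover a repeating key of key_len bytes from a known-plaintext prefix.

    Because c[i] = p[i] ^ k[i % key_len], the first key_len ciphertext bytes
    XORed with the matching known plaintext bytes give the whole key.
    Requires at least key_len bytes of known plaintext.
    """
    if len(known_plaintext) < key_len:
        raise ValueError("known plaintext shorter than the key")
    if len(ciphertext) < key_len:
        raise ValueError("ciphertext shorter than the key")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


# Constructed "victim file": a small PDF fragment. "%PDF-1.7" is a fixed
# 8-byte magic, so those bytes are known to anyone recovering the file.
SAMPLE_FILE = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
PDF_MAGIC = b"%PDF-1.7"

# Hypothetical 8-byte key, constructed for this example only.
HYPOTHETICAL_KEY = b"Lcr0key!"


def demo():
    """Encrypt the sample, then recover the key from the header and decrypt."""
    ciphertext = xor_bytes(SAMPLE_FILE, HYPOTHETICAL_KEY)
    # The recovery side sees only the ciphertext and the public PDF magic.
    recovered = recover_key(ciphertext, PDF_MAGIC, key_len=len(HYPOTHETICAL_KEY))
    return recovered, xor_bytes(ciphertext, recovered)


if __name__ == "__main__":
    key, plaintext = demo()
    print("recovered key:", key)
    print("plaintext matches original:", plaintext == SAMPLE_FILE)
```

The key length is passed in here for clarity; in practice a responder would try lengths up to the length of the longest known header and keep the one whose decryption yields well-formed file structure. A known-good copy of any one encrypted file (from backup or email) gives an arbitrarily long known prefix, which is why XOR with a reused key offers no real protection.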
Organizations are urged to deploy updated network and endpoint protections, monitor for anomalous mining and C2 activity, and educate users against phishing and opportunistic threats.
Fortinet’s security stack detects and blocks campaign components with multi-layer signatures covering script loaders, RATs, miners, and ransomware, alongside network-level intrusion prevention that intercepts themed exploits, script deployments, and C2 communications.
Indicators of Compromise (IOCs)
| Type | IOC |
|---|---|
| IP Addresses | 78[.]153[.]140[.]66, 80[.]64[.]16[.]241, 89[.]208[.]104[.]175, 47[.]97[.]113[.]36, 176[.]65[.]137[.]203, 185[.]156[.]72[.]96, 80[.]64[.]18[.]161, 207[.]231[.]109[.]252, 104[.]21[.]32[.]1 |
| File Hashes | ff1706b37fea16d75b739a5396d9ffba, 9e4f149dae1891f1d22a2cea4f68432e, a729410de4dc397d1fb2ab8f7ae560d3, 2726145d4ef3b34d3c3a566177805c39, 1aee8a425ea53c571a16b8efde05ba01, B6cd214bb814362694cc48299ebaf0e5, 0680df49e1866c86697028ea73d28d28, d3884cc519c6855ae20d64264d5f6e93, 57f0fdec4d919db0bd4576dc84aec752, 44143827116c96f5dcace4f95dff8697 |
| Scripts | 1bf1efeadedf52c0ed50941b10a2f468, a7bee104bb486ad0f10331233cc9a9f1, 0dc2c71ce9c6c34668e9636abf61b1ae, 01e5b2530d4cba34f91c8090d19c92db, dbc9125192bd1994cbb764f577ba5dda, b3039abf2ad5202f4a9363b418002351, da753ebcfe793614129fc11890acedbc, ccef46c7edf9131ccffc47bd69eb743b, 06a482a6096e8ff4499ae69a9c150e92, f5f2b61b39105a2b1e6e1a5f4a3863ae, 9f764ec91535eaf03983b930d9f3bacd |
| Wallets | 4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC, 89UoMhtsrpaJTvmJBbvy1cTdg38pomPFnW5Z4sniL2izcLQyGBkEGd96TcBJtzQUi6KAL5Ehe4cFpEMNdGF7tFKpJ1DqE8X, 89Arz88KTafhoTPAseYf2bfcWSjNq1YLaVY7ZkFaU21FivDueX4d7X7UErnyjAWHsVB1mibdTGHzqUTsS5FCMog89GVcQCh |
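The IOC table is only useful once it is matched against telemetry. The following added example (not from the Fortinet report) loads the table's indicators, refangs the `[.]`-defanged IP addresses, normalizes MD5 case (the table mixes cases, and MD5 comparison must be case-insensitive), and scans log lines for the campaign's C2/mining IPs, file hashes, and Monero wallet strings. The log lines, host names, and the `pool.example` miner target are constructed for the demo; the indicator values are the ones published above.

```python
import re
from dataclasses import dataclass

# Indicators transcribed from the IOC table above.
IOC_IPS_DEFANGED = [
    "78[.]153[.]140[.]66", "80[.]64[.]16[.]241", "89[.]208[.]104[.]175",
    "47[.]97[.]113[.]36", "176[.]65[.]137[.]203", "185[.]156[.]72[.]96",
    "80[.]64[.]18[.]161", "207[.]231[.]109[.]252", "104[.]21[.]32[.]1",
]
IOC_HASHES = [
    "ff1706b37fea16d75b739a5396d9ffba", "9e4f149dae1891f1d22a2cea4f68432e",
    "a729410de4dc397d1fb2ab8f7ae560d3", "2726145d4ef3b34d3c3a566177805c39",
    "1aee8a425ea53c571a16b8efde05ba01", "B6cd214bb814362694cc48299ebaf0e5",
    "0680df49e1866c86697028ea73d28d28", "d3884cc519c6855ae20d64264d5f6e93",
    "57f0fdec4d919db0bd4576dc84aec752", "44143827116c96f5dcace4f95dff8697",
    "1bf1efeadedf52c0ed50941b10a2f468", "a7bee104bb486ad0f10331233cc9a9f1",
    "0dc2c71ce9c6c34668e9636abf61b1ae", "01e5b2530d4cba34f91c8090d19c92db",
    "dbc9125192bd1994cbb764f577ba5dda", "b3039abf2ad5202f4a9363b418002351",
    "da753ebcfe793614129fc11890acedbc", "ccef46c7edf9131ccffc47bd69eb743b",
    "06a482a6096e8ff4499ae69a9c150e92", "f5f2b61b39105a2b1e6e1a5f4a3863ae",
    "9f764ec91535eaf03983b930d9f3bacd",
]
IOC_WALLETS = [
    "4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC",
    "89UoMhtsrpaJTvmJBbvy1cTdg38pomPFnW5Z4sniL2izcLQyGBkEGd96TcBJtzQUi6KAL5Ehe4cFpEMNdGF7tFKpJ1DqE8X",
    "89Arz88KTafhoTPAseYf2bfcWSjNq1YLaVY7ZkFaU21FivDueX4d7X7UErnyjAWHsVB1mibdTGHzqUTsS5FCMog89GVcQCh",
]


def refang(value: str) -> str:
    """Turn a defanged indicator ('78[.]153[.]140[.]66') back into a matchable one."""
    return value.replace("[.]", ".").replace("hxxp", "http")


IP_SET = {refang(ip) for ip in IOC_IPS_DEFANGED}
HASH_SET = {h.lower() for h in IOC_HASHES}   # MD5 hex is case-insensitive
WALLET_SET = set(IOC_WALLETS)                # base58 addresses are case-sensitive

IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
WALLET_RE = re.compile(r"\b[0-9A-Za-z]{95}\b")   # standard Monero address length


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str    # "ip", "md5" or "wallet"
    value: str


def scan_line(line_no: int, line: str) -> list[Hit]:
    """Return every table indicator found in one log line."""
    hits = []
    for m in IP_RE.finditer(line):
        if m.group() in IP_SET:
            hits.append(Hit(line_no, "ip", m.group()))
    for m in MD5_RE.finditer(line):
        if m.group().lower() in HASH_SET:
            hits.append(Hit(line_no, "md5", m.group().lower()))
    for m in WALLET_RE.finditer(line):
        if m.group() in WALLET_SET:
            hits.append(Hit(line_no, "wallet", m.group()))
    return hits


def scan_logs(lines) -> list[Hit]:
    """Scan an iterable of log lines; line numbers start at 1."""
    hits = []
    for i, line in enumerate(lines, 1):
        hits.extend(scan_line(i, line))
    return hits


# Constructed sample telemetry (firewall + EDR style); not real logs.
SAMPLE_LOGS = [
    "2025-07-01T10:02:11Z fw-edge CONN src=10.0.4.15 dst=185.156.72.96 dport=443 proto=tcp",
    "2025-07-01T10:03:45Z edr-host01 FILE_CREATE path=C:\\Users\\Public\\1.ps1 md5=B6CD214BB814362694CC48299EBAF0E5",
    f'2025-07-01T10:04:02Z edr-host01 PROC cmd="xmrig.exe -o pool.example:3333 -u {IOC_WALLETS[0]}"',
    "2025-07-01T10:05:30Z fw-edge CONN src=10.0.4.16 dst=93.184.216.34 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} indicator {hit.value}")
```

Two practitioner caveats: hash hits identify the dropped scripts and payloads but miss recompiled variants, so pair them with behavioural rules (scheduled tasks launching XMRig, `ce.sh`/`spr.sh`/`cpr.sh` style scripts killing security processes); and the `104[.]21[.]32[.]1` entry sits in an address range that appears to be operated by a large CDN, so a connection to it alone should be weighted lower than the other addresses.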