AhnLab EPP

Last updated Dec 2, 2025

CoinMiner Detected

Detects cryptocurrency mining malware in AhnLab EPP V3 malware alert logs.

Query

The AhnLab V3 antivirus engine names cryptocurrency mining malware with signatures such as CoinMiner/Win.PhoenixMiner.R263897 and CoinMiner/Win.Generic.C5729394. The query therefore extracts every alert whose signature field begins with the prefix CoinMiner/; the trailing wildcard matches any family and variant suffix, while a signature that merely contains the word CoinMiner elsewhere is not matched.

| search signature == "CoinMiner/*"

Message

  • AhnLab EPP V3 Cryptocurrency Mining Malware Detected: Host $host_ip, Malware $signature

Field Order

  • _log_time, hostname, host_ip, emp_name, dept_name, signature, file_path, file_status, md5

Threat Analysis

  • Cryptocurrency mining malware consumes system resources for extended periods, causing high CPU/GPU usage, degraded performance, and increased power consumption.
  • Attackers may install mining software by exploiting vulnerabilities or using compromised accounts, hijacking organizational resources for unauthorized mining activities.
  • Some mining malware includes additional capabilities such as downloading secondary payloads, installing backdoors, or self-updating, potentially leading to further compromise.

False Positives

  • Detections may occur when cryptocurrency mining programs are operated internally or executed for research purposes.

    • If the activity is authorized, the endpoint’s IP address can be added as an exception. Where addresses are assigned by DHCP, prefer excepting the hostname or a dedicated lab segment instead, since a lease can later hand the excepted address to an unrelated machine and silence a real detection.

Response Actions

  • Check the endpoint’s CPU/GPU utilization and network traffic patterns to determine whether mining actually occurred: sustained high utilization together with long-lived outbound connections to mining pools is the typical pattern, whereas a file that was quarantined before execution leaves neither.
  • Review the execution path, installation traces, and persistence mechanisms of the mining program (auto-start registry entries, services, scheduled tasks), and remove any malicious components.
  • Verify whether similar detections have occurred within the same network segment to identify potential lateral spread.
  • Investigate the infection vector (vulnerability exploitation, weak passwords, exposed RDP services, etc.) and strengthen system patching, account security, and access control policies.
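The detection predicate from the Query section, the alert text from the Message section, the IP exception from False Positives and the same-segment check from the Response Actions above, run over a handful of constructed AhnLab EPP V3 records laid out in the rule’s field order. This is an added example and not part of the rule or of AhnLab’s or the platform’s own code; the tab-separated record layout, the sample values, the authorized-host list and the /24 segment size are assumptions for illustration.

```python
"""CoinMiner rule logic over constructed AhnLab EPP V3 alert records.

Added example. The tab-separated layout, the record values, the
authorized-host list and the /24 segment size are assumptions.
"""
from collections import defaultdict
import ipaddress

# Field order as given in the rule's "Field Order" section.
FIELDS = ["_log_time", "hostname", "host_ip", "emp_name", "dept_name",
          "signature", "file_path", "file_status", "md5"]

# Alert text from the rule's "Message" section.
MESSAGE = ("AhnLab EPP V3 Cryptocurrency Mining Malware Detected: "
           "Host {host_ip}, Malware {signature}")

# Constructed sample records, not real AhnLab output. Only the two CoinMiner
# signatures quoted by the rule are used; the two other signatures are
# placeholders: one unrelated detection, and one that contains the word
# CoinMiner without the CoinMiner/ prefix, which the rule must not match.
SAMPLE_LOGS = "\n".join([
    "2025-12-02 09:14:03\tWKS-0117\t10.20.30.17\tJ. Kim\tFinance\t"
    "CoinMiner/Win.PhoenixMiner.R263897\tC:\\Users\\jkim\\AppData\\Roaming\\svc\\miner.exe\t"
    "Quarantined\t0123456789abcdef0123456789abcdef",
    "2025-12-02 09:15:41\tWKS-0122\t10.20.30.22\tS. Park\tFinance\t"
    "CoinMiner/Win.Generic.C5729394\tC:\\ProgramData\\upd\\xmr.exe\t"
    "Deleted\tfedcba9876543210fedcba9876543210",
    "2025-12-02 09:20:10\tLAB-0003\t10.50.1.3\tH. Lee\tSecurity Research\t"
    "CoinMiner/Win.Generic.C5729394\tD:\\samples\\miner.exe\t"
    "Quarantined\tfedcba9876543210fedcba9876543210",
    "2025-12-02 09:22:55\tWKS-0201\t10.20.31.9\tM. Choi\tHR\t"
    "Trojan/Win.Example.C0000000\tC:\\Temp\\a.exe\t"
    "Deleted\t00112233445566778899aabbccddeeff",
    "2025-12-02 09:25:30\tWKS-0205\t10.20.32.5\tD. Han\tSales\t"
    "Dropper/Win.Example.CoinMinerLoader\tC:\\Temp\\setup.exe\t"
    "Deleted\tffeeddccbbaa99887766554433221100",
    "2025-12-02 09:30:02\tWKS-0130\t10.20.30.30\tY. Jung\tFinance\t"
    "CoinMiner/Win.PhoenixMiner.R263897\tC:\\Windows\\Tasks\\svc.exe\t"
    "Quarantined\t0123456789abcdef0123456789abcdef",
])

# Assumed exception list: a lab host that runs miners for research.
AUTHORIZED_HOSTS = frozenset({"10.50.1.3"})


def parse_records(text):
    """Split tab-separated lines into dicts keyed by the rule's field names."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("\t")
        if len(values) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(FIELDS, values)))
    return records


def is_coinminer(record):
    """Same predicate as `search signature == "CoinMiner/*"`: a prefix match."""
    return record["signature"].startswith("CoinMiner/")


def detect(records, authorized_hosts=frozenset()):
    """Return matching records, minus excepted hosts, each with its alert message."""
    alerts = []
    for record in records:
        if not is_coinminer(record):
            continue
        if record["host_ip"] in authorized_hosts:
            continue  # authorized mining (False Positives section)
        alerts.append({**record, "message": MESSAGE.format(**record)})
    return alerts


def hosts_by_segment(alerts, prefixlen=24):
    """Group alerted host IPs by network segment to spot possible lateral spread."""
    segments = defaultdict(set)
    for alert in alerts:
        network = ipaddress.ip_network(f"{alert['host_ip']}/{prefixlen}", strict=False)
        segments[str(network)].add(alert["host_ip"])
    return {segment: sorted(hosts) for segment, hosts in segments.items()}


def segments_with_multiple_hosts(alerts, prefixlen=24):
    """Segments where more than one host alerted; these warrant a spread check."""
    return {segment: hosts
            for segment, hosts in hosts_by_segment(alerts, prefixlen).items()
            if len(hosts) > 1}


if __name__ == "__main__":
    hits = detect(parse_records(SAMPLE_LOGS), AUTHORIZED_HOSTS)
    for hit in hits:
        print(hit["message"])
    print("segments with multiple alerting hosts:", segments_with_multiple_hosts(hits))
```

Run as a script, the example prints three alerts for the Finance hosts and reports 10.20.30.0/24 as a segment with several alerting machines; the lab host is dropped by the exception list, and the two placeholder signatures never match because the rule keys on the CoinMiner/ prefix rather than on the substring.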

MITRE ATT&CK