G0108: Blue Mockingbird
Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.[1]
Analyst context for executives and security teams
Blue Mockingbird matters because the ATT&CK entry describes observed activity using Monero cryptocurrency-mining DLL payloads on Windows systems, with related behaviors that can include public-facing application exploitation, credential dumping, lateral movement, persistence, proxying, and compute hijacking. For leaders, the business issue is not just “cryptomining”; it is whether exposed systems, privileged credentials, and Windows administration pathways could be abused long enough to consume resources, degrade services, and complicate incident response.
Executive priority
Treat this as a resilience and control-validation use case: confirm that internet-facing application risk, Windows identity protection, lateral movement controls, and endpoint telemetry are strong enough to detect and contain unauthorized compute use and follow-on activity. It is especially relevant for vulnerability prioritization, SOC readiness, and audit evidence around privileged access, logging, and persistence monitoring.
Technical view
SOC and IR teams should validate coverage against the relationship-driven behavior set: exploitation of public-facing applications, execution through PowerShell/cmd/WMI, DLL proxy execution via regsvr32 or rundll32, LSASS memory access and Mimikatz-related credential theft, RDP and SMB/Admin Share lateral movement, registry/service/scheduled-task/WMI persistence, proxy tooling such as FRP, and compute hijacking indicators. Because no official ATT&CK detection text is provided, detection engineering should map these behaviors to local Windows event, EDR, identity, and network data rather than relying on a single group signature.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- DLL load and signed-binary proxy execution telemetry for rundll32.exe and regsvr32.exe
- PowerShell, Windows Command Shell, and WMI activity logs
- Scheduled Task, Windows Service, Registry, and WMI event subscription change records
- Authentication and remote access logs for RDP and SMB/Admin Shares
Detection direction
- Prioritize behavior-based detections over group-name matching, since the object provides no official detection guidance.
- Tune for suspicious combinations: public-facing application activity followed by Windows execution, persistence creation, credential access, lateral movement, and sustained high compute usage.
- Review allowlist blind spots for legitimate Windows binaries such as rundll32.exe, regsvr32.exe, WMI, service control, scheduled tasks, PowerShell, and cmd.exe.
- Correlate identity and endpoint evidence: LSASS access or Mimikatz-like behavior followed by RDP or SMB/Admin Share use is higher priority than either signal alone.
- Baseline administrative tooling and remote management patterns to reduce false positives while preserving visibility into unusual source hosts, accounts, times, and destinations.
Mitigation priorities
- Reduce initial-access exposure by prioritizing remediation and configuration review for public-facing applications and services.
- Harden Windows credential protections and privileged account usage to limit the value of LSASS access and credential dumping.
- Restrict and monitor RDP, SMB/Admin Shares, WMI, service control, and other remote administration paths to known administrative use cases.
- Apply least privilege and administrative segmentation so compromised systems cannot easily create services, scheduled tasks, registry persistence, or WMI subscriptions across the environment.
- Constrain or monitor script and signed-binary execution paths commonly abused for DLL execution, including PowerShell, cmd.exe, rundll32.exe, and regsvr32.exe.
Analyst notes and limits
The supplied ATT&CK object identifies Blue Mockingbird as observed activity involving Monero mining DLL payloads on Windows systems, and the practical defensive framing comes mainly from the listed technique and software relationships. The most useful operational exercise is to test whether the organization can connect external exposure, Windows execution, credential access, lateral movement, persistence, proxy traffic, and compute-impact signals into one investigation path.
ATT&CK provides no official detection text for this group, and object-level platforms and tactics are not specified. This take does not assert current activity, attribution beyond the named ATT&CK group, customer exposure, or guaranteed detection. Local asset exposure, logging coverage, administrative baselines, and incident evidence are required to determine relevance.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.001 | PowerShell | Blue Mockingbird has used PowerShell reverse TCP shells to issue interactive commands over a network connection. [1] |
| Enterprise | T1574.012 | COR_PROFILER | Blue Mockingbird has used wmic.exe and Windows Registry modifications to set the COR_PROFILER environment variable to execute a malicious DLL whenever a process loads the .NET CLR. [1] |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | Blue Mockingbird has used mofcomp.exe to establish WMI Event Subscription persistence mechanisms configured from a *.mof file. [1] |
| Enterprise | T1082 | System Information Discovery | Blue Mockingbird has collected hardware details for the victim's system, including CPU and memory information. [1] |
| Enterprise | T1543.003 | Windows Service | Blue Mockingbird has made their XMRIG payloads persistent as a Windows Service. [1] |
| Enterprise | T1053.005 | Scheduled Task | Blue Mockingbird has used Windows Scheduled Tasks to establish persistence on local and remote hosts. [1] |
| Enterprise | T1090 | Proxy | Blue Mockingbird has used FRP, ssf, and Venom to establish SOCKS proxy connections. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | Blue Mockingbird has used wmic.exe to set environment variables. [1] |
| Enterprise | T1059.003 | Windows Command Shell | Blue Mockingbird has used batch script files to automate execution and deployment of payloads. [1] |
| Enterprise | T1003.001 | LSASS Memory | Blue Mockingbird has used Mimikatz to retrieve credentials from LSASS memory. [1] |
| Enterprise | T1218.011 | Rundll32 | Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using rundll32.exe. [1] |
| Enterprise | T1134 | Access Token Manipulation | Blue Mockingbird has used JuicyPotato to abuse the |
| Enterprise | T1496.001 | Compute Hijacking | Blue Mockingbird has used XMRIG to mine cryptocurrency on victim systems. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | Blue Mockingbird has obfuscated the wallet address in the payload binary. [1] |
| Enterprise | T1112 | Modify Registry | Blue Mockingbird has used Windows Registry modifications to specify a DLL payload. [1] |
| Enterprise | T1569.002 | Service Execution | Blue Mockingbird has executed custom-compiled XMRIG miner DLLs by configuring them to execute via the "wercplsupport" service. [1] |
| Enterprise | T1190 | Exploit Public-Facing Application | Blue Mockingbird has gained initial access by exploiting CVE-2019-18935, a vulnerability within Telerik UI for ASP.NET AJAX. [1] |
| Enterprise | T1021.001 | Remote Desktop Protocol | Blue Mockingbird has used Remote Desktop to log on to servers interactively and manually copy files to remote hosts. [1] |
| Enterprise | T1218.010 | Regsvr32 | Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using regsvr32.exe. [1] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | Blue Mockingbird has used Windows Explorer to manually copy malicious files to remote hosts over SMB. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file. [1] |
| Enterprise | T1588.002 | Tool | Blue Mockingbird has obtained and used tools such as Mimikatz. [1] |
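As an added detection prototype (not code from the page, ATT&CK, or Red Canary), the following Python maps the procedure rows above and the per-host correlation guidance under Detection direction onto constructed Sysmon-style process events. The IIS worker w3wp.exe as the exploited application's process and the CLSID placeholder are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry); w3wp.exe is assumed to be the IIS worker.
SAMPLE_EVENTS = [
    {"host": "web01", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell.exe -nop -w hidden -enc UwB0AGEAcgB0AC0A"},
    {"host": "web01", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": 'wmic.exe ENVIRONMENT create name="COR_PROFILER",VariableValue="{PLACEHOLDER-CLSID}"'},
    {"host": "web01", "parent": "cmd.exe", "image": "mofcomp.exe",
     "cmdline": r"mofcomp.exe C:\Windows\Temp\persist.mof"},
    {"host": "web01", "parent": "cmd.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\wercplsupporte.dll,#1"},
    {"host": "fs02", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": r"notepad.exe C:\Users\admin\notes.txt"},
    {"host": "fs02", "parent": "services.exe", "image": "svchost.exe",  # benign service host
     "cmdline": "svchost.exe -k netsvcs -p -s wercplsupport"},
]

# (technique ID, image regex, command-line regex) from the procedure table; tune paths in production.
RULES = [
    ("T1059.001", r"^(cmd|powershell)\.exe$", r"powershell.*\s-e(nc|ncodedcommand)?\s"),
    ("T1574.012", r"^(wmic|reg)\.exe$", r"COR_PROFILER"),
    ("T1546.003", r"^mofcomp\.exe$", r"\.mof\b"),
    ("T1218.011", r"^rundll32\.exe$", r"\.dll"),
    ("T1218.010", r"^regsvr32\.exe$", r"\.dll"),
    ("T1036.005", r"^(rundll32|regsvr32)\.exe$", r"wercplsupporte\.dll"),
    ("T1543.003", r"^sc\.exe$", r"\b(create|config)\b.*wercplsupport"),
    ("T1053.005", r"^schtasks\.exe$", r"/create"),
]

def match_event(event):
    """Return technique IDs whose image and command-line patterns both match the event."""
    hits = [tid for tid, img_re, cmd_re in RULES
            if re.search(img_re, event["image"], re.I) and re.search(cmd_re, event["cmdline"], re.I)]
    # Initial-access chain: the web worker spawning a shell is the T1190 -> execution pattern.
    if event["parent"].lower() == "w3wp.exe" and re.match(r"(cmd|powershell)\.exe$", event["image"], re.I):
        hits.append("T1190")
    return hits

def correlate(events):
    """Group technique hits per host so combinations, not single signals, drive priority."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_event(ev))
    return {host: sorted(tids) for host, tids in per_host.items()}

def hosts_to_escalate(events, min_techniques=3):
    """Hosts with at least `min_techniques` distinct technique IDs from the behaviour chain."""
    return sorted(h for h, tids in correlate(events).items() if len(tids) >= min_techniques)
```

The benign fs02 events show why the service rule keys on sc.exe rather than the service name alone: the legitimate wercplsupport host process produces no hit.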
Groups, software, and campaigns
S1144: FRP
FRP, which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a server located behind a firewall or Network Address Translation (NAT) to the Internet. FRP can support multiple protocols including TCP, UDP, and HTTP(S) and has been abused by threat actors to proxy command and control communications.[1][2][3][4]
S0002: Mimikatz
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 3751d2a13f33… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] RedCanary Mockingbird May 2020: Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
[2] mitre-attack G0108
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.