S0133: Miner-C

Miner-C is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. [1]

Enterprise | S0133 | Malware | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Miner-C matters because it represents a resource-theft malware case where cryptocurrency mining is paired with spreading through shared or network-accessible storage, including FTP servers and NAS devices as described in the ATT&CK description and cited reference. For leaders, the practical issue is not only the mining activity itself; it is whether file-sharing infrastructure can become a propagation path that degrades availability, consumes compute resources, and creates incident response uncertainty across unmanaged or lightly monitored storage assets.

Executive priority

Treat this as a validation point for operational resilience around shared storage, NAS, and FTP-like services. Security leaders should ask whether these assets are inventoried, monitored, patched, and included in incident response playbooks. The ATT&CK relationship to T1080 Taint Shared Content makes this relevant to lateral movement readiness: if shared content can be modified without strong controls or monitoring, a malware incident can become a broader business disruption and audit-evidence problem.

Technical view

ATT&CK provides no Miner-C-specific detection guidance and no malware platform list, so SOC and IR teams should anchor validation on the described behavior and the T1080 relationship. Confirm whether shared storage locations, NAS devices, FTP services, and internal repositories are monitored for suspicious file changes, unexpected executable or script placement, abnormal access patterns, and signs of cryptocurrency-mining resource usage. For T1080 context, detection should focus on unauthorized modification of shared content and downstream execution from shared locations across the platforms supported by the related technique: Windows, SaaS, Linux, and macOS.

Likely telemetry

  • NAS and shared-storage file creation, modification, and permission-change logs
  • FTP server authentication, upload, download, and directory listing logs
  • Endpoint process execution and command-line telemetry where shared content may be opened or executed
  • Network telemetry showing unusual connections from storage devices or servers
  • CPU, memory, and process utilization indicators consistent with unexpected mining activity

Detection direction

  • Validate that storage infrastructure is in scope for monitoring; NAS and FTP assets are often less visible than standard endpoints.
  • Alert on unusual or unauthorized writes to shared locations, especially executable, script, archive, or web-accessible content where such files are not expected.
  • Correlate suspicious shared-content changes with later execution events from user systems or servers, consistent with the T1080 relationship.
  • Tune for legitimate administrative uploads, software distribution workflows, backups, and developer repository activity to reduce false positives.
  • Look for abnormal resource consumption on affected systems, but do not rely on CPU usage alone because it is noisy and not Miner-C-specific.
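
The write-then-execute correlation from the detection list above, as an added Python example (not part of ATT&CK or this page's source data). Hosts, accounts, file names, log fields, the allowlist and the seven-day window are constructed assumptions.

```python
from datetime import datetime, timedelta
from posixpath import splitext

# All names, hosts, accounts and thresholds below are constructed assumptions.
RISKY_EXT = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".zip"}
ALLOWED_WRITERS = {"svc-deploy"}   # tuned-out software distribution account
WINDOW = timedelta(days=7)         # how long after a write an execution is linked

WRITES = [  # constructed NAS/FTP upload records
    {"ts": "2024-05-01T02:14:07", "host": "nas01", "user": "anonymous", "path": "/public/viewer.scr"},
    {"ts": "2024-05-01T09:00:00", "host": "nas01", "user": "svc-deploy", "path": "/public/tools/setup.exe"},
    {"ts": "2024-05-01T10:30:00", "host": "nas01", "user": "alice", "path": "/public/q2-report.docx"},
]
EXECS = [  # constructed endpoint process-creation records
    {"ts": "2024-05-02T08:31:40", "host": "ws-114", "image": r"\\NAS01\public\viewer.scr"},
    {"ts": "2024-05-02T09:05:00", "host": "ws-200", "image": r"\\nas01\public\tools\setup.exe"},
    {"ts": "2024-05-02T09:10:00", "host": "ws-114", "image": r"C:\Windows\System32\notepad.exe"},
]

def share_key(host, path):
    """Normalise (storage host, path) so FTP paths and UNC paths compare equal."""
    return host.lower(), path.replace("\\", "/").strip("/").lower()

def unc_key(image):
    """Return the share key for a UNC image path, or None for local images."""
    if not image.startswith("\\\\"):
        return None
    host, _, rest = image[2:].partition("\\")
    return share_key(host, rest)

def suspicious_writes(writes):
    """Writes of executable/script/archive content by non-allowlisted accounts."""
    return [w for w in writes
            if splitext(w["path"].lower())[1] in RISKY_EXT
            and w["user"] not in ALLOWED_WRITERS]

def correlate(writes, execs):
    """Pair each suspicious write with later executions of the same shared file."""
    index = {share_key(w["host"], w["path"]): w for w in suspicious_writes(writes)}
    findings = []
    for e in execs:
        w = index.get(unc_key(e["image"]))
        if w is None:
            continue
        delta = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(w["ts"])
        if timedelta(0) <= delta <= WINDOW:
            findings.append({"file": w["path"], "writer": w["user"],
                             "executed_on": e["host"], "lag": delta})
    return findings
```

On the sample data, only the anonymous upload that is later run from a workstation is reported; the allowlisted deployment upload and the document write are tuned out.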

Mitigation priorities

  • Inventory and classify NAS, FTP, and shared-storage assets, including ownership and business criticality.
  • Restrict write permissions to shared locations using least privilege and separate administrative accounts where practical.
  • Enable logging and retention for storage, FTP, identity, and endpoint activity sufficient to reconstruct file modification and execution chains.
  • Apply file integrity monitoring or equivalent change control to high-risk shared directories and repositories.
  • Include NAS and FTP services in vulnerability management, patching, backup, and incident response procedures.

Analyst notes and limits

The strongest relationship-supported point is lateral movement via T1080 Taint Shared Content. Miner-C’s official ATT&CK description specifically mentions Monero mining and targeting FTP servers and NAS devices to spread, with the Softpedia reference focused on Seagate NAS hard drives. This take therefore emphasizes shared-storage governance, monitoring, and IR readiness rather than claiming a complete malware behavior profile.

ATT&CK does not provide Miner-C tactics, platforms, aliases, labels, or official detection guidance in the supplied fields. The only provided behavior relationship is use of T1080. Any assertion about affected products, current activity, specific indicators, exploit methods, or guaranteed detection would require external intelligence or local evidence not supplied here.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1080 | Taint Shared Content | Miner-C copies itself into the public folder of Network Attached Storage (NAS) devices and infects new victims who open the file. (Citation: Softpedia MinerC) |

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f1b9b0742c9348db...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f1b9b0742c93… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Softpedia MinerC. Cimpanu, C. (2016, September 9). Cryptocurrency Mining Malware Discovered Targeting Seagate NAS Hard Drives. Retrieved September 12, 2024.
  2. [2] mitre-attack S0133.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.