S0451: LoudMiner
Analyst context for executives and security teams
LoudMiner matters because it turns employee endpoints into resource theft infrastructure: a cryptocurrency miner bundled with pirated VST software on Windows and macOS, using virtualization to hide activity and consume system resources. For leaders, the practical issue is not only malware cleanup; it is whether the organization can prevent untrusted software installation, detect unauthorized virtual machines, and prove endpoint monitoring can see persistence, execution, and resource abuse across both Windows and macOS fleets.
Executive priority
Prioritize this as an endpoint governance and resilience risk. The supplied ATT&CK relationships connect LoudMiner to compute hijacking, virtualization-based hiding, persistence via Windows services and macOS Launch Daemons, shell execution, ingress tool transfer, and discovery activity. Executives should ask whether software acquisition controls prevent pirated or unapproved tools, whether SOC telemetry covers macOS as well as Windows, and whether incident responders can distinguish legitimate virtualization or installer activity from resource-abuse malware.
Technical view
SOC and IR teams should validate behavior-based coverage rather than relying on a named-malware signature, because ATT&CK provides no official detection text for this object. Focus on Windows and macOS hosts where unapproved VST-related installers, virtualization processes, miner-like resource consumption, shell activity, encoded or obfuscated commands/files, file deletion, hidden files, and persistence changes occur together. Relationship-driven validation should include T1496.001 Compute Hijacking, T1564.006 Run Virtual Instance, T1543.003 Windows Service, T1543.004 Launch Daemon, T1569.001 Launchctl, T1569.002 Service Execution, T1059.003 Windows Command Shell, T1059.004 Unix Shell, T1105 Ingress Tool Transfer, and discovery commands tied to network, process, and system information.
Likely telemetry
- Endpoint process creation and command-line logs for cmd, Unix shells, launchctl, service-control utilities, and msiexec
- Windows service creation/modification events and related registry/service configuration evidence
- macOS LaunchDaemon plist creation/modification and launchctl execution evidence
- File creation, deletion, hidden-file attributes, and encoded/encrypted artifact metadata
- Virtualization software installation, VM process activity, virtual disk/network artifacts, and host-to-VM resource usage indicators
Detection direction
- Build detections around correlated behaviors: unauthorized virtualization plus sustained compute usage plus persistence or shell execution is higher value than any single event.
- Validate both Windows and macOS coverage; macOS LaunchDaemon and launchctl monitoring is a common blind spot compared with Windows service monitoring.
- Tune for legitimate virtualization, audio-production software, software installers, and administrator maintenance to reduce false positives while preserving alerts for unapproved software paths, hidden locations, or unusual parent-child process chains.
- Treat obfuscated command execution, encoded files, and cleanup via file deletion as supporting evidence, especially when near installer execution or VM startup.
- Confirm whether endpoint tooling can observe only the host or also activity inside virtual instances; ATT&CK notes virtualization can hide artifacts from tools that cannot monitor inside the VM.
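The correlation the detection direction above describes (a virtual instance starting, persistence or shell/installer activity near it, and sustained compute use afterwards) can be prototyped over endpoint events before it is ported to a SIEM. The following is an added example, not code from ESET, MITRE or the mirror site; the event schema (ts, host, type, image, cpu_pct), the process-name lists, the thresholds and the sample events are all constructed assumptions.

```python
"""
Behavior-correlation sketch for the LoudMiner-style chain discussed above:
a virtual instance starting (T1564.006), persistence or shell/installer
activity near it (T1543.003/.004, T1059.003/.004, T1218.007), and sustained
CPU use afterwards (T1496.001). Added illustration, not ESET's or MITRE's
code. The event schema (ts/host/type/image/cpu_pct), process-name lists
and thresholds are assumptions; the sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

VM_PROCESSES = {"qemu-system-x86_64", "vboxheadless", "vboxsvc"}
SHELL_OR_INSTALLER = {"cmd.exe", "sh", "bash", "zsh", "launchctl", "msiexec.exe"}
PERSISTENCE_EVENTS = {"service_create", "launchdaemon_plist_create"}
CPU_THRESHOLD = 80.0                    # percent
CPU_MIN_DURATION = timedelta(minutes=10)
WINDOW = timedelta(hours=1)             # how close persistence/shell must be to VM start


def sustained_cpu(samples, threshold=CPU_THRESHOLD, min_duration=CPU_MIN_DURATION):
    """True if a contiguous run of (datetime, percent) samples stays at or
    above threshold for at least min_duration; a single dip resets the run."""
    run_start = None
    for ts, pct in sorted(samples):
        if pct >= threshold:
            run_start = run_start or ts
            if ts - run_start >= min_duration:
                return True
        else:
            run_start = None
    return False


def correlate(events, window=WINDOW):
    """Group events per host and return {host: {"flags": set, "alert": bool}}.
    An alert needs a VM process, sustained CPU after it started, and at least
    one persistence or shell/installer event within `window` of a VM start."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    def near(a_list, b_list):
        return any(abs(a - b) <= window for a in a_list for b in b_list)

    results = {}
    for host, evs in by_host.items():
        vm_ts, persist_ts, shell_ts, cpu = [], [], [], []
        for e in evs:
            ts = datetime.fromisoformat(e["ts"])
            if e["type"] == "process_create":
                image = e["image"].lower()
                if image in VM_PROCESSES:
                    vm_ts.append(ts)
                elif image in SHELL_OR_INSTALLER:
                    shell_ts.append(ts)
            elif e["type"] in PERSISTENCE_EVENTS:
                persist_ts.append(ts)
            elif e["type"] == "cpu_sample":
                cpu.append((ts, float(e["cpu_pct"])))

        flags = set()
        if vm_ts:
            flags.add("vm_instance")
        if near(persist_ts, vm_ts):
            flags.add("persistence_near_vm")
        if near(shell_ts, vm_ts):
            flags.add("shell_or_installer_near_vm")
        if vm_ts and sustained_cpu([s for s in cpu if s[0] >= min(vm_ts)]):
            flags.add("sustained_cpu_after_vm")
        alert = ({"vm_instance", "sustained_cpu_after_vm"} <= flags
                 and bool(flags & {"persistence_near_vm", "shell_or_installer_near_vm"}))
        results[host] = {"flags": flags, "alert": alert}
    return results


def _ev(ts, host, type_, **extra):
    return {"ts": ts, "host": host, "type": type_, **extra}


# Constructed sample telemetry (not real logs): a Windows and a macOS host
# showing the full chain, and a developer host running a VM without
# persistence or sustained load, which must not alert.
SAMPLE_EVENTS = [
    _ev("2024-01-01T10:00:00", "win-01", "process_create", image="msiexec.exe"),
    _ev("2024-01-01T10:02:00", "win-01", "service_create", name="constructed-vm-svc"),
    _ev("2024-01-01T10:03:00", "win-01", "process_create", image="VBoxHeadless"),
    _ev("2024-01-01T10:05:00", "win-01", "cpu_sample", cpu_pct=85),
    _ev("2024-01-01T10:10:00", "win-01", "cpu_sample", cpu_pct=90),
    _ev("2024-01-01T10:15:00", "win-01", "cpu_sample", cpu_pct=88),
    _ev("2024-01-01T11:00:00", "mac-01", "process_create", image="sh"),
    _ev("2024-01-01T11:01:00", "mac-01", "launchdaemon_plist_create",
        path="/Library/LaunchDaemons/constructed.plist"),
    _ev("2024-01-01T11:02:00", "mac-01", "process_create", image="qemu-system-x86_64"),
    _ev("2024-01-01T11:05:00", "mac-01", "cpu_sample", cpu_pct=95),
    _ev("2024-01-01T11:10:00", "mac-01", "cpu_sample", cpu_pct=93),
    _ev("2024-01-01T11:15:00", "mac-01", "cpu_sample", cpu_pct=97),
    _ev("2024-01-01T09:00:00", "dev-02", "process_create", image="VBoxHeadless"),
    _ev("2024-01-01T09:05:00", "dev-02", "cpu_sample", cpu_pct=85),
    _ev("2024-01-01T09:10:00", "dev-02", "cpu_sample", cpu_pct=40),
    _ev("2024-01-01T09:15:00", "dev-02", "cpu_sample", cpu_pct=85),
]

if __name__ == "__main__":
    for host, r in sorted(correlate(SAMPLE_EVENTS).items()):
        print(host, "ALERT" if r["alert"] else "ok", sorted(r["flags"]))
```

The developer host shows why the combined rule is the one worth tuning: a VM process alone, or a short CPU spike alone, produces flags but no alert, which is the false-positive budget the tuning bullet above is about. In a real deployment the process lists and thresholds would come from the organization's approved-software inventory rather than the constants here.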
Mitigation priorities
- Strengthen software governance first: restrict pirated/unapproved software and maintain auditable software inventory for Windows and macOS endpoints.
- Limit local administrative rights needed to install services, LaunchDaemons, virtualization software, or persistent background components.
- Control and monitor virtualization software use; require business justification and alert on unauthorized VM creation or execution.
- Apply application control or approved-software enforcement where feasible for installers, scripting shells, service utilities, and virtualization components.
- Ensure endpoint hardening and logging cover macOS persistence mechanisms as well as Windows services.
Analyst notes and limits
The key decision value is coverage validation: LoudMiner’s official ATT&CK description is narrow, but its relationships show a cross-platform behavior chain involving untrusted software delivery, shell execution, persistence, hiding through virtualization, discovery, cleanup, and compute-resource abuse. This should inform managed detection use cases, IR collection plans, endpoint governance, and audit evidence around approved software and administrative control.
ATT&CK provides no official detection guidance, no aliases, no labels, and no object-level tactics for LoudMiner in the supplied fields. The assessment is based only on the official description, the ESET external reference, and ATT&CK relationship context. Local prevalence, exposure to pirated VST software, and actual monitoring coverage must be confirmed from the customer environment.
LoudMiner
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1057 | Process Discovery | LoudMiner used the |
| Enterprise | T1569.001 | Launchctl | LoudMiner launched the QEMU services in the |
| Enterprise | T1027.010 | Command Obfuscation | LoudMiner has obfuscated various scripts. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | LoudMiner has encrypted DMG files. [1] |
| Enterprise | T1564.001 | Hidden Files and Directories | LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to "hidden". [1] |
| Enterprise | T1059.004 | Unix Shell | LoudMiner used shell scripts to launch various services and to start/stop the QEMU virtualization. [1] |
| Enterprise | T1543.004 | Launch Daemon | LoudMiner adds plist files with the naming format |
| Enterprise | T1496.001 | Compute Hijacking | LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero. [1] |
| Enterprise | T1543.003 | Windows Service | LoudMiner can automatically launch a Linux virtual machine as a service at startup if the AutoStart option is enabled in the VBoxVmService configuration file. [1] |
| Enterprise | T1189 | Drive-by Compromise | LoudMiner is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | LoudMiner used a script to gather the IP address of the infected machine before sending to the C2. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | LoudMiner used SCP to update the miner from the C2. [1] |
| Enterprise | T1569.002 | Service Execution | LoudMiner started the cryptomining virtual machine as a service on the infected machine. [1] |
| Enterprise | T1070.004 | File Deletion | LoudMiner deleted installation files after completion. [1] |
| Enterprise | T1082 | System Information Discovery | LoudMiner has monitored CPU usage. [1] |
| Enterprise | T1564.006 | Run Virtual Instance | LoudMiner has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine, which runs XMRig and makes connections to the C2 server for updates. [1] |
| Enterprise | T1218.007 | Msiexec | LoudMiner used an MSI installer to install the virtualization software. [1] |
| Enterprise | T1059.003 | Windows Command Shell | LoudMiner used a batch script to run the Linux virtual machine as a service. [1] |
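The macOS rows above (Launch Daemon persistence, launchctl execution, hidden directories, running a virtual instance) suggest a simple audit a responder can run against a host's LaunchDaemons. The following is an added example, not code from ESET, MITRE or the mirror site; the heuristics, the label names and the sample plists are constructed assumptions and do not reproduce LoudMiner's actual file names, which this page does not give.

```python
"""
LaunchDaemon plist review for the macOS persistence rows above (T1543.004,
T1569.001) and the hiding rows (T1564.001, T1564.006). Added illustration,
not ESET's or MITRE's code. The heuristics, label names and sample plists
are constructed assumptions and do not reproduce LoudMiner's real artifacts.
"""
import os
import plistlib

# Executable name fragments that indicate a daemon starts a virtual instance (assumption).
VM_BINARIES = ("qemu-system", "vboxheadless", "vboxmanage")


def hidden_path(path):
    """True if any component of path is dot-prefixed (hidden in Finder and plain ls)."""
    return any(part.startswith(".") for part in str(path).split("/") if part)


def review_launchdaemon(plist_bytes):
    """Parse one plist (XML or binary) and return a list of finding strings."""
    data = plistlib.loads(plist_bytes)
    args = [str(a) for a in data.get("ProgramArguments") or []]
    executable = data.get("Program") or (args[0] if args else "")
    tokens = [executable] + args
    findings = []
    if any(b in t.lower() for t in tokens for b in VM_BINARIES):
        findings.append("starts a virtual instance (T1564.006)")
    if any(hidden_path(t) for t in tokens):
        findings.append("executes from or references a hidden path (T1564.001)")
    # KeepAlive may be a bool or a dict of conditions; either is truthy here.
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        findings.append("RunAtLoad plus KeepAlive: restarts on every boot and after kill")
    return findings


def review_directory(dirpath="/Library/LaunchDaemons"):
    """Review every .plist in a LaunchDaemons directory; returns {filename: findings}."""
    report = {}
    for name in sorted(os.listdir(dirpath)):
        if name.endswith(".plist"):
            with open(os.path.join(dirpath, name), "rb") as fh:
                try:
                    report[name] = review_launchdaemon(fh.read())
                except plistlib.InvalidFileException:
                    report[name] = ["unparseable plist"]
    return report


# Constructed sample plists (not LoudMiner's real artifacts).
SUSPICIOUS_PLIST = plistlib.dumps({
    "Label": "com.example.constructed.vmservice",
    "ProgramArguments": ["/Users/Shared/.vm/qemu-system-x86_64", "-daemonize",
                         "-hda", "/Users/Shared/.vm/disk.qcow2"],
    "RunAtLoad": True,
    "KeepAlive": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.constructed.backupagent",
    "ProgramArguments": ["/usr/local/bin/backup-agent", "--daemon"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    print(review_launchdaemon(SUSPICIOUS_PLIST))
    print(review_launchdaemon(BENIGN_PLIST))
```

Run `review_directory()` on a live host to get a per-file report; findings are supporting evidence to be read alongside the software inventory, since legitimate virtualization products also install daemons with RunAtLoad and KeepAlive set.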
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | 6a344fcf38f8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET LoudMiner June 2019: Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
- [2] mitre-attack S0451 (MITRE ATT&CK source record)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.