MITRE ATT&CK® Technique

T1496.001: Compute Hijacking

Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.

One common purpose for Compute Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.[1] Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Compute Hijacking and cryptocurrency mining.[2] Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.[3][4]

Additionally, some cryptocurrency mining malware identifies and then kills off processes belonging to competing malware to ensure it is not competing for resources.[5]

Domain: Enterprise. ID: T1496.001. Type: Sub-technique. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Compute Hijacking is the abuse of an organization’s endpoints, servers, cloud workloads, or containers to run resource-intensive activity such as cryptocurrency mining. The business issue is not only “malware on a host”; it is degraded availability, unexpected cloud consumption, noisy infrastructure, and possible evidence of broader compromise in environments that support production services.

Executive priority

Prioritize this behavior where compute capacity directly affects customer-facing services, cloud spend, research/AI workloads, container platforms, or regulated operations that require availability evidence. Leaders should ask whether teams can quickly distinguish legitimate high CPU/cloud scaling from unauthorized resource use, whether unused cloud regions and exposed container APIs are governed, and whether incident response plans include cost containment and service restoration decisions.

Technical view

ATT&CK lists this sub-technique under Impact and applies it to Windows, Linux, macOS, IaaS, and Containers. There is no official ATT&CK detection text for this object, but the relationship to DET0540 indicates a multi-platform behavioral detection strategy exists. SOC and IR teams should validate behavior-based coverage across hosts, cloud accounts, and container clusters for abnormal sustained compute use, unexpected miner-like processes or containers, unauthorized deployments, and process-killing behavior that may target competing malware. Relationship context includes campaigns, groups, and software observed using this behavior, including ShadowRay, APT41, Rocke, Blue Mockingbird, TeamTNT, Imminent Monitor, LoudMiner, Skidmap, Bonadan, CookieMiner, Lucifer, Kinsing, Hildegard, and DarkGate; use that context for threat-informed testing without assuming local exposure.

Likely telemetry

  • Host process creation and command-line metadata on Windows, Linux, and macOS
  • CPU, memory, and workload performance metrics from endpoints and servers
  • Cloud/IaaS usage, billing, region, and instance activity logs
  • Container runtime, Kubernetes, kubelet, API server, pod, and image deployment logs where applicable
  • Network connections from workloads to cryptocurrency-related infrastructure when locally defined by threat intelligence

Detection direction

  • Because ATT&CK provides no official detection text, validate local detections against behavior: sustained abnormal compute consumption, unexpected processes or containers, unauthorized cloud region activity, and unexplained service degradation.
  • Tune analytics to reduce false positives from legitimate batch jobs, AI/ML training, software builds, backup/indexing jobs, and approved autoscaling activity.
  • Correlate performance anomalies with identity, deployment, and configuration events so alerts do not rely only on high CPU thresholds.
  • For containers and IaaS, verify visibility into exposed APIs, cluster-level deployments, cloud regions not normally used, and rapid replication of workloads.
  • Use relationship-driven context to test for Windows, Linux, macOS, IaaS, and container coverage, but do not treat listed groups or software as evidence of intrusion without local indicators.

Mitigation priorities

  • Establish baseline compute usage and approved high-intensity workloads for endpoints, servers, cloud accounts, and container clusters.
  • Restrict and monitor cloud regions, container APIs, kubelet access, and deployment permissions according to business need.
  • Harden exposed container and cloud management interfaces and review misconfiguration paths that could enable unauthorized workload deployment.
  • Implement cost, quota, and anomaly monitoring so resource abuse triggers both security and finance/operations review.
  • Prepare IR playbooks for containment that include stopping unauthorized workloads, preserving evidence, rotating affected credentials where warranted by investigation, and restoring service capacity.
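To make the detection direction above and the baseline item in the mitigation priorities concrete, here is an added Python illustration (not Glexia or MITRE code) that flags sustained CPU use above a per-host baseline and then correlates each run with deployment events against an approved-workload inventory, so alerts do not rest on a CPU threshold alone. Host names, thresholds, and the telemetry tuples are constructed assumptions.

```python
from collections import defaultdict

# Constructed baseline: normal CPU % per host plus the approved high-intensity workloads.
BASELINE_CPU = {"build-01": 35.0, "ml-02": 60.0, "web-03": 12.0, "db-04": 20.0}
APPROVED = {"build-01": {"ci-runner"}, "ml-02": {"torch-train"}}
OVER_BASELINE, SUSTAIN, LOOKBACK = 40.0, 4, 3  # assumed: points above baseline, samples, minutes

# Constructed per-minute CPU samples as (host, minute, cpu_pct) tuples.
CPU_SAMPLES = [(h, m, c) for h, series in {
    "build-01": [30, 95, 96, 97, 98, 40],   # approved CI job
    "ml-02": [55, 99, 99, 99, 99, 99],      # high, but under this host's baseline plus margin
    "web-03": [10, 11, 97, 98, 99, 99],     # web tier suddenly pegged
    "db-04": [18, 90, 91, 90, 92, 93],      # pegged with no deployment record
}.items() for m, c in enumerate(series)]
# Constructed deployment/process-creation events as (host, minute, workload, actor).
DEPLOY_EVENTS = [("build-01", 0, "ci-runner", "jenkins-svc"),
                 ("ml-02", 0, "torch-train", "researcher"),
                 ("web-03", 1, "unknown-bin", "www-data")]

def sustained_runs(samples):
    """Return {host: start_minute} for the first run of SUSTAIN samples above baseline + OVER_BASELINE."""
    by_host = defaultdict(list)
    for host, minute, cpu in samples:
        by_host[host].append((minute, cpu))
    runs = {}
    for host, series in by_host.items():
        limit, streak = BASELINE_CPU.get(host, 0.0) + OVER_BASELINE, 0
        for minute, cpu in sorted(series):
            streak = streak + 1 if cpu > limit else 0
            if streak == SUSTAIN:
                runs[host] = minute - SUSTAIN + 1
                break
    return runs

def triage(samples, events):
    """Correlate each sustained run with recent deployment events; return {host: (severity, reason)}."""
    findings = {}
    for host, start in sustained_runs(samples).items():
        recent = [e for e in events if e[0] == host and start - LOOKBACK <= e[1] <= start]
        approved = [e for e in recent if e[2] in APPROVED.get(host, set())]
        if approved:   # known batch/build/training job: suppress, keep for audit
            findings[host] = ("info", f"approved workload {approved[0][2]}")
        elif recent:   # compute spike explained by an unapproved deployment
            findings[host] = ("high", f"unapproved workload {recent[-1][2]} started by {recent[-1][3]}")
        else:          # spike with no provenance: investigate process/container creation
            findings[host] = ("medium", "sustained compute anomaly with no matching deployment")
    return findings
```

In production the constructed tuples would be replaced by performance metrics and deployment or identity events from the telemetry sources listed above, with the baseline and approved set maintained per host or cluster.
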

Analyst notes and limits

This object is a sub-technique of T1496 Resource Hijacking and is focused on compute resource abuse. The supplied relationships show broad relevance across endpoint, cloud, and container environments, with several related software and group examples. The most useful defensive decision is whether the organization has telemetry that connects compute anomalies to identity, deployment, and workload provenance.

Official MITRE detection guidance is not provided for this object, so the detection direction is inferred from the official description, platforms, tactic, external references, and the DET0540 relationship. Local baselines, approved workload inventory, cloud architecture, and container exposure are required to determine material risk and detection quality.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1496 | Resource Hijacking | This object is a sub-technique of Resource Hijacking.

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0106: Rocke

Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name Rocke comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between Rocke and the Iron Cybercrime Group, though this attribution has not been confirmed.[1]

Group (Enterprise)

G0108: Blue Mockingbird

Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.[1]

Group (Enterprise)

G0139: TeamTNT

TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.[1][2][3][4][5][6][7][8][9]

Group (Enterprise)

G0096: APT41

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]

Malware (Enterprise)

S0532: Lucifer

Lucifer is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.[1]

Platforms: Windows

Malware (Enterprise)

S0492: CookieMiner

CookieMiner is mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.[1]

Platforms: macOS

Malware (Enterprise)

S0486: Bonadan

Bonadan is a malicious version of OpenSSH which acts as a custom backdoor. Bonadan has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.[1]

Platforms: Linux

Malware (Enterprise)

S0451: LoudMiner

LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.[1]

Platforms: macOS, Windows

Malware (Enterprise)

S1111: DarkGate

DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.[1] DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.[2]

Platforms: Windows

Tool (Enterprise)

S0434: Imminent Monitor

Imminent Monitor was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.[1]

Platforms: Windows

Malware (Enterprise)

S0601: Hildegard

Hildegard is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind Hildegard.[1]

Platforms: Linux, Containers, IaaS

Malware (Enterprise)

S0599: Kinsing

Kinsing is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim environment.[1][2][3]

Platforms: Containers, Linux

Campaign (Enterprise)

C0045: ShadowRay

ShadowRay was a campaign that began in late 2023 targeting the education, cryptocurrency, biopharma, and other sectors through a vulnerability (CVE-2023-48022) in the Ray AI framework named ShadowRay. According to security researchers, ShadowRay was the first known instance of AI workloads being actively exploited in the wild through vulnerabilities in AI infrastructure. CVE-2023-48022, which allows access to compute resources and sensitive data for exposed instances, remains unpatched and has been disputed by the vendor as they maintain that Ray is not intended for use outside of a strictly controlled network environment.[1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: f85446cbaffe64ba...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | f85446cbaffe…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Kaspersky Lazarus Under The Hood Blog 2017: GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.
  2. [2] CloudSploit - Unused AWS Regions: CloudSploit. (2019, June 8). The Danger of Unused AWS Regions. Retrieved October 8, 2019.
  3. [3] Unit 42 Hildegard Malware: Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  4. [4] Trend Micro Exposed Docker APIs: Oliveira, A. (2019, May 30). Infected Containers Target Docker via Exposed APIs. Retrieved April 6, 2021.
  5. [5] Trend Micro War of Crypto Miners: Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency Miners: A Battle for Resources. Retrieved April 6, 2021.
  6. [6] mitre-attack T1496.001

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.