1. Home
  2. Techniques
  3. Enterprise
  4. Resource Hijacking
  5. Compute Hijacking

Resource Hijacking: Compute Hijacking

ID Name
T1496.001 Compute Hijacking
T1496.002 Bandwidth Hijacking
T1496.003 SMS Pumping
T1496.004 Cloud Service Hijacking

Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability.

One common purpose for Compute Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.[1] Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Compute Hijacking and cryptocurrency mining.[2] Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.[3][4]

Additionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.[5]

ID: T1496.001
Sub-technique of:  T1496
Tactic: Impact
Platforms: Containers, IaaS, Linux, Windows, macOS
Impact Type: Availability
Version: 1.0
Created: 25 September 2024
Last Modified: 15 April 2025
Version Permalink

Procedure Examples

ID Name Description
G0096 APT41

APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment.[6][7]
G0108 Blue Mockingbird

Blue Mockingbird has used XMRIG to mine cryptocurrency on victim systems.[8]
S0486 Bonadan

Bonadan can download an additional module which has a cryptocurrency mining extension.[9]
S0492 CookieMiner

CookieMiner has loaded coinmining software onto systems to mine for Koto cryptocurrency. [10]
S1111 DarkGate

DarkGate can deploy follow-on cryptocurrency mining payloads.[11]
S0601 Hildegard

Hildegard has used xmrig to mine cryptocurrency.[3]
S0434 Imminent Monitor

Imminent Monitor has the capability to run a cryptocurrency miner on the victim machine.[12]
S0599 Kinsing

Kinsing has created and run a Bitcoin cryptocurrency miner.[13][14]
S0451 LoudMiner

LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero.[15]

S0532 Lucifer

Lucifer can use system resources to mine cryptocurrency, dropping XMRig to mine Monero.[16]
G0106 Rocke

Rocke has distributed cryptomining malware.[17][18]
C0045 ShadowRay

During ShadowRay, threat actors leveraged graphics processing units (GPU) on compromised nodes for cryptocurrency mining.[19]
S0468 Skidmap

Skidmap is a kernel-mode rootkit used for cryptocurrency mining.[20]
G0139 TeamTNT

TeamTNT has deployed XMRig Docker images to mine cryptocurrency.[21][22] TeamTNT has also infected Docker containers and Kubernetes clusters with XMRig, and used RainbowMiner and lolMiner for mining cryptocurrency.[23]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0540 Multi-Platform Behavioral Detection for Compute Hijacking AN1489

Sustained execution of resource-intensive processes (e.g., cryptocurrency miners), often launched via scheduled tasks, WMI, or PowerShell. These processes frequently establish persistent external connections and attempt to evade detection using masqueraded or renamed binaries.
AN1490

Unusual long-running processes consuming high CPU cycles (e.g., via 'top' or 'ps') initiated via cron, shell scripts, or Docker. Connections to known mining pools or DNS over HTTPS usage as evasion.
AN1491

Persistent or background daemons (e.g., plist or launchd jobs) spawning high-CPU processes like xmrig or cpuminer. Outbound encrypted traffic to IPs/domains commonly used by mining proxies.
AN1492

Ephemeral or unauthorized container instantiation using public images (e.g., from DockerHub) that initiate high CPU usage shortly after startup. Often scheduled via Kubernetes or Docker socket abuse.
AN1493

Unauthorized instance creation in unmonitored or unused regions. Burst of compute-intensive jobs in spot instances or sudden spike in resource usage in legitimate VMs.

References

  1. GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019.
  2. CloudSploit. (2019, June 8). The Danger of Unused AWS Regions. Retrieved October 8, 2019.
  3. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  4. Oliveira, A. (2019, May 30). Infected Containers Target Docker via Exposed APIs. Retrieved April 6, 2021.
  5. Oliveira, A., Fiser, D. (2020, September 10). War of Linux Cryptocurrency Miners: A Battle for Resources. Retrieved April 6, 2021.
  6. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  7. Mandiant. (n.d.). APT41, A DUAL ESPIONAGE AND CYBER CRIME OPERATION. Retrieved June 11, 2024.
  8. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  9. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  10. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  11. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  12. Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020.
  1. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
  2. Huang, K. (2020, November 23). Zoom into Kinsing. Retrieved April 1, 2021.
  3. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
  4. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  5. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  6. Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
  7. Lumelsly, A. et al. (2024, March 26). ShadowRay: First Known Attack Campaign Targeting AI Workloads Actively Exploited In The Wild. Retrieved December 2, 2024.
  8. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  9. Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 16, 2024.
  10. Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.
  11. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.