Malicious actors are attempting to infect computers with an XMRig-based cryptominer that runs inside Tiny Core Linux virtual machines and is being bundled with pirated copies of Virtual Studio Technology (VST) software applications. Dubbed LoudMiner, the Monero-mining software first appeared in August 2018, and works by abusing virtualization software: QEMU on macOS machines and VirtualBox on Windows devices.

Each of these apps is bundled with virtualization software; a Linux image, identified as Tiny Core Linux 9.0, configured to run XMRig; and additional files that allow the malware to achieve persistence so that it can survive a reboot and immediately relaunch.

“Moreover, the decision to use virtual machines instead of a leaner solution is quite remarkable and this is not something we routinely see.”

The researchers have uncovered four different versions of LoudMiner: three for macOS and one for Windows. The three macOS versions all come with QEMU Linux images, shell scripts used to launch these images, and daemons for starting the shell scripts and keeping them running.
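The macOS persistence chain described above (a daemon that keeps a shell script running, which in turn launches a QEMU image) can be hunted for by auditing launchd job definitions. The following is an added example, not code from the researchers or the original article; the labels, paths, script contents and the `qemu-system` name match are constructed assumptions, not indicators from the report.

```python
import plistlib

# Constructed samples: hypothetical labels and paths, not indicators from the report.
SUSPECT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.helper</string>
<key>ProgramArguments</key>
<array><string>/bin/sh</string><string>/opt/example/launch.sh</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/opt/example/updater</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""
SCRIPTS = {"/opt/example/launch.sh":
           "#!/bin/sh\n/opt/example/qemu-system-x86_64 -nographic -hda /opt/example/vm.qcow2\n"}

SHELLS = {"sh", "bash", "zsh"}
EMULATOR_HINT = "qemu-system"  # assumption: QEMU binaries keep their usual name prefix

def launched_script(job):
    """Return the shell script a launchd job runs, or None if it runs a binary."""
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    if args[0].rsplit("/", 1)[-1] in SHELLS and len(args) > 1:
        return args[1]
    return args[0] if args[0].endswith(".sh") else None

def audit(plist_bytes, read_script):
    """Flag a job that launchd keeps restarting and whose script starts QEMU."""
    job = plistlib.loads(plist_bytes)
    script = launched_script(job)
    # KeepAlive may be a bool or a dict of conditions; either form means restarts.
    kept_alive = bool(job.get("RunAtLoad")) and bool(job.get("KeepAlive"))
    # read_script returns the script text, or None when the file is unavailable.
    body = (read_script(script) or "") if script else ""
    starts_vm = EMULATOR_HINT in body.lower()
    return {"label": job.get("Label"), "script": script,
            "kept_alive": kept_alive, "starts_vm": starts_vm,
            "suspicious": kept_alive and starts_vm}

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(audit(sample, SCRIPTS.get))
```

On a live host, `read_script` would read the file from disk; a match is a lead for review, since legitimate virtualization setups can have the same shape.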