Researchers at AT&T have released details about a sophisticated cryptomining attack observed recently. Malicious attachments with a special emphasis on Mexican institutions and citizens were used as a lure to attract victims. 

Key takeaways

  • According to researchers, at least 100 different malware loaders were deployed in the four-stage attack chain process. This enabled the smooth download of miners and backdoors on the infected systems.
  • Unlike IoT malware strains that are used to reach the biggest number of infected devices, these attacks target victims through phishing emails.
  • This wide-scale use of malware loader, along with backdoors and miner malware, highlights the continuous evolution of attackers’ tactics and techniques to successfully deliver their payloads.

More insights

  • The attacks were first observed in April, with the loaders being delivered to the victims through an executable disguise like a spreadsheet.
  • A wide range of decoy documents, many of them associated with Mexican civilians, exam results, and dentist results were used to deliver payloads onto the victims’ systems. In some cases, Mexican governmental documents, Mexican social security numbers, and tax returns were also leveraged to execute the attack. 
  • Researchers note that since April, threat actors have changed names or variations of some executables for their own understanding. 


Researchers highlight that the cryptomining campaign first came to light in June due to the big number of loaders. It is still ongoing. Security teams can monitor the campaign by identifying IOCs provided in the list.  
Cyware Publisher