Some of the final payloads overlap with previously reported threats, such as #Truebot (#downloader, often linked to Cl0p #ransomware), #Buhti (ransomware), #MoneroOcean (a #coinminer, discussed here: https://news.sophos.com/en-us/2021/12/02/two-flavors-of-tor2mine-miner-dig-deep-into-networks-with-powershell-vbscript/), and #Mirai (a #botnet #worm).

One such example of a #miner, shown in the screenshot below, details the commands to terminate the processes and services used by other, competing malicious miners before launching their own #Monero (#XMR) mining software. This cynical form of 'capture the flag' is commonplace behavior among the threat actor groups who deploy and maintain hostile miners.

5/6

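As an added illustration of the "kill the rival miners, then start your own" behaviour the post describes (this is example code written for this page, not Sophos code and not taken from the screenshot), the detector below walks process-creation events per host and raises an alert when a burst of process or service terminations is followed within a short window by a process launched with mining-pool-style arguments (a `stratum+tcp://` URL, a `--donate-level` flag, or a pool plus a 95-character Monero-format wallet). The event format, host names, process and service names, pool hostname and wallet string are all constructed for the example.

```python
"""Flag a burst of process/service kills followed by a miner launch, per host."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample wallet in Monero's public-address shape (95 base58 chars,
# leading '4'); it is a placeholder, not a real address.
CONSTRUCTED_WALLET = "4" + "A" * 94

# Constructed process-creation events: timestamp|host|command line.
# Process, service and pool names are invented for the example.
SAMPLE_EVENTS = [
    "2021-12-01T10:00:01|srv1|cmd.exe /c taskkill /f /im rivalminer.exe",
    "2021-12-01T10:00:02|srv1|sc stop rivalsvc",
    "2021-12-01T10:00:03|srv1|cmd.exe /c taskkill /f /im othercoin.exe",
    f"2021-12-01T10:00:09|srv1|C:\\Windows\\Temp\\upd.exe -o pool.example:3333 -u {CONSTRUCTED_WALLET} --donate-level 1",
    "2021-12-01T10:05:00|srv2|taskkill /f /im notepad.exe",  # lone kill, no launch: no alert
    "2021-12-01T11:30:00|srv3|pkill -9 -f rivalminer",
    "2021-12-01T11:30:01|srv3|pkill -9 -f othercoin",
    "2021-12-01T11:30:05|srv3|/tmp/.x/run -o stratum+tcp://pool.example:4444 -k --tls",
]

# Termination commands and the name of what they stop (capture group 1).
KILL_PATTERNS = [
    re.compile(r"taskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.I),   # Windows process kill
    re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.I),         # Windows service stop
    re.compile(r"\bpkill\b(?:\s+-\S+)*\s+(\S+)"),               # Linux kill by name/pattern
    re.compile(r"\bkillall\b(?:\s+-\S+)*\s+(\S+)"),
]

# Command-line traits typical of a mining client being pointed at a pool.
MINER_PATTERNS = [
    re.compile(r"stratum\+(?:tcp|ssl)://", re.I),
    re.compile(r"--donate-level\b", re.I),
    re.compile(r"-o\s+\S+:\d+\b.*\s-u\s+[48][1-9A-HJ-NP-Za-km-z]{94}\b"),
]


@dataclass
class Alert:
    host: str
    killed: list          # names of processes/services terminated before the launch
    launch_cmd: str
    first_kill: datetime
    launch_time: datetime


def parse_event(line):
    ts, host, cmd = line.split("|", 2)
    return datetime.fromisoformat(ts), host, cmd


def killed_target(cmd):
    """Return the process/service name a termination command targets, else None."""
    for pat in KILL_PATTERNS:
        m = pat.search(cmd)
        if m:
            return m.group(1)
    return None


def looks_like_miner_launch(cmd):
    return any(p.search(cmd) for p in MINER_PATTERNS)


def detect(lines, window=timedelta(minutes=10), min_kills=2):
    """Alert when >= min_kills terminations on a host precede a miner launch within window."""
    recent = defaultdict(list)  # host -> [(timestamp, killed name)]
    alerts = []
    for ts, host, cmd in sorted(parse_event(line) for line in lines):
        target = killed_target(cmd)
        if target is not None:
            recent[host].append((ts, target))
            continue
        if looks_like_miner_launch(cmd):
            kills = [(t, n) for t, n in recent[host] if ts - t <= window]
            if len(kills) >= min_kills:
                alerts.append(Alert(host, [n for _, n in kills], cmd, kills[0][0], ts))
            recent[host].clear()  # a launch ends the sequence either way
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.host}: killed {a.killed} then launched: {a.launch_cmd}")
```

Requiring the kill burst and the launch on the same host within a few minutes is what keeps a single administrative `taskkill` (the srv2 line) from alerting; in production the same logic would run over Sysmon Event ID 1 or auditd execve records instead of the constructed lines.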