PUA:Linux/CoinMiner.K - Windows Defender Threat Analysis

=== THREAT ANALYSIS REPORT ===
Threat Name: PUA:Linux/CoinMiner.K
Classification:
Type: PUA
Platform: Linux
Family: CoinMiner
Detection Type: Concrete (known malware family with identified signatures)
Variant: K (specific signature variant within the malware family)
Confidence: Very High
False-Positive Risk: Low

Concrete signature match: PUA for Linux platform, family CoinMiner

Summary:

PUA:Linux/CoinMiner.K is a cryptocurrency miner designed to covertly exploit the CPU resources of Linux systems for unauthorized Monero mining. It leverages standard mining protocols and pools like NiceHash, with associated Windows-specific strings indicating a potential multi-platform attack or a Windows-based dropper component deploying the Linux miner.

Severity: Critical
VDM Static Detection:
Relevant strings associated with this threat:
 - tracking.huijang.com/api.php (PEHSTR_EXT)
 - nvsrvc32.exe (PEHSTR_EXT)
 - realsched.exe (PEHSTR_EXT)
 - jusched.exe (PEHSTR_EXT)
 - mcshield.exe (PEHSTR_EXT)
 - %s://%s%s%s:%hu%s%s%s (PEHSTR_EXT)
 - WindowsSecurityService.pdb (PEHSTR_EXT)
 - xai830k.com (PEHSTR_EXT)
 - !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
 - rundll32 (PEHSTR_EXT)
 - !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
 - InvokeV (PEHSTR_EXT)
 - !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
 - WH_KEYBOARD (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
 - !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
 - !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
 - !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
YARA Rule:
rule PUA_Linux_CoinMiner_K_305478_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "PUA:Linux/CoinMiner.K"
        threat_id = "305478"
        type = "PUA"
        platform = "Linux: Linux platform"
        family = "CoinMiner"
        severity = "Critical"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "4"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = "proc/cpuinfo" ascii //weight: 1
        $x_1_2 = "max-cpu-usage" ascii //weight: 1
        $x_2_3 = "stratum+tcp://" ascii //weight: 2
        $x_2_4 = "nicehash.com" ascii //weight: 2
        $x_2_5 = {6d 69 6e 65 78 6d 72 2e [0-3] 3a}  //weight: 2, accuracy: Low
        $x_2_6 = "Try `minerd --help" ascii //weight: 2
    condition:
        (filesize < 20MB) and
        (
            ((1 of ($x_2_*) and 2 of ($x_1_*))) or
            ((2 of ($x_2_*))) or
            (all of ($x*))
        )
}
Known malware associated with this threat:
Filename: docker-cache
SHA-256: e03cf2af46ad1fe590e63f0020243c6e8ae94f074e65ace18c6d568283343dac
Date: 09/01/2026
Remediation Steps:
Isolate the affected Linux system, then identify and remove the coin miner executable and its persistence mechanisms (e.g., cron jobs, systemd services). Patch all operating system and software vulnerabilities and enhance security configurations to prevent future compromise.
=== END REPORT ===
This analysis was last updated on 09/01/2026.