Crackonosh virus mined $2 million of Monero from 222,000 hacked computers


Level 85
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
A previously undocumented Windows malware has infected over 222,000 systems worldwide since at least June 2018, yielding its developer no less than 9,000 Moneros ($2 million) in illegal profits.

Dubbed "Crackonosh," the malware is distributed via illegal, cracked copies of popular software, only to disable antivirus programs installed in the machine and install a coin miner package called XMRig for stealthily exploiting the infected host's resources to mine Monero.

At least 30 different versions of the malware executable have been discovered between Jan. 1, 2018, and Nov. 23, 2020, Czech cybersecurity software company Avast said on Thursday, with a majority of the victims located in the U.S., Brazil, India, Poland, and the Philippines.

Crackonosh works by replacing critical Windows system files such as serviceinstaller.msi and maintenance.vbs to cover its tracks and abuses the safe mode, which prevents antivirus software from working, to delete Windows Defender (and other installed solutions) and turn off automatic updates.

As part of its anti-detection and anti-forensics tactics, the malware also installs its own version of "MSASCuiL.exe" (i.e., Windows Defender), which puts the icon of Windows Security with a green tick to the system tray and runs tests to determine if it's running in a virtual machine.


Staff member
Malware Hunter
Jul 27, 2015
Interesting for sure, extra also because it shows that even AVs like Kaspersky, Bitdefender etc are absolutely powerless in the hands of a reckless user that almost for sure followed those normally very well created instructions that comes along with cracked games and software. Even the use of a SUA ( standard user account ) or turn up UAC to max, won't help. 🤷‍♂️


Level 7
Jul 21, 2017
A similar incident with a hacked python package for cryptomining: