Microsoft Warns Of Strange Malware Targeting Windows, Linux

July 26, 2021

The LemonDuck crypto mining malware, which targets both Windows and Linux systems, spreads through phishing emails, exploits, USB devices, and brute force attacks, including attacks targeting critical on-premise Exchange Server vulnerabilities that were uncovered in March.

According to Microsoft, LemonDuck first hit China hard and has now spread to the U.S., Russia, Germany, the U.K., India, Korea, Canada, France and Vietnam. It mainly attacks computer systems in the manufacturing and IoT sectors.

LemonDuck uses automated tools to scan, detect and exploit servers before loading payloads such as the Cobalt Strike pen-testing kit – a lateral motion tool – and web shells, allowing malware to be installed in additional modules.

The group behind LemonDuck exploits high-profile security bugs by exploiting older vulnerabilities at a time when security teams are focused on fixing critical bugs and removing competing malware.

The group is said to be using Exchange bugs to mine for cryptocurrency in May, two years after it began operations.

LemonDuck got its name from the variable “Lemon _ Duck” in a PowerShell script that acts as a user agent to track compromised devices.

Vulnerabilities that could be considered for a first compromise include CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon), and CVE-2021-27065 (ProxyLogon).

For more information, read the original story in ZDNet.

Top Stories

Related Articles

June 9, 2026 Hackers exploited Meta’s AI-powered support chatbot to gain control of Instagram accounts, including several high-profile profiles. Meta more...

June 5, 2026 Security researchers have disclosed a new denial-of-service attack called HTTP/2 Bomb that can overwhelm major web servers more...

May 20, 2026 The Cybersecurity and Infrastructure Security Agency, the arm of the U.S. government tasked with protecting critical infrastructure more...

May 11, 2026 Instructure has restored access to its Canvas learning platform after a cyberattack disrupted service for universities and more...

Picture of TND News Desk

TND News Desk

Staff writer for Tech Newsday.
Picture of TND News Desk

TND News Desk

Staff writer for Tech Newsday.

Jim Love

Jim is an author and podcast host with over 40 years in technology.

Share:
Facebook
Twitter
LinkedIn