[Figure: wallpaper defacement]
A new investigation by the FortiCNAPP team, part of FortiGuard Labs, has revealed a disturbing evolution in the H2Miner botnet—a longstanding crypto-mining threat first identified in 2019. This time, it’s paired with a new ransomware variant called Lcrypt0rx, believed to have been generated using artificial intelligence.
The FortiCNAPP team traced recent malicious activity to a cluster of Virtual Private Servers (VPS) running Monero mining operations. These servers were linked to H2Miner, a crypto-mining botnet notorious for repurposing vulnerable systems to generate illicit cryptocurrency revenue.
What’s new? The infrastructure now includes Lcrypt0rx, a variant of the VBScript-based Lcryx ransomware family. “This is the first documented instance of operational overlap between H2miner and Lcryx,” FortiGuard researchers noted.
Lcrypt0rx is a technical oddity. Unlike mature ransomware strains, it displays numerous illogical behaviors and code errors. The FortiCNAPP team strongly suspects it was created using generative AI:
“Multiple functions are repeated throughout the script with no clear reason… The code includes syntax errors and malformed lines such as WshShell.RegWriteWshShell.RegWrite.”
Using tools like AI Code Detector and ZeroGPT, the researchers confirmed with 85–90% confidence that the script was AI-generated. But if Lcrypt0rx is a machine-made malware, it’s not a very smart one.
Highlights of its technical flaws include:
- Broken persistence mechanisms that fail due to missing execution context.
- Malformed TOR address in the ransom note that doesn’t comply with onion service specs.
- Incorrect attempts to disable Bitdefender and Kaspersky, attributed to “LLM hallucinations.”
- Absurd functionality like opening encrypted files in Notepad.
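The malformed TOR address is a useful reminder that indicators lifted from ransom notes should be checked against the onion-service address format before they are filed as IoCs. The Python below is an added example, not code from the FortiCNAPP report (which does not quote the broken address): it classifies an address as a well-formed v3 service, a retired v2 address, or invalid, checking the v3 version byte and the SHA3-256 checksum that the Tor address layout prescribes. The `make_v3_onion` helper and the sample addresses are constructed here for the demonstration.

```python
"""Classify a .onion address against the Tor onion-service address formats.

Added example for validating indicators extracted from ransom notes.  Not part
of the FortiGuard write-up and not the malformed address it describes.

v3 layout (Tor rend-spec-v3):
    onion_address = base32(PUBKEY[32] | CHECKSUM[2] | VERSION[1]) + ".onion"
    CHECKSUM      = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    VERSION       = 0x03
which yields a 56-character base32 label.  Legacy v2 addresses were 16 base32
characters and were retired by the Tor network in 2021.
"""
import base64
import hashlib
import re
from typing import Tuple

_B32_V3 = re.compile(r"^[a-z2-7]{56}$")
_B32_V2 = re.compile(r"^[a-z2-7]{16}$")
_V3_VERSION = b"\x03"


def _v3_checksum(pubkey: bytes, version: bytes) -> bytes:
    """Two-byte checksum that binds the key and version in a v3 address."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def classify_onion(address: str) -> Tuple[str, str]:
    """Return (status, reason); status is 'v3', 'v2-legacy' or 'invalid'."""
    addr = address.strip().lower()
    if not addr.endswith(".onion"):
        return "invalid", "missing .onion suffix"
    # Keep only the service label (subdomain labels in front are allowed).
    label = addr[: -len(".onion")].rsplit(".", 1)[-1]
    if _B32_V2.fullmatch(label):
        return "v2-legacy", "16-character v2 address; no longer served by Tor"
    if not _B32_V3.fullmatch(label):
        return "invalid", f"label must be 56 base32 chars (got {len(label)})"
    raw = base64.b32decode(label.upper())  # 56 chars -> 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != _V3_VERSION:
        return "invalid", f"version byte {version.hex()} is not 03"
    if _v3_checksum(pubkey, version) != checksum:
        return "invalid", "checksum mismatch"
    return "v3", "well-formed v3 onion address"


def make_v3_onion(pubkey: bytes) -> str:
    """Build a v3 address from a 32-byte public key (used to construct test data)."""
    if len(pubkey) != 32:
        raise ValueError("v3 addresses encode a 32-byte ed25519 public key")
    raw = pubkey + _v3_checksum(pubkey, _V3_VERSION) + _V3_VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"


if __name__ == "__main__":
    # Constructed samples: a synthetic v3 address, a corrupted copy, a v2-shaped label.
    sample = make_v3_onion(bytes(range(32)))
    for candidate in (sample, sample[:-7] + "e.onion", "abcdefghijklmnop.onion", "ransom.onion"):
        print(candidate, "->", classify_onion(candidate))
```

Any note whose address fails this check can be flagged as decoration rather than a live contact channel, which is exactly the finding the researchers report here.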
The infrastructure behind the campaign spans multiple VPS providers and leverages tools like Kinsing, Cobalt Strike, DCRat, and Lumma Stealer. Among the tactics used:
- Exploiting container environments by killing miner-related Docker images.
- Targeting cloud defenses, particularly Alibaba Cloud Security Center.
- Establishing persistence via cron jobs and shell scripts that clear logs to evade detection.
One PowerShell script (1.ps1) exemplifies this overlap between cryptojacking and ransomware:
“Notably, this XMRig miner is also deployed by the Lcrypt0rx ransomware variant.”
The Monero wallet associated with the mining operation was previously observed in H2Miner campaigns, indicating actor continuity.
Lcrypt0rx doesn’t just encrypt files. It actively disables user interfaces, locks keyboard input, reverses mouse buttons, and disrupts admin tools like Task Manager and Regedit. It even drops redundant VBScript and BAT files to maintain presence on the infected host—many of which attempt denial-of-service attacks or display ransom messages in loops.
The malware downloads a threatening image from krakenfiles.com and sets it as the desktop background. The ransom note, demanding $1,000 in Monero, is dropped in multiple folders but points to a broken TOR address.
“Combined with the use of simple XOR encryption, this makes recovery trivial through basic cryptanalysis,” FortiCNAPP explains.