Skip to content
July 18, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Weekly Recap
Light/Dark Button
  • Home
  • News
  • Malware
  • New PyRoMine malware exploits NSA vulnerabilities to mine Monero
  • Malware

New PyRoMine malware exploits NSA vulnerabilities to mine Monero

Do Son April 27, 2018 4 minutes read
PyRoMine malware
Add Daily CyberSecurity as a preferred source on Google

The security company Fortinet posted in its blog post on Tuesday that their FortiGuard laboratory research team recently discovered a very destructive new type of malware. It will not only deploy the Monero Miner (XMRig) on infected Windows devices, but it will also disable the security features on Windows systems, which will undoubtedly cause infected devices to be exposed to other network threats. The reason why these malicious functions can be realized comes from the fact that it uses a security hole leaked by the National Security Agency (NSA)—Eternal Romance.

In 2016, a Shadow Brokers hacking group claimed to have succeeded in hacking another hacking organization associated with the US National Security Agency, the Equation Group, and leaking it from the organization. Some hacking tools and zero-day exploits.

On April 14, 2017, Shadow Brokers again released a series of “attack weapons” that included the EternalRomance vulnerability. Essentially, this is a Remote Code Execution (RCE) vulnerability that abuses the legacy SMBv1 file-sharing protocol and affects almost all versions of Windows systems, including Windows XP/Vista/8.1/7/10 and Windows Server 2003. /2008/2012/2016.

Having said this, we have to mention another NSA vulnerability, Eternal Blue, which is similar to EternalRomance and is also based on the Windows Network Sharing Protocol SMB. In general, file sharing on SMB is only used on the local network. Unfortunately, many organizations have exposed SMBv1 to the Internet, which is why WannaCry and NotPetya ransomware attacks based on these two loopholes can cause major economic losses to global companies.

We want to emphasize that whether it is EternalBlue or EternalRomance, Microsoft has released a fix for such vulnerabilities on March 14, 2017, through Security Bulletin MS17-010. In order to avoid becoming a victim of our own, it seems that we need to maintain timely security updates.

The malware discovered by FortiGuard Labs research team was named “PyRoMine”, a cryptocurrency mining malware developed based on the Python language.

This malware is considered extremely destructive because it has the ability to disable the system’s security features to bypass security detection and spread itself without the victim’s knowledge. Worse, it can also use Remote Desktop Protocol (RDP) on infected systems to open the door for further attacks.

Researchers said that they discovered PyRoMine through a malicious URL that can be downloaded as a zip file. This file contains an executable file compiled with PyInstaller. PyInstaller is a program that packages programs written in Python as separate executables, which means that you can execute Python programs without installing a Python environment on the affected device.

The EternalRomance exploit code used by the attacker came from the Exploit database site and they only partially modified it. But this is enough to enable them to complete PyRoMine’s self-propagation and gain SYSTEM authority.

The payload of the attack is downloaded from another malicious URL. This is a malicious VBScript script file named “agent.vbs” which downloads and starts the mining program (xmrigMiner32.zip or xmrigMiner64.zip) and the infected system. Make some settings.

Fortinet wrote in the blog post: “The malicious VBS file sets a default account with a password of ‘P@ssw0rdf0rme’ and adds this account to local groups ‘Administrators’, ‘Remote Desktop Users’ ‘and ‘Users’, then enable RDP and add firewall rules to allow traffic on RDP port 3389. In addition, it also disables the Windows Update service and starts the Remote Access Connection Manager service. Finally, it configures Windows Remote Manage services to enable basic authentication and allow the transmission of unencrypted data, which will undoubtedly cause infected devices to be exposed to other network threats.”

Researchers said they tracked the Monero coin wallet address used by the attacker. The attacker has collected about 2.4 Monero coins, worth about $650.

However, the researchers believe that this is only one of the addresses and there may be many other addresses. Therefore, at present, we cannot know how much profit the attacker has made so far.

In addition, the attacker is still improving PyRoMine, which may be to make more profits.

Related coverage

  • Crypto Clipboard Hijacker Hides Behind Fake Stars and Upvotes
  • The ‘Human Verification’ Trap: ClickFix Campaign Hijacks Trusted Sites to Deploy MIMICRAT
  • North Korea’s KONNI APT Hijacks Google Find Hub to Remotely Wipe and Track South Korean Android Devices
  • Leaked LockBit Tools: Novice Hackers Target Vulnerabilities
  • Phishing Alert: Cybercriminals Deploy SapphireRAT via Legal Notices
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: PyRoMine malware

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-6875CVSS 9.5
    ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability...
    Admin intel📅 Updated: Jul 18, 2026
  • CVE-2026-39808CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-25089CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-58644CVSS 9.8
    Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2023-4346CVSS 7.5
    KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to...
    CISA KEV📅 Added to KEV: Jul 15, 2026
  • CVE-2026-53362
    In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-46242CVSS 7.8
    In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-56155CVSS 7.8
    Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate...
    CISA KEV📅 Added to KEV: Jul 14, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-16117CVSS 10.0
    Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the...
  • CVE-2026-47865CVSS 9.8
    VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user...
  • CVE-2026-55518CVSS 9.6
    Avo is a framework to create admin panels for Ruby on Rails...
  • CVE-2026-54159CVSS 10.0
    PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0...
  • CVE-2026-48062CVSS 9.8
    CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in...
  • CVE-2026-13446CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password...
  • CVE-2026-8859CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to...
  • CVE-2026-8635CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges...
  • CVE-2026-8505CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook...
  • CVE-2026-8476CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.