The Cybereason Security Services Team has exposed a stealthy, financially motivated campaign dubbed “Tangerine Turkey,” which uses VBScript-based worms to spread laterally through removable USB drives and deploy unauthorized cryptocurrency miners across compromised networks.
First identified in late 2024, Tangerine Turkey has since evolved into a globally active cryptomining operation, indiscriminately targeting organizations across industries.
As Cybereason notes, “Tangerine Turkey is a cryptomining campaign leveraging VBScript and batch files to gain persistence, evade defenses, and deploy coin-mining payloads across victim environments.” The threat actor’s activities suggest a focus on financial gain through illicit Monero (XMR) mining, achieved by abusing open-source software like XMRig.
While no evidence currently links the campaign to ransomware deployment, researchers warn that the group’s “ability to achieve persistence and move laterally poses broader security risks,” potentially paving the way for more destructive payloads in future intrusions.
According to Cybereason’s endpoint detection telemetry, Tangerine Turkey spreads primarily through infected USB drives. When the removable media is connected, Windows automatically executes a malicious VBScript via wscript.exe, triggering the attack chain.
In one observed case, the malicious script resided at E:\rootdir\x817994.vbs on the mounted removable drive. The script then launches cmd.exe to run a batch file (x966060.bat) that continues the infection sequence:
“The attack begins when wscript.exe executes a malicious VBScript located on the removable drive… This VBScript serves as the initial dropper, responsible for launching a secondary batch file by spawning cmd.exe.”
Cybereason highlights how Tangerine Turkey weaponizes legitimate Windows binaries (LOLBins) such as printui.exe, wscript.exe, and xcopy.exe to blend malicious activity with normal system operations.
The batch file abuses printui.exe to sideload a malicious library (svculdr64.dat) and uses xcopy.exe to replicate its components into a fake System32 directory, effectively masquerading as legitimate Windows files. To distract the victim, explorer.exe opens the “USB Drive” window, creating a false sense of routine activity.
Cybereason reports that the attackers also execute obfuscated PowerShell commands to disable security measures. The decoded command Add-MpPreference -ExclusionPath "C:\Windows\System32" adds a Windows Defender exclusion for the System32 directory — a tactical defense evasion maneuver designed to blind antivirus monitoring.
To ensure long-term access, the malware establishes persistence via malicious Windows services and scheduled tasks. The attackers create a rogue service named x665422, pointing to a malicious DLL that runs under the legitimate svchost.exe process.
The final payload, console_zero.exe, is stored in the System32 directory and configured to run at every user logon with elevated privileges. The coin-mining executable uses XMRig to mine Monero (XMR), silently consuming system resources and degrading performance.
In an apparent attempt to erase forensic evidence, Tangerine Turkey attempts to delete staging artifacts and even tries to remove the Windows directory — though a path manipulation error prevents it from succeeding.
“The malware attempts cleanup operations by deleting the staging file svculdr64.dat and issuing a command to remove the Windows directory,” the report states, calling it an anti-analysis tactic designed to frustrate incident response efforts.
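The chain described above (VBScript from removable media, wscript.exe spawning a batch file, printui.exe as a sideload host, xcopy into a fake System32, a Defender exclusion on System32, and elevated logon persistence) maps cleanly onto process-creation telemetry. The following Python sketch is an added illustration, not code from the Cybereason report or from this article: it runs one heuristic per stage over a handful of constructed process events shaped like Sysmon Event ID 1 records. It assumes the obfuscated PowerShell was a base64 -EncodedCommand (the article only says "obfuscated"), assumes a schtasks /sc onlogon /rl highest style task for the logon persistence (the article does not say how the logon run was configured), and uses constructed names (the "Updater" task name and the C:\ProgramData\Windows\System32 fake directory) that do not appear in the report.

```python
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record, shaped like the fields a Sysmon
    Event ID 1 or EDR process event would provide (constructed)."""
    parent_image: str
    image: str
    command_line: str


REAL_SYSTEM32 = r"c:\windows\system32"


def decode_encoded_powershell(command_line: str) -> str:
    """If the command line carries a base64 UTF-16LE -EncodedCommand payload,
    return the decoded script; otherwise return the command line unchanged.
    The report only says the PowerShell was obfuscated; base64 encoding is
    assumed here as the common case."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                  command_line, re.I)
    if not m:
        return command_line
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return command_line


def vbs_drive(command_line: str) -> str:
    """Lower-case drive letter of the first .vbs path in the command line."""
    m = re.search(r'([A-Za-z]):\\[^"\s]*\.vbs', command_line, re.I)
    return m.group(1).lower() if m else ""


def detect(events):
    """Apply one heuristic per stage of the reported chain.
    Returns (rule, image, command_line) tuples in event order."""
    findings = []
    for ev in events:
        image, parent = ev.image.lower(), ev.parent_image.lower()
        cl = ev.command_line.lower()
        hit = None
        # Stage 1: wscript.exe running a .vbs that lives off the system drive
        if image.endswith("wscript.exe") and vbs_drive(ev.command_line) not in ("", "c"):
            hit = "vbs_run_from_non_system_drive"
        # Stage 2: wscript.exe spawning cmd.exe to run a batch file
        elif image.endswith("cmd.exe") and parent.endswith("wscript.exe") and ".bat" in cl:
            hit = "wscript_spawns_batch"
        # Stage 3: printui.exe started from a batch context (DLL sideload host)
        elif image.endswith("printui.exe") and parent.endswith("cmd.exe"):
            hit = "printui_from_cmd"
        # Stage 4: xcopy whose destination is named System32 but is not the real one
        elif image.endswith("xcopy.exe"):
            dest = cl.split()[-1].strip('"')
            if "system32" in dest and not dest.startswith(REAL_SYSTEM32):
                hit = "xcopy_to_fake_system32"
        # Stage 5: Defender exclusion on System32, visible only after decoding
        elif image.endswith("powershell.exe"):
            script = decode_encoded_powershell(ev.command_line).lower()
            if "add-mppreference" in script and "-exclusionpath" in script and "system32" in script:
                hit = "defender_exclusion_system32"
        # Stage 6: scheduled task at logon with the highest run level (assumed form)
        elif image.endswith("schtasks.exe") and "/sc onlogon" in cl and "/rl highest" in cl:
            hit = "elevated_logon_task"
        if hit:
            findings.append((hit, ev.image, ev.command_line))
    return findings


# Constructed sample: the decoded command from the article, base64/UTF-16LE encoded
ENCODED_EXCLUSION = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Windows\\System32"'.encode("utf-16-le")
).decode("ascii")

SYS = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed events; paths and names are illustrative
    ProcessEvent("explorer.exe", SYS + r"\wscript.exe", f'"{SYS}\\wscript.exe" "E:\\rootdir\\x817994.vbs"'),
    ProcessEvent(SYS + r"\wscript.exe", SYS + r"\cmd.exe", r'cmd.exe /c "E:\rootdir\x966060.bat"'),
    ProcessEvent(SYS + r"\cmd.exe", SYS + r"\printui.exe", "printui.exe"),
    ProcessEvent(SYS + r"\cmd.exe", SYS + r"\xcopy.exe",
                 r'xcopy.exe /y E:\rootdir\svculdr64.dat "C:\ProgramData\Windows\System32"'),
    ProcessEvent(SYS + r"\cmd.exe", SYS + r"\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc " + ENCODED_EXCLUSION),
    ProcessEvent(SYS + r"\cmd.exe", SYS + r"\schtasks.exe",
                 f'schtasks.exe /create /tn Updater /tr "{SYS}\\console_zero.exe" /sc onlogon /rl highest /f'),
    ProcessEvent("explorer.exe", SYS + r"\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-Date"),
    ProcessEvent("explorer.exe", SYS + r"\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for rule, image, cmd in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {image}  ::  {cmd[:70]}")
```

Each stage is flagged on its own, so a single hit is only a lead; the value for triage is the sequence, in particular a .vbs run from a non-system drive followed within the same session by a Defender exclusion on System32 or by an elevated logon task. The xcopy rule keys on the destination path rather than the whole command line, so a legitimate copy out of the real System32 does not trip it.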