Blue Mockingbird (G0108): Persistent Cryptomining Threat
- Suspected Origin
- Unknown
- Motivation
- Financial Gain
- Aliases
- None documented
- Target Sectors
- Healthcare, IT Service Providers, Unspecified (enterprises with public-facing web servers)
- Associated Malware
- XMRIG, JuicyPotato, Mimikatz, frp, SSF, Venom, Cobalt Strike
Overview
Blue Mockingbird, tracked as G0108, represents a persistent and opportunistic cluster of activity primarily focused on deploying Monero cryptocurrency-mining payloads on Windows systems. Our earliest observations of this group’s tools date back to December 2019. This group’s primary motivation is financial gain through illicit cryptomining, leveraging compromised systems’ resources to generate Monero.
Blue Mockingbird typically targets public-facing web servers, particularly those running ASP.NET applications that utilize the Telerik UI framework. This approach allows them to cast a wide net, making victims out of a diverse array of enterprises, from healthcare organizations to IT service providers. While no specific country or state attribution has been identified, the group’s actions suggest a cybercrime-driven agenda rather than state-sponsored activity. Initial reports highlighted widespread infections across thousands of enterprise systems globally, with specific campaigns noted in regions like India.
Tactics & Techniques
Blue Mockingbird demonstrates a consistent and effective set of tactics, techniques, and procedures (TTPs) for gaining and maintaining access, escalating privileges, and achieving their cryptomining objectives.
Initial access is frequently achieved by exploiting public-facing web applications. A common vector is the deserialization vulnerability, CVE-2019-18935, found in Telerik UI for ASP.NET AJAX. Once this vulnerability is exploited, the adversary often deploys a web shell, which serves as their initial foothold on the compromised server.
Following initial access, Blue Mockingbird prioritizes privilege escalation to gain higher-level control over the system. They consistently employ the JuicyPotato technique to escalate privileges from an IIS Application Pool Identity virtual account to the more powerful NT Authority\SYSTEM account. This critical step allows them broader access and the ability to make significant system modifications.
For persistence, the group utilizes several robust mechanisms to ensure their malicious operations survive reboots and defender attempts at remediation. A notable technique is the COR_PROFILER COM hijack, which involves modifying Windows Registry entries and using wmic.exe to set environment variables. This ensures a malicious DLL executes whenever a .NET Common Language Runtime (CLR) process loads. They also establish persistence by configuring their XMRIG payloads as legitimate Windows Services and creating scheduled tasks, sometimes remotely using schtasks.exe /S. In some instances, they have been observed using mofcomp.exe to establish WMI Event Subscription persistence. Batch script files are often used to automate payload execution and deployment, and to modify existing services for persistence.
Defense evasion is built into their approach. Blue Mockingbird attempts to masquerade its XMRIG payload by naming it wercplsupporte.dll, closely resembling the legitimate wercplsupport.dll. They also obfuscate the Monero wallet address within their payload binaries. Security researchers note that many of Blue Mockingbird’s techniques are designed to bypass whitelisting technologies.
For credential access, the group has been observed using tools like Mimikatz to extract credentials from LSASS memory. They also perform discovery by collecting hardware details, including CPU and memory information, from victim systems.
Lateral movement is a key phase, as Blue Mockingbird aims to spread its mining operations across the enterprise. They commonly use the Remote Desktop Protocol (RDP) to access privileged systems and then leverage Windows Explorer to manually copy malicious files to remote hosts via SMB/Windows Admin Shares.
Execution of their cryptomining payloads is flexible. They use rundll32.exe to explicitly call DLL exports (such as fackaaxv), and regsvr32.exe with the /s option to execute custom-compiled XMRIG miner DLLs. In more recent activity, Blue Mockingbird has been seen deploying Cobalt Strike as a first-stage executable to run encoded PowerShell commands, indicating an evolution in their toolkit for initial execution and potentially broader post-compromise activities. They also use PowerShell reverse TCP shells to issue interactive commands over the network.
Command and control (C2) infrastructure shows some experimentation; the group has been observed using various proxy tools such as Fast Reverse Proxy (frp), Secure Socket Funneling (SSF), and Venom to establish SOCKS proxies for pivoting within compromised networks.
The impact of a Blue Mockingbird infection primarily revolves around the abuse of computing resources for Monero mining, leading to significant drains on system performance and increased electricity costs for affected organizations. Furthermore, their ability to establish a persistent foothold and deploy versatile tools like Cobalt Strike means there’s a latent risk of other malicious activities, such as data theft or ransomware, beyond their core cryptomining objective.
Notable Campaigns
Blue Mockingbird’s activity first came to widespread public attention following a detailed report by Red Canary in May 2020, which outlined the group’s operations observed since December 2019. These initial campaigns focused heavily on the exploitation of the Telerik UI vulnerability (CVE-2019-18935) to deploy XMRIG miners.
In July 2020, reports emerged of cryptomining campaigns in India targeting public-facing servers, which exhibited TTPs that strongly aligned with those used by Blue Mockingbird, suggesting a global reach and consistent methodology.
More recently, activity associated with Blue Mockingbird continued to be observed through 2020 and 2021, with a notable resurfacing in May 2022. During these later campaigns, the group was found to be not only deploying Monero cryptocurrency miners but also infecting targets with Cobalt Strike beacons, indicating an expansion of their post-exploitation capabilities and potential for more sophisticated follow-on attacks.
Associated Malware & Tools
Blue Mockingbird employs a mix of custom-compiled and publicly available tools to facilitate their operations:
- XMRIG: This open-source Monero cryptocurrency miner is the primary payload, often packaged as a DLL.
- JuicyPotato: A widely known tool used for privilege escalation, enabling the group to elevate privileges to NT Authority\SYSTEM.
- Mimikatz: Utilized for credential access, specifically to retrieve sensitive authentication material from LSASS memory.
- Web Shells: Deployed as an initial foothold after exploiting public-facing applications.
- Proxy Tools (frp, SSF, Venom): These tools, including Fast Reverse Proxy (frp), Secure Socket Funneling (SSF), and Venom, are used to establish SOCKS proxies for command and control and lateral movement within compromised networks.
- Cobalt Strike: More recent observations indicate the deployment of Cobalt Strike beacons, serving as a versatile tool for remote access, reconnaissance, and further payload execution.
- PowerShell Reverse TCP Shells: Used for interactive command execution over network connections.
Current Status
Blue Mockingbird remains an active threat. While initially identified in late 2019, reports from Red Canary and other security researchers indicate continued activity through 2020, 2021, and a resurgence of campaigns in May 2022. The group’s continued reliance on the CVE-2019-18935 vulnerability, alongside the addition of more sophisticated tools like Cobalt Strike, demonstrates their adaptive nature. The inclusion of Blue Mockingbird as an ongoing “activity cluster” in Red Canary’s 2025 Threat Detection Report further underscores that this group continues to be monitored as an active or recurring threat. Organizations with unpatched Telerik UI for ASP.NET AJAX installations remain particularly vulnerable to their opportunistic attacks.
Related content
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call