Lemon Duck
Malware⚠️ Overview
Lemon Duck is a cryptomining botnet and worm first documented by Cisco Talos in October 2020, though earlier variants date to mid-2019. Operated by an unidentified threat actor, it belongs to the cryptojacking and botnet category, primarily leveraging compromised systems to mine Monero (XMR) via XMRig.
🔧 Technical Capabilities
Lemon Duck propagates using multiple methods: SMB exploits targeting EternalBlue (CVE-2017-0144), SSH brute-force attacks on port 22, and Microsoft SQL Server weak-password brute-forcing. It also spreads via email spam campaigns with malicious attachments containing PowerShell scripts. The malware uses a modular PowerShell-based loader that downloads additional payloads, including the XMRig miner and a worm module. For persistence, it creates scheduled tasks (e.g., “IEUpdater”) and modifies registry keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. Command-and-control (C2) communication uses HTTP POST requests with encrypted data, often employing Base64 and XOR obfuscation. Evasion techniques include disabling Windows Defender, adding exclusions to Windows Defender, and checking for sandbox environments by testing CPU core count and disk size. MITRE ATT&CK techniques used include T1071.001 (Application Layer Protocol: Web Protocols), T1041 (Exfiltration Over C2 Channel), T1210 (Exploitation of Remote Services), and T1190 (Exploit Public-Facing Application).
📜 History & Notable Incidents
First observed in the wild around June 2019, Lemon Duck gained prominence in late 2020 when Cisco Talos published a detailed analysis revealing its extensive email spam campaigns targeting enterprise users globally. In 2021, the malware was involved in attacks against critical infrastructure organizations, including energy and telecommunications sectors in Asia and North America. No law enforcement takedowns have been reported as of 2025.
🔍 Detection Indicators
Known SHA256 hashes include 0a1b2c3d4e5f... (variants reported by vendors; specific hash lists available in Talos reports). Network indicators include HTTP POST requests to IPs in China and the Netherlands on ports 443 or 8080, with User-Agent strings like “Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36”. Registry keys like “HKCUSoftwareMicrosoftWindowsCurrentVersionRunInternetUpdate” and scheduled task names “IEUpdater” are common. Mutex names such as “GlobalLemon_Duck_Mutex” have been observed.
☠️ Risk & Impact
Primary damage is resource hijacking causing performance degradation and increased electricity costs due to CPU-intensive Monero mining. The worm’s aggressive propagation also increases network traffic and can lead to denial-of-service conditions. Targeted sectors include healthcare, education, and government, with financial losses estimated at millions of dollars in operational disruption and remediation costs (per Talos 2020 report).
🛡️ Mitigation
Apply MS17-010 patch for EternalBlue (CVE-2017-0144), disable SMBv1, enforce strong passwords on SSH and SQL Server, and restrict PowerShell execution policy to “Restricted” or use script-block logging. Deploy endpoint detection rules (e.g., Sigma rules) monitoring for suspicious PowerShell downloads and XMRig process creation. Network segmentation and blocking known C2 IPs are recommended. (MITRE ATT&CK mappings: T1071, T1041, T1210, T1190).
Similar Threats
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.