{"id":43918,"date":"2021-11-15T00:00:00","date_gmt":"2021-11-15T00:00:00","guid":{"rendered":"urn:uuid:58ecee94-fb14-ebe1-ef07-02c977c99ba0"},"modified":"2021-11-15T00:00:00","modified_gmt":"2021-11-15T00:00:00","slug":"groups-target-alibaba-ecs-instances-for-cryptojacking","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/groups-target-alibaba-ecs-instances-for-cryptojacking\/","title":{"rendered":"Groups Target Alibaba ECS Instances for Cryptojacking"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/groups-target-alibaba-ecs-instances-for-cryptojacking\/cover-groups-target-alibaba-ecs-cryptojacking-641.jpg\"><!-- Begin mPulse library --><!-- END mPulse library --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"We looked at how some malicious groups disable features in Alibaba Cloud ECS instances for illicit mining of Monero.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"cloud,malware,exploits &amp; vulnerabilities,articles, news, reports,privacy &amp; risks,cyber threats,cyber crime\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2021-11-15\"> <meta property=\"article:tag\" content=\"cloud\"> <meta property=\"article:section\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/k\/groups-target-alibaba-ecs-instances-for-cryptojacking.html\"> <title>Groups Target Alibaba ECS Instances for Cryptojacking<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link 
href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.521801975428\"> <!-- \/* Data 
Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1738255489\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.220802919708\">\n<div class=\"article-details\" role=\"heading\" readability=\"35.784671532847\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cloud<\/p>\n<p class=\"article-details__description\">We looked at how some malicious groups disable features in Alibaba Cloud ECS instances for illicit mining of Monero.<\/p>\n<p class=\"article-details__author-by\">By: David Fiser, Alfredo Oliveira <time class=\"article-details__date\">November 15, 2021<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"43.870591427021\">\n<div readability=\"34.710797612588\">\n<p>It\u2019s been known that threat actors are actively exploiting misconfigured Linux-powered servers, regardless of whether they run on-premises or in the cloud. The <a href=\"https:\/\/www.trendmicro.com\/vinfo\/\/tmr\/?\/us\/security\/news\/cybercrime-and-digital-threats\/a-look-at-linux-threats-risks-and-recommendations\">compromised<\/a> devices are mostly used for <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/20\/i\/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html\">cryptojacking purposes<\/a> with the dominance of mining for the digital currency Monero. 
One notorious <a href=\"https:\/\/www.trendmicro.com\/vinfo\/\/tmr\/?\/us\/security\/news\/cybercrime-and-digital-threats\/teamtnt-activities-probed\">example<\/a> is TeamTNT, one of the first hacking groups to shift its focus to cloud-oriented services.<\/p>\n<p>The cryptojacking battlefield is shared by multiple threat actors such as <a href=\"https:\/\/www.trendmicro.com\/en_ph\/research\/20\/k\/analysis-of-kinsing-malwares-use-of-rootkit.html\">Kinsing<\/a> and TeamTNT, among others. Two common characteristics that they share in their code are the removal of competing actors who are also mining for cryptocurrency and the disabling of security features found in the victim machine. This gives them <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/20\/i\/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html\">an advantage<\/a> over the hijacked resources, as in the <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/j\/actors-target-huawei-cloud-using-upgraded-linux-malware-.html#.YWB25boLh44.twitter\">example<\/a> of advanced system sanitation that we identified targeting Huawei Cloud.<\/p>\n<p>In this article, we focus on one common functionality that we found among multiple payloads: the disabling of features inside the Alibaba cloud service provider (CSP). We also look at possible reasons that multiple threat actors and malware routines focused on Alibaba Cloud (also known as Aliyun) and the implications of these illicit mining activities on Alibaba Cloud users.<\/p>\n<p>We have reached out to the Alibaba Cloud Team through their listed contact information prior to the publication of this blog, and we are waiting for their response with regard to this concern.<\/p>\n<p><span class=\"body-subhead-title\">Looking into Alibaba ECS<\/span><\/p>\n<p>Alibaba Elastic Computing Service (ECS) instances come with a preinstalled security agent. As a result, the threat actors try to uninstall it upon compromise. 
This is no surprise, as we have seen similar payloads in the past. However, this time we found specific code in the malware that creates firewall rules to drop incoming packets from IP ranges belonging to internal Alibaba zones and regions.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/groups-target-alibaba-ecs-instances-for-cryptojacking\/figure1-groups-target-alibaba-cloud-cryptojacking.jpg\" alt=\"figure1-groups-target-alibaba-ecs-instances-for-cryptojacking\"><figcaption>Figure 1. One sample of an Alibaba ECS instance with the specific malicious code creating firewall rules<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/groups-target-alibaba-ecs-instances-for-cryptojacking\/figure2-groups-target-alibaba-cloud-cryptojacking.jpg\" alt=\"figure2-groups-target-alibaba-ecs-instances-for-cryptojacking\"><figcaption>Figure 2. Disabling the Alibaba security agent<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37.5\">\n<div readability=\"20\">\n<p>In addition, the default Alibaba ECS instance provides root access. Other CSPs provide different options, ranging from the least privileged ones, such as not allowing Secure Shell (SSH) authentication with a username and password and only allowing asymmetric cryptography authentication, to not allowing the user to log in via SSH directly by default, so a less privileged user is required.<\/p>\n<p>For instance, if the login secrets are leaked, low-privilege access would require attackers to expend more effort to escalate privileges. 
With Alibaba, however, all users have the option to set a password directly for the root user inside the virtual machine (VM).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/groups-target-alibaba-ecs-instances-for-cryptojacking\/figure3-groups-target-alibaba-cloud-cryptojacking.png\" alt=\"figure3-groups-target-alibaba-ecs-instances-for-cryptojacking\"><figcaption>Figure 3. Root permissions on a default ECS instance<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38.5\">\n<div readability=\"22\">\n<p>Security-wise, this contradicts the <b>principle of least privilege,<\/b> and it should be emphasized that a secure configuration is the <b>responsibility of the user<\/b>. We <b>highly recommend<\/b> creating <b>a less privileged user<\/b> for running applications and services within the ECS instance.<\/p>\n<p>In this situation, the threat actor has the highest possible privilege upon compromise, whether the compromise comes through vulnerability exploitation, a misconfiguration issue, weak credentials, or data leakage. Thus, advanced payloads such as kernel module rootkits can be deployed, and persistence can be achieved via running system services. Given this feature, it comes as no surprise that multiple threat actors target Alibaba Cloud ECS simply by inserting a code snippet for removing software found only in Alibaba ECS.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/groups-target-alibaba-ecs-instances-for-cryptojacking\/figure4-groups-target-alibaba-cloud-cryptojacking.png\" alt=\"figure4-groups-target-alibaba-ecs-instances-for-cryptojacking\"><figcaption>Figure 4. 
A diamorphine deployment as an example of high-privilege abuse<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.981194690265\">\n<div readability=\"11.814159292035\">\n<p><span class=\"body-subhead-title\">Cryptojacking Aliyun<\/span><\/p>\n<p>When a cryptojacking malware is running inside Alibaba ECS, the security agent installed will send a notification of a malicious script running. It then becomes the responsibility of the user to stop the ongoing infection and malicious activities. Alibaba Cloud Security provides <a href=\"https:\/\/www.alibabacloud.com\/help\/faq-detail\/41206.htm?spm=a2c63.q38357.a3.9.345c54ff6EWeD8\">a guide<\/a> on how to do this. More importantly, it is always the responsibility of the user to prevent this infection from happening in the first place.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/groups-target-alibaba-ecs-instances-for-cryptojacking\/figure5-groups-target-alibaba-cloud-cryptojacking.png\" alt=\"figure5-groups-target-alibaba-ecs-instances-for-cryptojacking\"><figcaption>Figure 5. An example of cryptojacking malware<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37.597173144876\">\n<div readability=\"20.777385159011\">\n<p>Despite detection, the security agent fails to clean the running compromise and gets disabled. Looking at another malware sample shows that the security agent was also uninstalled before it could trigger an alert for compromise. The samples then proceeded to install an XMRig. 
Examining the samples further shows that the cryptominer can easily be replaced with another malware to execute in the environment.<\/p>\n<p>It is also important to note that Alibaba ECS has an <a href=\"https:\/\/www.alibabacloud.com\/help\/product\/25855.htm\">auto scaling<\/a> feature, wherein users and organizations can enable the service to automatically adjust computing resources based on the volume of user requests. When the demand increases, auto scaling allows the ECS instances to serve the said requests according to the enumerated policies. While the feature is given to subscribers at no extra cost, the increase in resource usage prompts the additional charges. By the time the billing arrives to the unwitting organization or user, the cryptominer has likely already incurred additional costs. Additionally, the legitimate subscribers have to manually remove the infection to clean the infrastructure of the compromise.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/groups-target-alibaba-ecs-instances-for-cryptojacking\/figure6-groups-target-alibaba-cloud-cryptojacking.png\" alt=\"figure6-groups-target-alibaba-ecs-instances-for-cryptojacking\"><figcaption>Figure 6. An example of a security agent uninstallation routine used by the malware<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.018707482993\">\n<div readability=\"11.469387755102\">\n<p>The samples our team acquired can be tied to campaigns targeting Alibaba, and we found these samples sharing common traits, functions, and functionalities with other campaigns that also target CSPs in Asia such as Huawei Cloud. 
There have also been <a href=\"https:\/\/threatpost.com\/cryptomining-malware-uninstalls-cloud-security-products\/140959\/\">other reports<\/a> of these compromise detections.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/groups-target-alibaba-ecs-instances-for-cryptojacking\/figure7-groups-target-alibaba-cloud-cryptojacking.png\" alt=\"figure7-groups-target-alibaba-ecs-instances-for-cryptojacking\"><figcaption>Figure 7. Comparing samples of compromised Alibaba Cloud (left) and Huawei Cloud (right).<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"43.193030719853\">\n<div readability=\"32.39477303989\">\n<p>The samples from both campaigns share common traits, especially when it comes to removing \u201cadversaries\u201d and setting up the environment for next-phase infections, such as making sure to use a public DNS. Although the style in coding is different, the purpose of the functions is similar on both attacks.<\/p>\n<p><span class=\"body-subhead-title\">Mitigating the impact of threats on Alibaba ECS workloads<\/span><\/p>\n<p>A performance penalty is one consequence of leaving a cryptojacking campaign running within the Alibaba cloud infrastructure, as the cryptomining process consumes a lot of resources. Moreover, in situations where users set their instances with the auto scaling feature, they can end up with unexpected costs to their subscriptions.<\/p>\n<p>Seeing how easily the compromise can be scaled, attackers can also easily replace the malicious cryptominer with another piece of malware that can potentially drive them more profit or spread to other workloads and endpoints. Subsequent attacks can be done on the projects or infrastructure as a result of how easy it is to infiltrate the environment with high user privileges. 
We continue to study the malicious activities that can be deployed in the infrastructure. We also list here some best practices for organizations to follow:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Practice a shared responsibility model. Both <a href=\"https:\/\/partners-intl.aliyun.com\/vodafone\/trust-center\">CSPs and users have a responsibility<\/a> to ensure that security configurations of workloads, projects, and environments are safe. Read through the guides, customize, and enable the security layers of workloads and projects accordingly. Enable policies that can best help secure the cloud environment and ensure that it has more than one layer of malware-scanning and vulnerability-detection tools.<br \/><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Customize the security features of cloud projects and workloads. <\/b>Despite the offered feature of your CSP, avoid running applications under root privilege and using passwords for SSH. Use public key cryptography for access.<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Follow the principle of least privilege.<\/b> Limit the number of users with the highest access privileges according to their respective levels of involvement in a project or an application.<\/span><\/li>\n<\/ul>\n<p><span class=\"body-subhead-title\">Indicators of Compromise (IOCs)<\/span><\/p>\n<p>You can find the full list of IOCs and Trend Micro detections&nbsp;<a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/k\/groups-target-alibaba-ecs-instances-for-cryptojacking\/IOCs-groups-target-alibaba-ecs-instances-cryptojacking.txt\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> 
<\/p>\n<p> <!--For Modal-end--> <!-- Go to www.addthis.com\/dashboard to customize your tools --> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/k\/groups-target-alibaba-ecs-instances-for-cryptojacking.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We looked at how some malicious groups disable features in Alibaba Cloud ECS instances for illicit mining of Monero. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":43919,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9520,9511,9555,9513,9536],"class_list":["post-43918","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cloud","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-malware","tag-trend-micro-research-privacyrisks"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Groups Target Alibaba ECS Instances for Cryptojacking 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/groups-target-alibaba-ecs-instances-for-cryptojacking\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Groups Target Alibaba ECS Instances for Cryptojacking 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/groups-target-alibaba-ecs-instances-for-cryptojacking\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-11-15T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/groups-target-alibaba-ecs-instances-for-cryptojacking.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1199\" \/>\n\t<meta property=\"og:image:height\" content=\"594\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/groups-target-alibaba-ecs-instances-for-cryptojacking\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/groups-target-alibaba-ecs-instances-for-cryptojacking\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Groups Target Alibaba ECS Instances for Cryptojacking\",\"datePublished\":\"2021-11-15T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/groups-target-alibaba-ecs-instances-for-cryptojacking\\\/\"},\"wordCount\":1265,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/groups-target-alibaba-ecs-instances-for-cryptojacking\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/groups-target-alibaba-ecs-instances-for-cryptojacking.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cloud\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Exploits&amp;Vulnerabilities\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Privacy&amp;Risks\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/groups-target-alibaba-ecs-instances-for-cryptojacking\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/groups-target-alibaba-ecs-instances-for-cryptojacking\\\/\",\"name\":\"Groups Target Alibaba ECS Instances for Cryptojacking 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/groups-target-alibaba-ecs-instances-for-cryptojacking\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/groups-target-alibaba-ecs-instances-for-cryptojacking\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/groups-target-alibaba-ecs-instances-for-cryptojacking.jpg\",\"datePublished\":\"2021-11-15T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/groups-target-alibaba-ecs-instances-for-cryptojacking\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/groups-target-alibaba-ecs-instances-for-cryptojacking\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/groups-target-alibaba-ecs-instances-for-cryptojacking\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/groups-target-alibaba-ecs-instances-for-cryptojacking.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/11\\\/groups-target-alibaba-ecs-instances-for-cryptojacking.jpg\",\"width\":1199,\"height\":594},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/groups-target-alibaba-ecs-instances-for-cryptojacking\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, 
News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Groups Target Alibaba ECS Instances for Cryptojacking\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Groups Target Alibaba ECS Instances for Cryptojacking 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/groups-target-alibaba-ecs-instances-for-cryptojacking\/","og_locale":"en_US","og_type":"article","og_title":"Groups Target Alibaba ECS Instances for Cryptojacking 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/groups-target-alibaba-ecs-instances-for-cryptojacking\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-11-15T00:00:00+00:00","og_image":[{"width":1199,"height":594,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/groups-target-alibaba-ecs-instances-for-cryptojacking.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/groups-target-alibaba-ecs-instances-for-cryptojacking\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/groups-target-alibaba-ecs-instances-for-cryptojacking\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Groups Target Alibaba ECS Instances for Cryptojacking","datePublished":"2021-11-15T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/groups-target-alibaba-ecs-instances-for-cryptojacking\/"},"wordCount":1265,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/groups-target-alibaba-ecs-instances-for-cryptojacking\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/groups-target-alibaba-ecs-instances-for-cryptojacking.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cloud","Trend Micro Research : Cyber Threats","Trend Micro Research : Exploits&amp;Vulnerabilities","Trend Micro Research : Malware","Trend Micro Research : Privacy&amp;Risks"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/groups-target-alibaba-ecs-instances-for-cryptojacking\/","url":"https:\/\/www.threatshub.org\/blog\/groups-target-alibaba-ecs-instances-for-cryptojacking\/","name":"Groups Target Alibaba ECS Instances for Cryptojacking 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/groups-target-alibaba-ecs-instances-for-cryptojacking\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/groups-target-alibaba-ecs-instances-for-cryptojacking\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/groups-target-alibaba-ecs-instances-for-cryptojacking.jpg","datePublished":"2021-11-15T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/groups-target-alibaba-ecs-instances-for-cryptojacking\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/groups-target-alibaba-ecs-instances-for-cryptojacking\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/groups-target-alibaba-ecs-instances-for-cryptojacking\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/groups-target-alibaba-ecs-instances-for-cryptojacking.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/11\/groups-target-alibaba-ecs-instances-for-cryptojacking.jpg","width":1199,"height":594},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/groups-target-alibaba-ecs-instances-for-cryptojacking\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Groups Target Alibaba ECS Instances for 
Cryptojacking"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12
e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/43918","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=43918"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/43918\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/43919"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=43918"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=43918"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=43918"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}