{"id":57472,"date":"2024-10-22T00:00:00","date_gmt":"2024-10-22T00:00:00","guid":{"rendered":"urn:uuid:c8c5f712-a362-e7a1-0574-c3396854d0dd"},"modified":"2024-10-22T00:00:00","modified_gmt":"2024-10-22T00:00:00","slug":"using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\/","title":{"rendered":"Using gRPC and HTTP\/2 for Cryptominer Deployment: An Unconventional Approach"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/grpc-http-2-cryptominer-deployment-thumbnail:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"latest news,articles, news, reports,cyber threats\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2024-10-22\"> <meta property=\"article:tag\" content=\"cyber threats\"> <meta property=\"article:section\" content=\"latest news\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/j\/using-grpc-http-2-for-cryptominer-deployment.html\"> <title>Using gRPC and HTTP\/2 for Cryptominer Deployment: An Unconventional Approach | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link 
rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/j\/using-grpc-http-2-for-cryptominer-deployment.html\"><br \/>\n<meta property=\"og:title\" content=\"Using gRPC and HTTP\/2 for Cryptominer Deployment: An Unconventional Approach\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/grpc-http-2-cryptominer-deployment-thumbnail.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Using gRPC and HTTP\/2 for Cryptominer Deployment: An Unconventional Approach\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/grpc-http-2-cryptominer-deployment-thumbnail.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.334688897926\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"463429228\">\n<div class=\"col-xs-12 
col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.7879581151832\">\n<div class=\"article-details\" role=\"heading\" readability=\"37.104712041885\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cyber Threats<\/p>\n<p class=\"article-details__description\">In this blog entry, we discuss how malicious actors are exploiting Docker remote API servers via gRPC\/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts.<\/p>\n<p class=\"article-details__author-by\">By: Abdelrahman Esmail, Sunil Bharti <time class=\"article-details__date\">October 22, 2024<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"39.111929824561\">\n<div readability=\"23.764210526316\">\n<h4>Summary<\/h4>\n<ul>\n<li><span class=\"rte-red-bullet\">Trend Micro researchers recently observed a malicious actor targeting Docker remote API servers to deploy the SRBMiner cryptominer and mine XRP cryptocurrency.<\/span><\/li>\n<li><span 
class=\"rte-red-bullet\">In this attack, the threat actor used the gRPC protocol over h2c to evade security solutions and execute their cryptomining operations on the Docker host.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">The attacker first checked the availability and version of the Docker API, then proceeded with requests for gRPC\/h2c upgrades and gRPC methods to manipulate Docker functionalities.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Afterwards, the attacker downloaded and deployed the SRBMiner cryptominer from GitHub, and started mining to their cryptocurrency wallet and public IP address.<\/span><\/li>\n<\/ul>\n<p>Recently we observed a malicious actor targeting Docker remote API servers for cryptomining. <a href=\"https:\/\/www.docker.com\/\">Docker<\/a> is a platform that helps developers build, test, deploy, and share applications. One of Docker&#8217;s features is its remote API, which allows users to manage containers, images, and volumes remotely. However, this feature also introduces security risks if remote API servers are left misconfigured and exposed to the internet, which could lead to security breaches and exploitation by malicious actors.<\/p>\n<p>In this attack, we observed the malicious actor utilizing the gRPC protocol over h2c (clear text HTTP\/2 protocol) to evade security solutions and deploy the <a href=\"https:\/\/www.srbminer.com\/\" target=\"_blank\" rel=\"noopener\">SRBMiner<\/a> cryptominer on the Docker host to mine XRP, a cryptocurrency developed by the US-based Ripple Labs.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"9d149c\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/using-grpc-and-http-2-for-cryptominer-deployment--an-unconventional-approach\/grpc-http-2-cryptominer-deployment-Fig01.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" 
src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/using-grpc-and-http-2-for-cryptominer-deployment--an-unconventional-approach\/grpc-http-2-cryptominer-deployment-Fig01.png\" alt=\"Figure 1. Attack chain \"> <\/a> <\/p>\n<p><figcaption>Figure 1. Attack chain <\/figcaption><\/p>\n<\/figure><\/div>\n<div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>As shown in the attack chain (Figure 1), the attacker starts the discovery process by checking the Docker API\u2019s availability and version (Figures 2 and 3). The attacker then sends a request for a gRPC\/h2c upgrade (Figure 4).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"465e88\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/using-grpc-and-http-2-for-cryptominer-deployment--an-unconventional-approach\/grpc-http-2-cryptominer-deployment-Fig02.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/using-grpc-and-http-2-for-cryptominer-deployment--an-unconventional-approach\/grpc-http-2-cryptominer-deployment-Fig02.png\" alt=\"Figure 2. Ping request\"> <\/a> <\/p>\n<p><figcaption>Figure 2. 
Ping request<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"fe458a\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/using-grpc-and-http-2-for-cryptominer-deployment--an-unconventional-approach\/grpc-http-2-cryptominer-deployment-Fig03.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/using-grpc-and-http-2-for-cryptominer-deployment--an-unconventional-approach\/grpc-http-2-cryptominer-deployment-Fig03.png\" alt=\"Figure 3. Version check request\"> <\/a> <\/p>\n<p><figcaption>Figure 3. Version check request<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"e79fba\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/using-grpc-and-http-2-for-cryptominer-deployment--an-unconventional-approach\/grpc-http-2-cryptominer-deployment-Fig04.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/using-grpc-and-http-2-for-cryptominer-deployment--an-unconventional-approach\/grpc-http-2-cryptominer-deployment-Fig04.png\" alt=\"Figure 4. Protocol upgrade request\"> <\/a> <\/p>\n<p><figcaption>Figure 4. Protocol upgrade request<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<p>Finally, the attacker checks for gRPC methods (Figure 5). These methods are designed to facilitate various operations within Docker, including health checks, file synchronization, authentication, secrets management, and SSH forwarding. They enable clients to perform tasks that are essential for managing and operating Docker environments. 
As shown in Table 1, each method serves a specific purpose, contributing to the overall functionality and security of Docker-based workflows.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"4ee996\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/using-grpc-and-http-2-for-cryptominer-deployment--an-unconventional-approach\/grpc-http-2-cryptominer-deployment-Fig05.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/using-grpc-and-http-2-for-cryptominer-deployment--an-unconventional-approach\/grpc-http-2-cryptominer-deployment-Fig05.png\" alt=\"Figure 5. Protocol upgrade request with checking gRPC methods\"> <\/a> <\/p>\n<p><figcaption>Figure 5. Protocol upgrade request with checking gRPC methods<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\" readability=\"6\"> <center readability=\"2\"><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"39.5\">\n<tr>\n<td width=\"208\" valign=\"top\"><b>Method<\/b><\/td>\n<td width=\"208\" valign=\"top\"><b>Purpose<\/b><\/td>\n<td width=\"208\" valign=\"top\"><b>Functionality<\/b><\/td>\n<\/tr>\n<tr readability=\"11\">\n<td width=\"208\" valign=\"top\">\/grpc.health.v1.Health\/Check &nbsp;<\/td>\n<td width=\"208\" valign=\"top\">Typically used to perform health checks on services.&nbsp;<\/td>\n<td width=\"208\" valign=\"top\">Allows a client to query the health status of a service. 
The service responds with its current health status, which can be SERVING, NOT_SERVING, or other statuses defined by the gRPC health protocol.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"9\">\n<td width=\"208\" valign=\"top\">\/grpc.health.v1.Health\/Watch<\/td>\n<td width=\"208\" valign=\"top\">Similar to the Check method, but provides a continuous stream of health status updates.&nbsp;<\/td>\n<td width=\"208\" valign=\"top\">The client subscribes to health status updates, and the server sends updates whenever the health status changes.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"7\">\n<td width=\"208\" valign=\"top\">\/moby.filesync.v1.FileSync\/DiffCopy<\/td>\n<td width=\"208\" valign=\"top\">Synchronizes files between the host and a Docker container.<\/td>\n<td width=\"208\" valign=\"top\">Compares files between the source and destination and copies only the differences to minimize data transfer.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"7\">\n<td width=\"208\" valign=\"top\">\/moby.filesync.v1.FileSync\/TarStream<\/td>\n<td width=\"208\" valign=\"top\">Transfers files as a tar stream.&nbsp;<\/td>\n<td width=\"208\" valign=\"top\">Streams files in the tar format, which is a common archive format in Unix-like systems.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"8\">\n<td width=\"208\" valign=\"top\">\/moby.filesync.v1.Auth\/Credentials&nbsp;<\/td>\n<td width=\"208\" valign=\"top\">Manages authentication credentials.&nbsp;<\/td>\n<td width=\"208\" valign=\"top\">Likely handles storing, retrieving, or validating credentials used for authentication.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"208\" valign=\"top\">\/moby.filesync.v1.Auth\/FetchToken&nbsp;<\/td>\n<td width=\"208\" valign=\"top\">Retrieves an authentication token.&nbsp;<\/td>\n<td width=\"208\" valign=\"top\">Fetches a token that can be used for authenticating subsequent requests.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"208\" 
valign=\"top\">\/moby.filesync.v1.Auth\/GetTokenAuthority&nbsp;<\/td>\n<td width=\"208\" valign=\"top\">Retrieves information about the token authority.&nbsp;<\/td>\n<td width=\"208\" valign=\"top\">Provides details about the authority that issues authentication tokens.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"208\" valign=\"top\">\/moby.filesync.v1.Auth\/VerifyTokenAuthority&nbsp;<\/td>\n<td width=\"208\" valign=\"top\">Verifies the token authority.<\/td>\n<td width=\"208\" valign=\"top\">Checks the legitimacy and trustworthiness of the token authority.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"7\">\n<td width=\"208\" valign=\"top\">\/moby.buildkit.secrets.v1.Secrets\/GetSecret<\/td>\n<td width=\"208\" valign=\"top\">Retrieves a secret.<\/td>\n<td width=\"208\" valign=\"top\">Fetches a secret, such as an API key, password, or other sensitive information.<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"208\" valign=\"top\">\/moby.sshforward.v1.SSH\/CheckAgent<\/td>\n<td width=\"208\" valign=\"top\">Checks the status of an SSH agent.&nbsp;<\/td>\n<td width=\"208\" valign=\"top\">Likely verifies whether an SSH agent is running and available for forwarding.&nbsp;<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"208\" valign=\"top\">\/moby.sshforward.v1.SSH\/ForwardAgent<\/td>\n<td width=\"208\" valign=\"top\">Forwards an SSH agent.&nbsp;<\/td>\n<td width=\"208\" valign=\"top\">Sets up SSH agent forwarding, allowing the client to use the SSH keys stored on the host for authentication with remote systems.&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 1. Purposes and functionalities of gRPC methods<\/span><\/p>\n<p><\/center> <\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>The attacker then sends a connection upgrade request to h2c protocol. 
Once the connection upgrade request has been processed by the server with all the required parameters using gRPC requests, the attacker sends the <i>\/moby.buildkit.v1.Control\/Solve<\/i> gRPC request to build the Docker image based on <i>Dockerfile.srb<\/i> (Figure 6), which contains Docker container building details based on the legitimate Docker image, <i>debian:bookworm-slim<\/i> (Figure 7).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"103e12\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/using-grpc-and-http-2-for-cryptominer-deployment--an-unconventional-approach\/grpc-http-2-cryptominer-deployment-Fig06.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/using-grpc-and-http-2-for-cryptominer-deployment--an-unconventional-approach\/grpc-http-2-cryptominer-deployment-Fig06.png\" alt=\"Figure 6. The gRPC solve method to set Docker file name and the mode for resolving the image\"> <\/a> <\/p>\n<p><figcaption>Figure 6. The gRPC solve method to set Docker file name and the mode for resolving the image<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"547511\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/using-grpc-and-http-2-for-cryptominer-deployment--an-unconventional-approach\/grpc-http-2-cryptominer-deployment-Fig07.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/using-grpc-and-http-2-for-cryptominer-deployment--an-unconventional-approach\/grpc-http-2-cryptominer-deployment-Fig07.png\" alt=\"Figure 7. 
The gRPC status\/response method to check container building details\"> <\/a> <\/p>\n<p><figcaption>Figure 7. The gRPC status\/response method to check container building details<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>In the <i>Dockerfile.srb<\/i> details (Figure 8), we observed that the threat actor downloads and unzips the SRBMiner from GitHub into the <i>\/tmp\/.1<\/i> directory, then deploys the cryptominer in the <i>\/usr\/sbin<\/i> directory. Afterwards, the threat actor starts the mining process; it provides their cryptocurrency wallet address, which starts with \u201cr\u201d (Ripple wallet IDs commonly start with this letter), and the cryptominer\u2019s public IP address (with the periods replaced with underscores).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"2d8143\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/using-grpc-and-http-2-for-cryptominer-deployment--an-unconventional-approach\/grpc-http-2-cryptominer-deployment-Fig08.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/j\/using-grpc-and-http-2-for-cryptominer-deployment--an-unconventional-approach\/grpc-http-2-cryptominer-deployment-Fig08.png\" alt=\"Figure 8. Container build status\"> <\/a> <\/p>\n<p><figcaption>Figure 8. Container build status<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34.272827282728\">\n<div readability=\"17.599559955996\">\n<h4>Conclusion<b><\/b><\/h4>\n<p>Containerization platforms like Docker are instrumental in modern-day application development, but their features can become security liabilities if not meticulously protected. 
As demonstrated in this attack, cybercriminals can exploit features like remote management APIs to their advantage: The malicious actor in this case leveraged the gRPC protocol over H2C, effectively bypassing several security layers to deploy the SRBMiner cryptominer on the Docker host and mine XRP cryptocurrency illicitly.<\/p>\n<p>To safeguard development environments from attacks targeting containers and hosts, we recommend that organizations relying on Docker adopt the following best practices:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Containers and APIs should always be properly configured to minimize the chance of exploitative attacks. Docker provides <a href=\"https:\/\/docs.docker.com\/develop\/dev-best-practices\/\" target=\"_blank\" rel=\"noopener\">guidelines<\/a> on how their users can strengthen their security.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Containers should not be run with root privileges, but as application users instead.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Containers should be configured so that access is granted only to trusted sources, such as the internal network. The same applies to the Docker remote API targeted in this attack: it should not be reachable from the internet, and remote access to it should require authentication (for example, TLS with client certificate verification).<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Organizations should adhere to recommended best practices. 
For example, Docker provides <a href=\"https:\/\/docs.docker.com\/engine\/security\/security\/\" target=\"_blank\" rel=\"noopener\">a comprehensive list of best practices<\/a> and has built-in security features users can follow to improve the security of their cloud environments.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Security audits should be performed at regular intervals to check for any suspicious containers and images.<\/span><\/li>\n<\/ul>\n<p>Trend Micro also offers the following security solutions for safeguarding Docker servers:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"42.072307692308\">\n<div readability=\"33.840769230769\">\n<h4>Trend Micro Vision One Threat Intelligence&nbsp;<\/h4>\n<p>To stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. 
By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.&nbsp;<\/p>\n<p><b>&nbsp;Trend Micro Vision One Intelligence Reports App [IOC Sweeping]<\/b><\/p>\n<p><i>Using gRPC and HTTP\/2 for Crypto Miner Deployment<\/i><\/p>\n<p><b>Trend Micro Vision One Threat Insights App<\/b><\/p>\n<p>Emerging Threats:&nbsp;<a href=\"https:\/\/portal.xdr.trendmicro.com\/index.html#\/app\/ti\/intelligence_insights?name=Using%20gRPC%20and%20HTTP\/2%20for%20Cryptominer%20Deployment:%20An%20Unconventional%20Approach\" target=\"_blank\" rel=\"noopener\">Using gRPC and HTTP\/2 for Cryptominer Deployment: An Unconventional Approach<\/a><\/p>\n<h4>Hunting Queries&nbsp;<\/h4>\n<p><b>Trend Micro Vision One Search App<\/b><\/p>\n<p>Trend Micro Vision One Customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\u202f\u202f\u202f<\/p>\n<p>SRBMiner C&amp;C Connections:&nbsp;<\/p>\n<p><span class=\"blockquote\">eventId:3 AND (&#8220;src:59.93.45.16*&#8221; OR &#8220;dst:59.93.45.16*&#8221; OR &#8220;src:167.71.194.227:3333&#8221; OR &#8220;dst:167.71.194.227:3333&#8221;)<\/span><\/p>\n<p>More hunting queries are available for Vision One customers with\u202f<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform\/threat-insights.html\" title=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform\/threat-insights.html\" target=\"_blank\" rel=\"noopener\">Threat Insights Entitlement enabled<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<h4>Indicators of Compromise (IOCs)<b><\/b><\/h4>\n<p><b>Hashes<\/b><\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"2\">\n<tr>\n<td width=\"312\" valign=\"top\"><b>SHA256<\/b><\/td>\n<td width=\"312\" 
valign=\"top\"><b>Detection<\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"312\" valign=\"top\">0d4eb69b551cb538a9a4c46f7b57906a47bcabb8ef8a5d245584fbba09fc5084 &nbsp;<\/td>\n<td width=\"312\" valign=\"top\">PUA.Linux.SRBMine.A\/277100&nbsp;&nbsp;<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/center><\/p>\n<p><b>URLs<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">https:\/\/github[.]com\/doktor83\/SRBMiner-Multi\/releases\/download\/2.5.8\/SRBMiner-Multi-2-5-8-Linux.tar.g<\/span><\/li>\n<li><span class=\"rte-red-bullet\">167[.]71[.]194[.]227:3333<\/span><\/li>\n<li><span class=\"rte-red-bullet\">59[.]93[.]45[.]16<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<h4>MITRE ATT&amp;CK Techniques<b><\/b><\/h4>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"3\">\n<tr>\n<td width=\"208\" valign=\"top\"><b>Tactic<\/b><\/td>\n<td width=\"208\" valign=\"top\"><b>Technique<\/b><\/td>\n<td width=\"208\" valign=\"top\"><b>Technique ID<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" rowspan=\"2\" valign=\"top\">Initial Access<\/td>\n<td width=\"208\" valign=\"top\">Exploit Public-Facing Application<\/td>\n<td width=\"208\" valign=\"top\">T1190<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">External Remote Services<\/td>\n<td width=\"208\" valign=\"top\">T1133<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" valign=\"top\">Execution<\/td>\n<td width=\"208\" valign=\"top\">Deploy Container<\/td>\n<td width=\"208\" valign=\"top\">T1610<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" rowspan=\"2\" valign=\"top\">Command and Control<\/td>\n<td width=\"208\" valign=\"top\">Ingress Tool Transfer<\/td>\n<td width=\"208\" valign=\"top\">T1105<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">Application Layer Protocol: Web Protocols<\/td>\n<td width=\"208\" valign=\"top\">T1071.001<\/td>\n<\/tr>\n<tr>\n<td width=\"208\" 
valign=\"top\">Impact<\/td>\n<td width=\"208\" valign=\"top\">Resource Hijacking<\/td>\n<td width=\"208\" valign=\"top\">T1496<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"208\" valign=\"top\">Discovery<\/td>\n<td width=\"208\" valign=\"top\">System Network Configuration Discovery: Internet Connection Discovery<\/td>\n<td width=\"208\" valign=\"top\">T1016.001<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/center> <\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/j\/using-grpc-http-2-for-cryptominer-deployment.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this blog entry, we discuss how malicious actors are exploiting Docker remote API servers via gRPC\/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9534],"class_list":["post-57472","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-latest-news"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Using gRPC and HTTP\/2 for Cryptominer Deployment: An Unconventional Approach 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Using gRPC and HTTP\/2 for Cryptominer Deployment: An Unconventional Approach 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-10-22T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/grpc-http-2-cryptominer-deployment-thumbnail:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Using gRPC and HTTP\\\/2 for Cryptominer Deployment: An Unconventional 
Approach\",\"datePublished\":\"2024-10-22T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\\\/\"},\"wordCount\":1407,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/grpc-http-2-cryptominer-deployment-thumbnail:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Latest News\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\\\/\",\"name\":\"Using gRPC and HTTP\\\/2 for Cryptominer Deployment: An Unconventional Approach 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/grpc-http-2-cryptominer-deployment-thumbnail:Large?qlt=80\",\"datePublished\":\"2024-10-22T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/grpc-http-2-cryptominer-deployment-thumbnail:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/grpc-http-2-cryptominer-deployment-thumbnail:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Using gRPC and HTTP\\\/2 for Cryptominer Deployment: An Unconventional Approach\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber 
Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Using gRPC and HTTP\/2 for Cryptominer Deployment: An Unconventional Approach 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\/","og_locale":"en_US","og_type":"article","og_title":"Using gRPC and HTTP\/2 for Cryptominer Deployment: An Unconventional Approach 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-10-22T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/grpc-http-2-cryptominer-deployment-thumbnail:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Using gRPC and HTTP\/2 for Cryptominer Deployment: An Unconventional Approach","datePublished":"2024-10-22T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\/"},"wordCount":1407,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/grpc-http-2-cryptominer-deployment-thumbnail:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : Latest 
News"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\/","url":"https:\/\/www.threatshub.org\/blog\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\/","name":"Using gRPC and HTTP\/2 for Cryptominer Deployment: An Unconventional Approach 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/grpc-http-2-cryptominer-deployment-thumbnail:Large?qlt=80","datePublished":"2024-10-22T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/grpc-http-2-cryptominer-deployment-thumbnail:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/grpc-http-2-cryptominer-deployment-thumbnail:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/using-grpc-and-http-2-for-cryptominer-deployment-an-unconventional-approach\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Using gRPC and HTTP\/2 for Cryptominer Deployment: An Unconventional Approach"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation 
Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57472","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=57472"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57472\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=57472"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=57472"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=57472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}