The ‚Lemon Duck‘ botnet, used to mine crypto, is expanding rapidly.

Malware is disseminated via fake emails related to the COVID-19 emergency and mainly affects Windows 10 users.

Since the end of August, cybersecurity researchers have seen an increase in the activity of a crypto extraction botnet called „Lemon Duck“, which has been in circulation since December 2018, but has increased significantly in the last six weeks. This means that malware has infiltrated many other hardware in order to undermine the Monero cryptocurrency.

Research conducted by Cisco’s Talos Intelligence Group suggests that ordinary users are hardly aware that they have been affected by Lemon Duck; however, it is likely to be revealed by network administrators.

Crypto mining malware can even cause physical damage to hardware as it constantly uses the machine’s CPU and GPU, generating huge amounts of heat, as well as increasing power consumption.

Malware targets computers running Windows 10, as it exploits vulnerabilities in certain Microsoft operating system services. Malware is disseminated via e-mail with a title linked to COVID-19 and a (infected) file attached. Once the system has been affected, it uses Outlook to automatically send itself to all user contacts.

The emails contain two malicious files: the first is an RTF document called readme.doc, which exploits a remote code execution vulnerability in Microsoft Office. The second file is called, and contains a script that downloads and executes the Lemon Duck loader.

Once installed, this sophisticated software finishes a series of Windows services and downloads other tools for stealth connections to the rest of the network. Lemon Duck has also infected Bitcoin Evolution, but the main victims remain Windows users.

The malware extracts Monero because this crypto has a strong focus on privacy, which makes it very easy to hide. The researchers have not specified who the criminals behind Lemon Duck are, although it appears to be linked to other malware known as „Beapy“, which became widespread in East Asia in June 2019.

Last month, users of the Coinbase wallet were targeted by a new Android malware designed to steal Google Authenticator codes.