What is LemonDuck Malware?

The LemonDuck is a monero crypto-mining Malware. A code that causes unwanted, usually dangerous changes to the system. LemonDuck is capable of stealing the credentials, removing the security controls, which spreads through emails, moves laterally and ultimately drops more of the tools for human-operated activity. The malware is also known as a cross-platform threat, which is targeted not only on Windows systems but Linux-based machines as well, according to Microsoft’s blog.

It is also capable of the removal of other malware from a compromised device because it doesn’t want competition on the device.


How does the LemonDuck Malware spread?


The LemonDuck Malware is known to be spread in numerous ways, which is another reason why it is dangerous. The Malware is caused by fake phishing emails, USB devices like flash drives, in addition to various exploits and brute-force attacks. t is known for taking advantage quickly of news, events, or the release of new exploits to run campaigns effectively.


In the last year, the global COVID-19 threat to lure people into its infected mails was taken as an advantage by the Malware. The newly patched Exchange server vulnerabilities to gain access to the outdated systems were exploited by the Malware.



  • Trojans were designed to stealthily infiltrate the victim’s computer.
  • The system remains silent.
  • Thus, no particular symptoms were clearly visible in an infected machine.


Malware Capabilities:

  • Delivers XMR miners for cryptocurrency.
  • Fileless infection techniques are used.
  • The information such as computer name, machine UUID, MAC address, and IP address, etc are stolen and sent to the C&C(Command & Control) server.
  • The Windows Firewall settings are modified to open the port of  65529/TCP on the compromised machines.
  • The 32- and 64-bit versions of malicious DLL components are implanted to removable and network drives.
  • To execute malicious javascript upon reboot shortcut (LNK) files in the startup folder are registered.
  •  PowerShell code is Executed remotely using WMI.
  • Open-source tools such as PowerDump, freerdp, and Mimikatz are used to carry out various actions.
  •  An Installation Tracking C2 module is included which reports the machine profile and status of every executed module to the C2 server. Another Continuous Monitoring the details are sent using the C2 module about the compromised user accounts, machine configuration, user privilege and exploitation or mining payloads status.
  • The fresh copies of malicious scripts at regular intervals are downloaded using the Windows Scheduled Tasks mechanism.


  •  The LemonDuck Malware attack chain :

  •  Details about LemonDuck Malware(Infecting outdated Windows system using eternal blue)


  • How to avoid the installation of malware?

The user is recommended not to open suspicious emails, especially those received from unknown addresses or suspect senders. The uncertain attachments, links or messages must never be opened, as opening them can lead to a high-risk system infection.

Only the official and verified download channels should be used. The products with tools/functions provided by legitimate developers should be activated and updated. Activation of tools and updates from third parties which are Illegal should not be used, as they are known to be used for malware distribution.

It is paramount to have a reputable anti-virus/anti-spyware suite installed to ensure device integrity and user safety. This software must be updated from time to time and used to run regular system scans, to remove all detected/potential threats.

If the system is already infected, running a scan with Combo Cleaner Antivirus is recommended to automatically eliminate infiltrated malware by Windows.


Leave a Reply