Friday, 2:17 AM. An alert fired in the SOC of a Brazilian payment processor. They called Tech86. The on-call analyst said: "cryptominer, we've seen this." He almost let it pass. When we arrived, the first thing that struck us was the discrepancy. What looked like a classic cryptominer was, in fact, two distinct actors operating in the same environment — and the cryptominer was the smoke screen.
The alert that was almost dismissed
XMRig was consuming CPU on three servers. Classic cryptominer signal — the SOC had seen it before. The on-call analyst was ready to mark it "resolved" after standard containment. But when we arrived, the first thing that caught our attention was the discrepancy.
There was outbound traffic to two completely different C2 domains. Not just different domains — different protocols, with distinct temporal patterns. One operated during European business hours, a 9 AM to 6 PM window in the Frankfurt time zone. The other operated during the Brazilian early morning, between 1 AM and 4 AM. That temporal and protocol divergence was the first indicator that we were not dealing with phases of a single campaign, but with separate campaigns. Two actors. Same environment.
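The temporal and protocol split described above, expressed as a detection check over constructed egress records (an added example, not the article's or Tech86's code): connections are grouped by destination and protocol, each timestamp is tested against the two operating windows the article names, and channels whose windows overlap no other channel's are flagged as candidates for separate actors. The domains, host names and fixed UTC offsets are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed egress records (UTC timestamp, source host, destination, protocol);
# domains and host names are placeholders, not indicators from the incident.
SAMPLE_EGRESS = """\
2024-03-08T08:12:41Z srv-pay-01 cdn-updates.example HTTPS
2024-03-08T11:47:03Z srv-pay-02 cdn-updates.example HTTPS
2024-03-08T15:30:19Z srv-pay-03 cdn-updates.example HTTPS
2024-03-09T04:05:55Z srv-pay-01 relay.example.net DNS
2024-03-09T05:41:12Z srv-pay-02 relay.example.net DNS
2024-03-09T06:22:48Z srv-pay-03 relay.example.net DNS
"""

# Operating windows named in the article: name -> (tz, first hour, last hour exclusive).
# Fixed UTC offsets assumed (CET for Frankfurt in March, Brazil has no DST); use zoneinfo for DST-aware work.
WINDOWS = {
    "eu_business_hours": (timezone(timedelta(hours=1)), 9, 18),
    "br_early_morning": (timezone(timedelta(hours=-3)), 1, 4),
}

def parse_egress(text):
    """Parse whitespace-separated lines into (utc datetime, host, dst, proto) tuples."""
    records = []
    for line in text.splitlines():
        ts, host, dst, proto = line.split()
        records.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), host, dst, proto))
    return records

def matching_windows(ts_utc, windows=WINDOWS):
    """Names of the operating windows whose local hour range contains this timestamp."""
    return {name for name, (tz, start, end) in windows.items()
            if start <= ts_utc.astimezone(tz).hour < end}

def cluster_by_channel(records, windows=WINDOWS):
    """Group traffic by (destination, protocol) and collect source hosts and matched windows."""
    clusters = defaultdict(lambda: {"hosts": set(), "windows": set()})
    for ts, host, dst, proto in records:
        clusters[(dst, proto)]["hosts"].add(host)
        clusters[(dst, proto)]["windows"] |= matching_windows(ts, windows)
    return dict(clusters)

def distinct_actor_channels(clusters):
    """Channels whose operating windows overlap no other channel's: candidates for separate actors."""
    return [k for k in clusters if clusters[k]["windows"] and all(
        clusters[k]["windows"].isdisjoint(v["windows"]) for o, v in clusters.items() if o != k)]

if __name__ == "__main__":
    for channel, info in cluster_by_channel(parse_egress(SAMPLE_EGRESS)).items():
        print(channel, sorted(info["hosts"]), sorted(info["windows"]))
```

A channel that hits both windows, or neither, is not evidence of a second actor on its own; the check only separates channels whose active hours never coincide.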
The discrepancy that revealed two actors
The first actor had entered 48 hours earlier through a recently disclosed vulnerability. The intrusion was automated and fast: it installed the cryptominer and established persistence with a web shell. The second actor exploited the same vulnerability hours later, but with a different objective: exfiltration of digital certificates and PIX transaction data.
The separation was invisible without crossing telemetry. The second actor's artifacts looked like "phase two" of the same campaign. Without correlating identity logs, endpoint telemetry, and cloud traffic, the internal team would have had no way to distinguish two actors from a single multi-stage attack. That cross-referencing is what revealed the truth: two actors, two motivations, one entry point.
The first actor wanted free compute. The second wanted negotiable assets — certificates that sign transactions and PIX data that is worth money on the black market. The recently disclosed vulnerability was the open door that both found, but what each looked for inside the infrastructure was completely different.
The cryptominer as a smoke screen
The cryptominer functioned as a smoke screen. The internal team focused on containing the mining — after all, it was the most obvious signal. Meanwhile, the second actor operated unnoticed, exfiltrating digital certificates and PIX transaction data.
This is where most incident responses fail. The SOC marks the cryptominer as "resolved," closes the ticket, and the second actor keeps operating. The typical SOC runbook says: identify the miner, isolate the host, remove persistence, close the ticket. That runbook works when there is a single actor. When there are two, containing the first gives the second exactly what it needs: operational silence.
A cryptominer in a financial environment is rarely just a cryptominer. It is the canary. If someone is mining on your payments infrastructure, the right question is not "how do we remove this?" It is: who else came through the same door?
Coordinated evacuation — simultaneous kill-switch
The solution was coordinated evacuation. Contain one actor at a time and the other hides — you think you are clean, and the breach continues. At Tech86, we mapped the entire access surface before acting. Web shells, compromised certificates, persisted accounts, affected segments — everything inventoried before any action.
Then, simultaneous kill-switch: certificate revocation, segment isolation, web shell removal, and total re-credentialing in a 14-minute window. The 14 minutes were divided into three blocks. In the first 4 minutes, we revoked all compromised digital certificates and invalidated active sessions based on them. From minutes 4 to 10, we isolated the affected network segments and removed web shells from the three servers. From minutes 10 to 14, we executed total re-credentialing — passwords, SSH keys, API tokens, service accounts.
Sequential action would have given the second actor time to reconfigure. The short window is what ensures both actors are contained at the same time, with no opportunity to react.
Dwell time and the right question
According to the Mandiant/FireEye M-Trends report, the global median dwell time is 14 days. Here, it was 2 days until exfiltration began — significantly below the median. If the SOC had marked the cryptominer as "resolved" without deeper investigation, the second actor would have operated for weeks.
The lesson is clear. A cryptominer in a financial environment is rarely just a cryptominer. It is the canary. The right question is not "how do we remove the miner?" — it is "who else came through the same door?" That shift in perspective is what separates superficial containment from a complete incident response.
Conclusion
We repeat: a cryptominer in a payments environment is the canary, not the threat. When the alert fired in the SOC of a Brazilian payment processor that Friday at 2:17 AM, the instinct was to treat it as a classic cryptominer. What we found were two actors, two objectives, one entry point — and the cryptominer was the smoke screen hiding the exfiltration of certificates and PIX data.
The difference between "resolved" and "actually resolved" lies in crossing identity, endpoint, and cloud telemetry before acting, and in executing a simultaneous kill-switch instead of sequential containment. At Tech86, we help companies respond to complex incidents — before the canary becomes the only thing you hear.