Dual Attacker: When a Cryptominer is a Smoke Screen for PIX Exfiltration

Gabriel Ferraresi · CEO | Tech86 · July 1, 2026 · 4 min read

Tags: security, incident-response, cryptominer, digital-forensics, dual-attacker

Friday, 2:17 AM. The SOC of a Brazilian payment processor triggered. They called Tech86. The on-call analyst said: "cryptominer, we've seen this." He almost let it pass. When we arrived, the first thing that struck us was the discrepancy. What looked like a classic cryptominer was, in fact, two distinct actors operating in the same environment — and the cryptominer was the smoke screen.

The alert that was almost dismissed

XMRig was consuming CPU on three servers. Classic cryptominer signal — the SOC had seen it before. The on-call analyst was ready to mark it "resolved" after standard containment. But when we arrived, the first thing that caught our attention was the discrepancy.

There was outbound traffic to two completely different C2 domains. Not just different domains — different protocols, with distinct temporal patterns. One operated during European business hours, a 9 AM to 6 PM window in the Frankfurt time zone. The other operated during the Brazilian early morning, between 1 AM and 4 AM. That temporal and protocol divergence was the first indicator that we were not dealing with phases of a single campaign, but with separate campaigns. Two actors. Same environment.

The discrepancy that revealed two actors

The first actor had entered 48 hours earlier through a recently disclosed vulnerability. Automated and fast: it installed the cryptominer and established persistence with a web shell. The second exploited the same vulnerability hours later, but with a different objective: exfiltration of digital certificates and PIX transaction data.

The separation was invisible without crossing telemetry. The second actor's artifacts looked like "phase two" of the same campaign. Without correlating identity logs, endpoint telemetry, and cloud traffic, the internal team would have no way to distinguish two actors from a single multi-stage attack. That cross-referencing is what revealed the truth: two actors, two motivations, one entry point.
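To make the two points above concrete (the protocol and time-of-day divergence between the C2 destinations, and the attribution of endpoint and identity artifacts to one actor or the other by crossing telemetry), here is an added example that is not part of the original article or of Tech86's tooling; every log line, hostname and destination name is constructed, and the fixed UTC offsets for Frankfurt and São Paulo are an assumption made for brevity.

```python
"""Separate overlapping intrusions by C2 destination, protocol and hour of day, then
attribute host/identity artifacts. Added example; log lines are constructed."""
from datetime import datetime, timedelta, timezone

# Local clocks named in the write-up; fixed UTC offsets are an assumption.
FRANKFURT, SAO_PAULO = timezone(timedelta(hours=2)), timezone(timedelta(hours=-3))
# Constructed cloud-egress lines: "<utc-iso> <host> <proto> <destination>"
EGRESS = """\
2026-06-26T07:12:00Z srv-01 https cdn-a.example.test
2026-06-26T11:40:00Z srv-02 https cdn-a.example.test
2026-06-27T04:05:00Z srv-01 dns-txt relay-b.example.test
2026-06-27T06:50:00Z srv-02 dns-txt relay-b.example.test
"""
# Constructed endpoint/identity lines: "<utc-iso> <host> <source> <artifact>"
ARTIFACTS = """\
2026-06-26T07:20:00Z srv-01 endpoint xmrig-start
2026-06-26T11:50:00Z srv-02 endpoint webshell-write
2026-06-27T04:30:00Z srv-01 identity svc-pix-session
2026-06-27T06:10:00Z srv-01 endpoint cert-store-read
2026-06-27T20:00:00Z srv-03 identity admin-login
"""

_ts = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))  # parse UTC stamp

def cluster_c2(text):
    """Group egress by (destination, protocol) into the UTC timestamps seen."""
    clusters = {}
    for line in text.splitlines():
        ts, _host, proto, dst = line.split()
        clusters.setdefault((dst, proto), []).append(_ts(ts))
    return clusters

def local_hours(timestamps, tz=timezone.utc):
    """Hours of day a cluster was active, viewed on the given clock."""
    return {t.astimezone(tz).hour for t in timestamps}

def looks_like_two_actors(clusters):
    """Different protocol and no shared UTC hour: separate actors, not phases."""
    keys = list(clusters)
    return any(a[1] != b[1] and local_hours(clusters[a]).isdisjoint(local_hours(clusters[b]))
               for i, a in enumerate(keys) for b in keys[i + 1:])

def attribute(text, clusters):
    """Map each artifact to the one C2 cluster active in the same UTC hour."""
    out = {}
    for line in text.splitlines():
        ts, _host, _source, artifact = line.split()
        hits = [k[0] for k in clusters if _ts(ts).hour in local_hours(clusters[k])]
        out[artifact] = hits[0] if len(hits) == 1 else "unattributed"
    return out
```

Viewed on the Frankfurt clock the first cluster sits inside business hours and on the São Paulo clock the second sits in the early morning, which is the pattern the article describes; an artifact whose hour matches neither cluster is left unattributed rather than forced into a "phase two".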

The first actor wanted free compute. The second wanted negotiable assets — certificates that sign transactions and PIX data that is worth money on the black market. The recently disclosed vulnerability was the open door that both found, but what each looked for inside the infrastructure was completely different.

The cryptominer as a smoke screen

The cryptominer functioned as a smoke screen. The internal team focused on containing the mining — after all, it was the most obvious signal. Meanwhile, the second actor operated unnoticed, exfiltrating digital certificates and PIX transaction data.

This is where most incident responses fail. The SOC marks the cryptominer as "resolved," closes the ticket, and the second actor keeps operating. The typical SOC runbook says: identify the miner, isolate the host, remove persistence, close the ticket. That runbook works when there is a single actor. When there are two, containing the first gives the second exactly what it needs: operational silence.

A cryptominer in a financial environment is rarely just a cryptominer. It is the canary. If someone is mining on your payments infrastructure, the right question is not "how do we remove this?" It is: who else came through the same door?

Coordinated evacuation — simultaneous kill-switch

The solution was coordinated evacuation. Contain one actor at a time and the other hides — you think you are clean, and the breach continues. At Tech86, we mapped the entire access surface before acting. Web shells, compromised certificates, persisted accounts, affected segments — everything inventoried before any action.

Then, simultaneous kill-switch: certificate revocation, segment isolation, web shell removal, and total re-credentialing in a 14-minute window. The 14 minutes were divided into three blocks. In the first 4 minutes, we revoked all compromised digital certificates and invalidated active sessions based on them. From minutes 4 to 10, we isolated the affected network segments and removed web shells from the three servers. From minutes 10 to 14, we executed total re-credentialing — passwords, SSH keys, API tokens, service accounts.

Sequential action would have given the second actor time to reconfigure. The short window is what ensures both actors are contained at the same time, with no opportunity to react.

Dwell time and the right question

According to the Mandiant/FireEye M-Trends report, the global median dwell time is 14 days. Here, it was 2 days until exfiltration began — significantly below the median. If the SOC had marked the cryptominer as "resolved" without deeper investigation, the second actor would have operated for weeks.

The lesson is clear. A cryptominer in a financial environment is rarely just a cryptominer. It is the canary. The right question is not "how do we remove the miner?" — it is "who else came through the same door?" That shift in perspective is what separates superficial containment from a complete incident response.

Conclusion

We repeat: a cryptominer in a payments environment is the canary, not the threat. When the SOC of a Brazilian payment processor triggered that Friday at 2:17 AM, the instinct was to treat it as a classic cryptominer. What we found were two actors, two objectives, one entry point — and the cryptominer was the smoke screen hiding the exfiltration of certificates and PIX data.

The difference between "resolved" and "actually resolved" lies in crossing identity, endpoint, and cloud telemetry before acting, and in executing a simultaneous kill-switch instead of sequential containment. At Tech86, we help companies respond to complex incidents — before the canary becomes the only thing you hear.


Frequently Asked Questions

A dual-attacker scenario occurs when two distinct threat actors exploit the same vulnerability in the same environment, with different objectives. It is dangerous because containing one actor can mask the presence of the other. The second actor's artifacts look like "phase two" of the same campaign, and without crossing identity, endpoint, and cloud telemetry, the separation is invisible.

A cryptominer consumes CPU and generates obvious SOC alerts, causing the internal team to focus on containing the mining. Meanwhile, a second actor operates unnoticed, exfiltrating high-value data — such as digital certificates and PIX transactions. The cryptominer functions as a canary: if someone is mining on your payments infrastructure, the right question is not "how do we remove this?" but "who else came through the same door?".

According to the Mandiant/FireEye M-Trends report, the global median dwell time is 14 days. In this case, it was 2 days until exfiltration began — significantly below the median. If the SOC had marked the cryptominer as "resolved" without deeper investigation, the second actor would have operated for weeks.

Containing one actor at a time allows the other to hide. You think you are clean, and the breach continues. The correct solution is coordinated evacuation: map the entire access surface before acting and execute a simultaneous kill-switch — certificate revocation, segment isolation, web shell removal, and total re-credentialing in a single window.

You need to cross three sources: identity telemetry (access logs, accounts, sessions), endpoint telemetry (EDR, processes, persistence), and cloud telemetry (outbound traffic, APIs, certificates). Without this cross-referencing, two actors operating on distinct protocols and schedules look like a single campaign.
