StripedFly Malware Disguised as Crypto Miner Infects Over One Million Devices Worldwide

A sophisticated piece of malware masquerading as a cryptocurrency miner has been uncovered after operating undetected for over five years, compromising more than one million devices across the globe. Cybersecurity researchers at Kaspersky have published a detailed analysis of the threat, dubbed StripedFly, revealing a complex modular framework that targets both Windows and Linux systems with alarming efficiency.

The Exploit Mechanics

StripedFly was initially detected in 2017 but was misclassified as a routine cryptocurrency miner, allowing it to evade serious scrutiny for years. At its core, the malware employs a custom implementation of the EternalBlue SMBv1 exploit, which targets the same vulnerability originally weaponized by the NSA-linked Equation Group and later leaked to the public. This exploit enables StripedFly to spread silently across networks without any user interaction, much like the WannaCry ransomware that devastated systems worldwide in 2017.

What sets StripedFly apart from typical malware is its architectural sophistication. The framework operates as a modular system, with each component responsible for a specific function. A built-in Tor network tunnel provides encrypted communication with command-and-control servers, making traffic analysis nearly impossible. The malware also leverages trusted platforms — including Bitbucket, GitLab, and GitHub — as delivery and update mechanisms, effectively hiding in plain sight within legitimate service traffic.

Persistence is achieved through multiple techniques depending on the operating system. On Windows, StripedFly modifies registry entries and creates scheduled tasks, selecting the technique according to the privilege level available to PowerShell. On Linux, it deploys a different set of persistence methods tailored to the target environment. The encrypted binaries containing the offloadable malware components are hosted on the code repositories mentioned above, and Kaspersky determined that over one million updates have been downloaded from them since the malware first appeared.

Affected Systems

The scope of StripedFly’s infection is staggering. Both enterprise servers and individual workstations running Windows or Linux have been compromised. The malware’s modular design means that the impact on each infected system depends on which components have been deployed. At minimum, the core framework establishes persistent access and the ability to receive additional payloads. At maximum, the full suite of modules transforms the infected device into a comprehensive surveillance and resource-harvesting platform.

Notably, the Monero mining module — the component that originally led to the malware’s misclassification — represents only one facet of StripedFly’s capabilities. The cryptocurrency mining function appears to serve as a secondary revenue stream or possibly as a decoy to mask the malware’s more sinister activities from security researchers.

The Mitigation Strategy

Addressing a threat of this magnitude requires a multi-layered approach. Organizations and individuals should immediately update their operating systems and apply all available security patches, particularly those addressing the EternalBlue vulnerability (MS17-010). Network monitoring tools should be configured to detect unusual Tor traffic and connections to code repository services that do not align with expected development workflows.
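The two network checks recommended above, as an added example that is not code from the article or from Kaspersky's analysis: it flags hosts that contact the code-hosting platforms StripedFly used for delivery and updates while not being on an allowlist of developer machines, and connections to the default ports that Tor relays listen on. The log format, the allowlist names, the hostnames and every sample line are constructed for illustration.

```python
"""Triage of outbound-connection logs for the two network signals named above.

Added example, not from the article or from Kaspersky's report. It flags (1) hosts
that contact the code-hosting platforms StripedFly used for delivery and updates
without being on an allowlist of developer machines, and (2) connections to ports
that Tor relays listen on by default. The log format, the allowlist and every
sample line are constructed for illustration.
"""
from collections import defaultdict

# Hosts where traffic to code-hosting platforms is expected (assumed allowlist).
DEV_HOSTS = {"dev-ws-01", "ci-runner-02"}

# Code-hosting domains the article names as StripedFly delivery/update channels.
REPO_DOMAINS = ("bitbucket.org", "gitlab.com", "github.com", "githubusercontent.com")

# Default Tor relay ports (ORPort 9001, DirPort 9030). Relays also listen on 443,
# so a miss proves nothing; a hit is only a lead to verify against a relay list.
TOR_RELAY_PORTS = {9001, 9030}

# Constructed proxy/firewall log: timestamp src_host dst_name dst_ip dst_port bytes_out
# ("-" means no name was resolved). IPs are taken from documentation ranges.
SAMPLE_LOG = """\
2023-10-26T08:01:12Z dev-ws-01    github.com                192.0.2.10    443  51200
2023-10-26T08:02:40Z file-srv-07  bitbucket.org             192.0.2.20    443  882000
2023-10-26T08:03:05Z file-srv-07  -                         203.0.113.42  9001 4096
2023-10-26T08:04:19Z hr-pc-22     raw.githubusercontent.com 192.0.2.30    443  1200
2023-10-26T08:05:00Z ci-runner-02 gitlab.com                192.0.2.40    443  22000
2023-10-26T08:06:31Z hr-pc-22     -                         198.51.100.9  9030 2048
"""


def parse_line(line):
    """Split one whitespace-separated log line into a record."""
    ts, host, dst_name, dst_ip, port, nbytes = line.split()
    return {"ts": ts, "host": host, "dst_name": dst_name,
            "dst_ip": dst_ip, "port": int(port), "bytes": int(nbytes)}


def is_repo_destination(dst_name):
    """True if the destination is one of the code-hosting domains or a subdomain."""
    if dst_name == "-":
        return False
    name = dst_name.lower()
    return any(name == d or name.endswith("." + d) for d in REPO_DOMAINS)


def triage(log_text, dev_hosts=DEV_HOSTS):
    """Return (host, indicator, detail) tuples for every line that matches a signal."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if is_repo_destination(rec["dst_name"]) and rec["host"] not in dev_hosts:
            findings.append((rec["host"], "repo_access_outside_dev", rec["dst_name"]))
        if rec["port"] in TOR_RELAY_PORTS:
            findings.append((rec["host"], "possible_tor_relay_port",
                             f'{rec["dst_ip"]}:{rec["port"]}'))
    return findings


def rank_hosts(findings):
    """Group indicators per host; hosts showing several distinct signals sort first."""
    by_host = defaultdict(set)
    for host, indicator, _ in findings:
        by_host[host].add(indicator)
    return sorted(((h, sorted(i)) for h, i in by_host.items()),
                  key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for host, indicators in rank_hosts(triage(SAMPLE_LOG)):
        print(f"{host}: {', '.join(indicators)}")
```

In the sample, the two non-developer machines that both fetch from a code-hosting platform and talk to a relay port rank at the top, which is the combination the paragraph describes. In a real deployment the allowlist should come from the asset inventory, and relay-port matching should be replaced by a comparison against a current list of Tor relay addresses, since relays frequently listen on 443 as well.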

Endpoint detection and response solutions should be updated with the latest threat intelligence signatures from Kaspersky and other vendors who have analyzed StripedFly. Given the malware’s use of legitimate platforms for command-and-control communication, behavioral analysis and anomaly detection tools are essential complements to signature-based detection.

For cryptocurrency users specifically, the discovery of StripedFly underscores the importance of dedicated hardware wallets for storing digital assets. With Bitcoin trading at approximately $33,910 and Ethereum at $1,780, the value locked in cryptocurrency holdings makes them an attractive target for sophisticated malware operators. Hardware wallets keep private keys isolated from potentially compromised operating systems.

Lessons Learned

The StripedFly case study offers several critical takeaways for the cybersecurity community. First, initial classification matters — dismissing a threat as a simple cryptominer allowed a highly advanced persistent threat to operate unchecked for five years. Second, the use of legitimate cloud services for malware distribution represents an evolution in attacker tradecraft that traditional security tools struggle to detect. Third, the inclusion of code sequences resembling NSA-linked tools suggests a level of sophistication typically associated with nation-state actors rather than criminal enterprises.

The malware also exhibits similarities with ThunderCrypt ransomware, sharing a Tor client and modules with identical functionality, suggesting possible connections between previously unrelated threat actors. However, researchers have found no direct evidence linking StripedFly to the Equation Group despite the overlapping code patterns.

User Action Required

If you suspect your system may be infected with StripedFly, take immediate action. Run a full system scan using updated antivirus software, check for unusual scheduled tasks or registry modifications, monitor network traffic for unexpected Tor connections, and consider a complete operating system reinstall if compromise is confirmed. Cryptocurrency holders should transfer funds to hardware wallets and generate new addresses for receiving future transactions. The true purpose of StripedFly remains unclear according to researchers, but its capabilities span espionage, financial theft, and ransomware deployment — making it a threat that demands immediate attention from every computer user, particularly those involved in the cryptocurrency ecosystem.
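Checking for unusual scheduled tasks, one of the steps listed above, as an added example that is not code from the article or from Kaspersky's report: the script reads the CSV that `schtasks /query /fo CSV /v` produces on Windows (only the `TaskName`, `Author`, `Task To Run` and `Run As User` columns are used) and flags tasks showing generic persistence traits. The heuristics are general review signals, not StripedFly indicators, and every sample row is constructed.

```python
"""Heuristic review of a Windows scheduled-task export.

Added example, not from the article or Kaspersky's report. It parses the CSV that
`schtasks /query /fo CSV /v` produces (only the TaskName, Author, Task To Run and
Run As User columns are used) and flags tasks whose launch command shows generic
persistence traits: PowerShell started hidden or with an encoded command, an
executable outside the usual system or program directories, or a non-Microsoft
task running as SYSTEM. These are review heuristics, not StripedFly indicators,
and every sample row below is constructed.
"""
import csv
import io
import re

REQUIRED_COLUMNS = ("TaskName", "Author", "Task To Run", "Run As User")

# PowerShell switches commonly combined in stealthy launches (short forms included).
SUSPICIOUS_PS_ARGS = re.compile(
    r"-(?:e|enc|encodedcommand)\b"
    r"|-w(?:indowstyle)?\s+hidden"
    r"|-(?:ep|executionpolicy)\s+bypass"
    r"|-nop(?:rofile)?\b",
    re.IGNORECASE,
)

# Directories where an installer legitimately places a scheduled executable.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed export rows; the encoded payload is a placeholder, not real content.
SAMPLE_EXPORT = '''"TaskName","Author","Task To Run","Run As User"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","Microsoft Corporation","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM"
"\\Adobe Acrobat Update Task","Adobe Systems Incorporated","""C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe""","INTERACTIVE"
"\\SystemHealthCheck","","powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>","SYSTEM"
"\\UpdateHelper","","""C:\\Users\\Public\\Libraries\\svchost.exe"" /s","SYSTEM"
'''


def executable_of(command):
    """Return the program path from a Task To Run value, handling a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def normalize_path(path):
    """Lower-case the path and expand the two system-root variables schtasks emits."""
    p = path.lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, "c:\\windows")
    return p


def is_untrusted_location(exe):
    """True for an absolute path outside the trusted directories."""
    p = normalize_path(exe)
    if not p or p == "com handler":
        return False  # COM-hosted tasks carry no path to assess
    if not re.match(r"^[a-z]:\\", p):
        return False  # bare program name resolved via PATH; not assessed here
    return not p.startswith(TRUSTED_PREFIXES)


def assess_task(row):
    """Return the list of reasons a task deserves a closer look (empty if none)."""
    reasons = []
    cmd = row["Task To Run"]
    exe = executable_of(cmd)
    if "powershell" in exe.lower() and SUSPICIOUS_PS_ARGS.search(cmd):
        reasons.append("hidden_or_encoded_powershell")
    if is_untrusted_location(exe):
        reasons.append("executable_outside_trusted_dirs")
    non_microsoft = not row["TaskName"].lower().startswith("\\microsoft\\")
    if non_microsoft and row["Run As User"].strip().upper() in {"SYSTEM", "NT AUTHORITY\\SYSTEM"}:
        reasons.append("non_microsoft_task_running_as_system")
    return reasons


def triage_export(csv_text):
    """Map each flagged TaskName to its reasons; tasks with no findings are omitted."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export lacks columns: {missing}")
    flagged = {}
    for row in reader:
        reasons = assess_task(row)
        if reasons:
            flagged[row["TaskName"]] = reasons
    return flagged


if __name__ == "__main__":
    for task, reasons in triage_export(SAMPLE_EXPORT).items():
        print(f"{task}: {', '.join(reasons)}")
```

Run it against an export saved with `schtasks /query /fo CSV /v > tasks.csv` and pass the file contents to `triage_export`. The same shape of check applies to the registry autorun locations the paragraph mentions: export the Run keys, extract the executable from each value, and apply `is_untrusted_location` and the PowerShell pattern to it. Anything flagged is a lead for manual verification, not a verdict.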

Disclaimer: This article is for informational purposes only and does not constitute financial or cybersecurity advice. Always consult with qualified professionals for security and investment decisions.

8 thoughts on “StripedFly Malware Disguised as Crypto Miner Infects Over One Million Devices Worldwide”

  1. using EternalBlue in 2017 and staying undetected for 5 years is impressive from a technical standpoint. custom SMB exploit while everyone focused on WannaCry

    1. zero_day_tracer

      everyone patching eternalblue after wannacry but this thing just kept spreading. custom implementation evaded detection because signature matching was looking for the NSA variant specifically

  2. One million devices. Let that sink in. And it was dismissed as a crypto miner because the cover story was convincing enough for lazy classification.

    1. Fatima Al-Rashid

      ^ the lazy classification angle is what bothers me most. security vendors dismissed it because cryptojacking was low priority. 5 years of free rein because nobody cared enough to look deeper

  3. the Tor tunnel and custom C2 infrastructure are what separate this from your average cryptojacking malware. this was a state-grade framework

    1. ^ agree. Kaspersky did solid work here. modular malware disguised as a miner for half a decade is next level persistence

  4. five years undetected using EternalBlue, the same exploit behind WannaCry. if your org still has unpatched SMBv1 endpoints you are asking for trouble

  5. crypto miners used as cover for actual espionage payloads. StripedFly is a reminder that not every malware campaign is about stealing your wallet
