eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
During mid-May 2025, eSentire's Threat Response Unit (TRU) identified active exploitation of a critical security flaw (CVE-2025-4632) within Samsung MagicINFO 9 Server installations. This vulnerability enables unauthenticated malicious actors to write arbitrary files, including webshells, with system-level privileges.
This can be leveraged to achieve complete Remote Code Execution (RCE) capabilities on affected systems, providing unauthorized initial access to compromised servers. TRU observed the following activity as the attack progressed.
Figure 1 – CVE-2025-4632 exploitation led to process execution with SYSTEM privileges
1. Initial Access: Threat actors leveraged CVE-2025-4632 to gain Remote Code Execution (RCE) capabilities on vulnerable systems.
2. Attack Progression:
Automated commands were deployed to establish persistence
Endpoint security measures were circumvented
AnyDesk remote management tool was installed for remote control
3. Cryptomining Deployment:
A variant of the XMRig cryptocurrency miner was installed
The malware was disguised as "smi2.exe"
The purpose was unauthorized Monero (XMR) mining
4. Technical Methods:
Utilized both PowerShell and batch scripts
Employed sophisticated Windows utility manipulation
Implemented multiple fallback mechanisms to ensure successful payload delivery and execution
In this TRU Positive, we provide a timeline, technical analysis of the attacker's toolset (including decoded scripts), and recommendations on how your organization can detect, and prevent, these threats.
Initial Access
The attack began with the exploitation of a critical vulnerability in Samsung MagicINFO 9 Server (CVE-2025-4632), which allows unauthenticated attackers to execute arbitrary commands on affected systems. This vulnerability is actively exploited in the wild, with public exploit code available, and has a CVSS score of 9.8, highlighting its high severity.
Telemetry shows that the legitimate process tomcat9.exe, associated with the MagicINFO application, was running since May 7, 2025. However, the first signs of malicious activity were observed on May 15, 2025.
The attack sequence was highly automated, with all initial commands executed within a two-minute window, indicating the use of scripted exploitation rather than manual intrusion.
Figure 2 – Process execution timeline
The attack began with a reconnaissance command (included below) to probe the target system for potential existing compromise. The command uses the LOLBin tasklist to search for processes matching smi2.exe - their XMRig cryptomining payload. This initial check suggests a methodical approach, determining whether the system was already infected or actively mining cryptocurrency from a previous breach before proceeding with their attack sequence.
Privilege Escalation and Persistence
The next observed command was a multi-stage PowerShell command executed via cmd.exe, which performed several critical actions:
User Account Creation:
The script created a new local user account “samsungmid” with administrative privileges and a non-expiring password “Samsungmi@1234”. The account was added to both the Administrators (S-1-5-32-544) and Remote Desktop Users (S-1-5-32-555) groups, facilitating privileged and RDP access.
Defender Exclusions:
The attacker added the %TEMP% and %MAGICINFO_PREMIUM_HOME% directories to Microsoft Defender’s exclusion lists, effectively disabling antivirus scanning in directories used for staging and payload execution.
AnyDesk Deployment:
The script downloaded the AnyDesk RMM tool from its official website and installed it silently into the directory C:\Windows\AD and configured it to start with Windows/auto-update.
Execution of AnyDesk:
The attacker then executed AnyDesk, retrieved the installation ID, and configured a new profile with extensive capabilities, including audio input, clipboard, file manager, VPN, and session recording, among others.
The full command, as observed in telemetry, can be seen in Figure 2.
Hands-on Activity
Approximately 1.5 days later, on May 17th, the threat actor(s) returned and executed additional commands to reinforce persistence, create additional privileged accounts, and manipulate local groups. Commands included use of net user and net localgroup to add accounts to “Administrators” and “Remote Desktop Users” groups:
Figure 3 – Hands-on activity
Payload Delivery: Cryptominer Deployment
The attacker utilized both PowerShell (win.ps1) and batch scripts (win.bat) to download and execute XMRig, a Monero crypto-currency miner and dependencies. The scripts additionally employed multiple fallback mechanisms, including PowerShell, certutil, and curl, to ensure successful payload delivery even if some utilities were disabled or blocked.
The scripts were downloaded from 157.230.106[.]100 and crmmr[.]icc[.]me as can be seen below,
The scripts were observed to be heavily parameterized, with environmental variables and multiple fallback mechanisms for payload delivery. This approach demonstrates the attacker’s resilience and adaptability in ensuring the cryptominer was delivered and executed regardless of environmental constraints.
Win.bat and Win.ps1 Analysis
The batch script (win.bat) is responsible for orchestrating the download and execution of the cryptominer payload. It sets up various variables, including the command-and-control (C2) server address, payload names, and download tools. The script checks for the presence of the mining process (smi2.exe) and, if not found, proceeds to download and execute the payload using curl or certutil, depending on what is available on the host.
Key functions of win.bat include:
Setting up variables for flexibility and obfuscation
Checking for an existing mining process to avoid redundant infection
Downloading the miner payload from the attacker’s C2 infrastructure
Executing the miner with appropriate arguments
Ensuring persistence and potential re-execution upon reboot or process termination
The PowerShell script (win.ps1) complements the batch file by providing an alternative method for payload delivery and execution. It is invoked when PowerShell is available and not restricted by policy. The script typically downloads the miner payload using .NET WebClient or other available methods and executes it with specified arguments.
Both scripts are designed to evade detection by:
Using legitimate Windows utilities (certutil, curl, PowerShell)
Adding directories to Defender exclusion lists
Running under the context of newly created privileged accounts
Employing silent and background execution flags
Figure 5 – Process Tree displaying payload downloads
Figure 6 – win.bat script leveraging LOLBINs
Cryptominer (smi2.exe / XMRig) Deployment
The final stage of the attack involved the installation and execution of XMRig, an open-source Monero miner, renamed as smi2.exe to evade detection. The miner was configured to use system resources for illicit cryptocurrency mining, leading to potential performance degradation and increased operational costs for the victim organization.
The attacker’s scripts ensured that the miner would be relaunched if terminated, and that it would not be detected by endpoint security due to the previously configured Defender exclusions.
Figure 7 shows the screenshot of the dropped configuration file. The XMRig configuration file indicates a persistent and stealthy cryptocurrency mining setup targeting Monero.
It defines multiple mining pool endpoints across various ports (80, 88, 443, 8000, and 4443) on two different IP addresses (173.249.48[.]227 and 185.213.26[.]27), suggesting both redundancy and an attempt to evade detection by blending into legitimate traffic patterns via standard and non-standard ports.
The miner is configured to run silently in the background with autosave enabled, and no log file specified, reducing its footprints. This setup is typical of illicit cryptojacking campaigns focused on stealth, performance, and thus profits.
Figure 7 – XMRig configuration file config.json
AnyDesk RMM Tool Abuse
During our investigation, we observed the threat actor deploying and executing AnyDesk on the compromised host, with extensive configuration via command-line arguments to enable advanced remote access features and ensure persistence. AnyDesk is a widely used remote desktop application designed for legitimate remote administration and support.
This configuration enables the attacker to remotely access the system, transfer files, share clipboard content, record sessions, and block user input, among other capabilities. The use of AnyDesk, a legitimate tool commonly found in enterprise environments, helps the threat actor(s) evade detection and maintain persistent access to compromised systems.
Provided guided remediation and support to the customer.
What can you learn from this TRU Positive?
Threat actors continue to leverage known recently released vulnerabilities to gain initial access.
Highlights how threat actors use automated scripts to rapidly deploy tools, create persistence, and bypass security controls within minutes of exploitation.
Highlights how threat actors abuse legitimate, signed binaries and remote management tools (RMM) to establish persistence and evade trust-based security controls in enterprise environments.
Reveals that while attackers deploy EDR evasion techniques including disabling Defender and attempting driver-based bypasses, strong endpoint defenses and monitoring can still block critical stages of an attack.
Recommendations from the Threat Response Unit (TRU):
Keep critical systems up-to-date with security patches and conduct regular vulnerability assessments to identify potential security gaps.
Confirm that Samsung MagicINFO 9 Server is running version 21.1052.0 or later to ensure protection against CVE-2025-4632.
Monitor and restrict the use and installation of remote administration tools.
Monitor for suspicious RDP connections and unauthorized privileged account creation.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
