Smoking Out the Rarog Cryptocurrency Mining Trojan

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community Team Member

For the past few months, Unit 42 researchers have investigated a relatively unknown coin mining Trojan that goes by the name ‘Rarog’.


Rarog has been sold on various underground forums since June 2017 and has been used by countless criminals since then. To date, Palo Alto Networks has observed roughly 2,500 unique samples, connecting to 161 different command and control (C2) servers.


Rarog has been seen primarily used to mine the Monero cryptocurrency, however, it has the capability to mine others. It comes equipped with a number of features, including providing mining statistics to users, configuring various processor loads for the running miner, the ability to infect USB devices, and the ability to load additional DLLs on the victim.

Rarog is in line with the overall trends we’ve seen regarding the rapidly increasing use of cryptocurrency miners. Additionally, Rarog provides an affordable way for new criminals to gain entry into this particular type of malware.

To date, we have confirmed over 166,000 Rarog-related infections worldwide. The majority of these occur in the Philippines, Russia, and Indonesia. While a large number of infections have been recorded by various criminals who have used this mining Trojan, we have seen very little recorded profits: the highest profits we have observed amount to roughly US $120.


The Trojan itself is likely named after a “Raróg”, a fire demon that originates in Slavic mythology and is typically represented as a fiery falcon.



Beware the Fiery Falcon !Beware the Fiery Falcon !

 Check out the UNIT 42 blog for all the specifics on this trojan !


Register or Sign-in
Top Liked Authors