H2miner Resurfaces with Lcrypt0rx Ransomware
By Akshat Pradhan | July 16, 2025
Affected Platforms: Linux, Windows, Containers
Impacted Users: Any Organization
Impact: Data Encrypted for Impact, Compute Hijacking, Defacement, Sensitive data stolen.
Severity Level: Critical
The FortiCNAPP team, part of FortiGuard Labs, recently investigated a cluster of virtual private servers (VPS) used for Monero mining. The identified samples are associated with prior H2miner campaigns that we documented in 2020 and have since been updated with new configurations. H2miner is a cryptomining botnet that has been active since late 2019.
We also identified a new variant of the Lcryx ransomware, called Lcrypt0rx. Lcryx is a relatively new VBScript-based ransomware strain first observed in November 2024. This family exhibits several unusual characteristics that suggest it may have been generated using AI.
This is the first documented instance of operational overlap between H2miner and Lcryx, suggesting the following possibilities:
- A collaboration between the operators to maximize financial gain. This is plausible because the two families target different operating systems and so do not compete for the same victims.
- Development of Lcrypt0rx by H2miner operators to increase their campaign’s financial gain.
- Reuse of Lcrypt0rx by H2miner operators to conduct mining operations while shifting the blame.
Adversary Infrastructure & Tool Details
The infrastructure hosts a diverse set of samples, including several commercial tools that target multiple operating systems to maximize financial gain from a victim’s environment.
| Tool | Linux | Windows | Containers |
|---|---|---|---|
| KinSing | ✔️ | | |
| Xmrig miners | ✔️ | ✔️ | ✔️ |
| Lcrypt0rx | | ✔️ | |
| Lumma stealer | | ✔️ | |
| DCRat | | ✔️ | |
| Cobalt Strike | | ✔️ | |
| Amadey | | ✔️ | |
| RustyStealer | | ✔️ | |
| ScreenConnect | | ✔️ | |
The infrastructure uses multiple VPS providers for hosting and Command & Control.