News

PowerShell code installs XMRig miner
When installed and activated, the malicious extensions fetch a PowerShell script from an external source at 'https://asdf11[.]xyz/' and execute it.
XMRig code was also used in recent attacks, such as the Jenkins miner, as well as in malicious campaigns dubbed RubyMiner and WaterMiner, according to an IBM X-Force Research report.
Once it manages to compromise one of the targeted servers, it will deploy the loader script (ld.sh for Linux and ld.ps1 for Windows) that drops both the XMRig miner and the Golang-based worm binary.