News

PowerShell code installs XMRig miner

When installed and activated, the malicious extensions fetch a PowerShell script from an external source at 'https://asdf11[.]xyz/' and execute it.
XMRig code was also used in recent attacks, such as the Jenkins miner, and in the malicious campaigns dubbed RubyMiner and WaterMiner, according to an IBM X-Force Research report.
The PyLoose script is decoded and decompressed, loading a precompiled XMRig miner directly into the instance's memory using the "memfd" Linux utility, a known fileless malware technique in Linux.