
Tangerine Turkey mines cryptocurrency in global campaign

Named by Red Canary, Tangerine Turkey is a VBscript worm delivered via USB that ultimately drops a cryptomining payload

Stef Rand

Editors’ note: This blog was updated on January 30, 2025 to include additional technical details and indicators of compromise. 

Tangerine Turkey is Red Canary’s name for a Visual Basic Script (VBscript) worm that delivers a cryptomining payload. We first observed this activity in November 2024 (hence the choice of “turkey” for our typical color + bird naming convention). In December 2024, Tangerine Turkey cracked our top 10 threat rankings at #8, which we cover in our January 2025 Intelligence Insights. Our research into the activity cluster revealed a connection to a widespread—albeit relatively under-reported—cryptocurrency mining campaign that is still going strong, possibly with new malware variants.

What is Tangerine Turkey?

Delivered via USB, the Tangerine Turkey worm uses a printui dynamic link library (DLL) hijack to deliver cryptomining malware. The Red Canary Intelligence team has observed the following execution chain:

  • A VBscript file executed from a folder named rootdir on a USB; the filename begins with an x followed by six random digits, for example: WScript.exe "D:\rootdir\x644291.vbs"
  • A BAT file with similar naming convention to the VBscript file, executed via a CMD child process from wscript, for example: cmd.exe /c "D:\rootdir\x138621.bat"
  • Creation of a folder named C:\Windows \System32 (note the space between Windows and \System32, which makes this a different directory from the real C:\Windows\System32)
  • Use of xcopy to copy the legitimate printui.exe binary from the legitimate C:\Windows\System32 into the newly created malicious C:\Windows \System32 directory
  • DAT and printui.dll files created in C:\Windows \System32 to be used for DLL side-loading

Connecting Tangerine Turkey to a worldwide campaign

The details above are as far in the execution chain as we have directly observed. In our initial research we found a reference to malware matching Tangerine Turkey from February 2024. A post on a Turkish-language tech forum documented some of the above activity after inserting a USB they’d used in a copier at a “stationary store.” Then in early December 2024, Quick Heal published an article describing very similar activity they called “Zephyr Miner” that ultimately resulted in Zephyr cryptocurrency mining—a stablecoin cryptocurrency created in 2023. Quick Heal describes four variants in their article based on the initial execution method. The first is via VBscript, which is consistent with what we have observed. We have not seen the other three variants they describe: BAT; PowerShell; and PE format execution with an initial EXE or DLL.

XMRig payloads

As we continued our research, we noticed that VirusTotal samples of Tangerine Turkey binaries inconsistently—but not infrequently—returned results matching XMRig rules on VT and in public sandboxes. After digging into samples like this one, with malware analysis from our own Tony Lambert, it appears that at least some Tangerine Turkey printui.dll files eventually drop XMRig to use as their mining software.

XMRig requires operators to provide configuration details, and in our studied samples we didn’t see obvious config files created or dropped in Tangerine Turkey’s behavior chain. As we researched the different pieces of printui.dll, we pivoted to its network connections and started looking up details on the domains and IP addresses it contacted. The Google results in the details for rootunvdwl[.]com caught our eye, specifically a report from the Republic of Azerbaijan CERT’s Malware Research Lab.

Possible overlaps with the Universal Mining operation

Azerbaijan’s CERT previously uncovered and shared details of a large-scale international cryptocurrency mining operation that they called “Universal Mining” in October 2024. The cryptomining operation is spread by USB drives and uses VBscript files for the initial execution phase followed by behavior that strongly overlaps—and in many aspects is identical to—Tangerine Turkey. During their research, they discovered that the malware writes a legitimate PostgreSQL client library to disk as a DLL.

Here is an excerpt translated from the report with more details:

“The interface, written in the C programming language, allows the programmer to connect to and manage a PostgreSQL database located on a remote server through this library. The malware uses a database to store information about the infected computer and to obtain the information needed to configure itself (the miner). During the analysis process, we were given the Pqconnectdb function used by the malware. This allowed us to obtain extremely valuable information. After obtaining the encrypted PostgreSQL server login credentials, we were able to connect to the malware’s database and extract critical information.”

The information they extracted included victim identification details that helped them scope the scale of the operation. In the report summary on the CERT’s blog, as of October 21, 2024, the Universal Mining operation had infected 270,741 computers in 135 countries. In response to the Azerbaijan CERT’s report, security researcher Will Thomas (aka “BushidoToken”) created YARA and Sigma rules for what he calls “UniversalMiner” and mapped the tactics, techniques, and procedures (TTPs). He ran a VT retrohunt with his YARA rule in late November 2024 and uncovered 600 samples of the malware at that time. To add to that, the Zephyr Miner Malware collection on VirusTotal based on Quick Heal’s article currently has 178 files in the collection, more evidence that this activity is widespread.

UPDATE: GitHub repositories and remote resource IOCs

As we mentioned earlier, XMRig requires configuration details to successfully execute. These files are typically in JSON format and installed alongside XMRig binaries, but we didn’t see any evidence of JSON file creation when we were investigating Tangerine Turkey. After additional analysis, we discovered what Azerbaijan’s CERT had already uncovered: Tangerine Turkey’s operators pull down miner configuration files from remote resources.

Some of the configuration data is stored in an adversary-controlled PostgreSQL database, as described in the CERT’s report.

Some configuration data is stored on adversary websites, including:

  • rootunv[.]com
  • rootunvdwl[.]com
  • rootuniversal[.]com
  • unvdwl[.]com
  • unvdwx[.]com
  • unvrcvx[.]com
  • rundwl[.]com

Additionally, configuration files are also stored on public GitHub repositories. Azerbaijan’s CERT found and reported the GitHub profile rootunv in October 2024 as part of their investigation into the Universal Mining Operation, and it was taken down.

Additional profiles we assess to be related to Tangerine Turkey that appear to also have been taken down prior to our investigation include:

  • unvd01
  • panchito10
  • panchitopistolesx
  • rootbossko

As part of Red Canary’s investigation, we reported additional GitHub profiles with repositories we assess to be related to Tangerine Turkey activity, and are happy to share that at this time it appears they have been taken down:

  • unvdwl
  • runvd01
  • unvcosmos
  • rootunvbot
  • unvdwx
  • rmonero

Take action

We will continue our research, and since this activity is so widespread we would be interested to hear from other researchers who may also be tracking it under different names.

We were first alerted to Tangerine Turkey’s activity due to their use of printui.exe in a suspicious location, presenting a detection opportunity.

Detection opportunity: printui.exe relocated to a suspicious location

This pseudo detection analytic identifies instances of printui.exe relocated outside of Windows\System32. Relocation of this binary outside of System32 is highly unusual, although third-party system administration tools may occasionally use a relocated and/or renamed copy of the binary. Vulnerable DLLs like printui.dll can be abused by threats like Tangerine Turkey for DLL search order hijacking and side-loading. Here at Red Canary we have profiled System32 binaries, collected and stored their expected metadata, and used the information to build detection analytics. We published a blog sharing how you can do the same.

process_path_is_unexpected == (printui)

* See this blog for more details on how to create these types of detection analytics
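The following Python script is an added example written for this post; it is not Red Canary’s detection code and does not come from any of the reports cited above. It turns the execution chain listed under “What is Tangerine Turkey?” and the printui.exe detection opportunity above into three checks that run over constructed process and directory-creation events: a script host or cmd.exe handed an x<six digits>.vbs/.bat file from a drive-root rootdir folder, creation of the look-alike “C:\Windows \System32” directory, and printui.exe running from any directory other than the real System32/SysWOW64. The event field names (image, cmdline, path), the expected-directory list, and the sample events are assumptions for illustration; the key design point is that the printui check compares the exact parent directory rather than doing a substring match, since “C:\Windows \System32\printui.exe” still contains “System32\printui.exe” and would pass a naive check.

```python
import re

# Directories where printui.exe legitimately lives on a default install
# (assumption: %SystemRoot% is C:\Windows; adjust if your fleet differs).
EXPECTED_PRINTUI_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Script hosts whose arguments we inspect for the worm's naming convention.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}

# <drive>:\rootdir\x<six digits>.vbs or .bat, as described in the write-up.
ROOTDIR_SCRIPT = re.compile(r"^[a-z]:\\rootdir\\x\d{6}\.(vbs|bat)$", re.IGNORECASE)

# "C:\Windows \System32": whitespace between Windows and \System32 is the tell.
LOOKALIKE_SYSTEM32 = re.compile(r"^[a-z]:\\windows\s+\\system32(\\|$)", re.IGNORECASE)


def split_path(path: str):
    """Return (parent_dir, file_name), lower-cased with forward slashes normalised.
    Whitespace is deliberately preserved so the trailing-space directory stays
    distinct from the real System32."""
    norm = path.replace("/", "\\").lower()
    parent, _, name = norm.rpartition("\\")
    return parent, name


def cmdline_args(cmdline: str):
    """Tokenise a command line, honouring double quotes (assumption: no escaped
    quotes, which is enough for process telemetry like the samples below)."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def printui_relocated(image: str) -> bool:
    """True when printui.exe runs from anywhere other than its expected directories.
    Exact parent-directory comparison, not a substring check."""
    parent, name = split_path(image)
    return name == "printui.exe" and parent not in EXPECTED_PRINTUI_DIRS


def rootdir_script_launch(image: str, cmdline: str) -> bool:
    """True when a script host or cmd.exe is handed an x<6 digits>.vbs/.bat file
    from a rootdir folder at the root of a drive."""
    _, name = split_path(image)
    if name not in SCRIPT_HOSTS:
        return False
    return any(ROOTDIR_SCRIPT.match(arg) for arg in cmdline_args(cmdline))


def lookalike_system32_dir(path: str) -> bool:
    """True for the worm's look-alike System32 directory (or anything under it)."""
    return LOOKALIKE_SYSTEM32.match(path.replace("/", "\\")) is not None


# Constructed telemetry in the style of the write-up's examples; events 5 and 6
# are benign controls. (Sample data, not captured from a real host.)
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'WScript.exe "D:\rootdir\x644291.vbs"'},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "D:\rootdir\x138621.bat"'},
    {"id": 3, "type": "dir_create", "path": r"C:\Windows \System32"},
    {"id": 4, "type": "process", "image": r"C:\Windows \System32\printui.exe",
     "cmdline": "printui.exe"},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\printui.exe",
     "cmdline": "printui.exe /s"},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Scripts\logon.vbs"'},
]


def triage(events):
    """Run every check over a list of events; return (event id, reason) for hits."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            if rootdir_script_launch(ev["image"], ev["cmdline"]):
                hits.append((ev["id"], "rootdir worm script passed to a script host"))
            if printui_relocated(ev["image"]):
                hits.append((ev["id"], "printui.exe running outside System32/SysWOW64"))
        elif ev["type"] == "dir_create" and lookalike_system32_dir(ev["path"]):
            hits.append((ev["id"], "look-alike Windows \\System32 directory created"))
    return hits


if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Against the sample events, events 1 through 4 are flagged and the two benign controls are not. The printui check is the one most worth keeping exact: because a third-party administration tool may legitimately ship a relocated copy, treat hits as a triage lead to be enriched with the binary’s signature and the parent process, rather than as a standalone verdict.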