Intel Name: Old miner, new tricks
Date of Scan: July 17, 2025
Impact: High
Summary: We recently investigated a cluster of VPSs used for Monero mining, linked to updated samples from past H2miner campaigns. H2miner, active since late 2019, is a crypto-mining botnet, while Lcryx (aka Lcrypt0rx) is a VBScript-based ransomware first seen in November 2024. Lcryx shows signs of AI-generated code and unusual behavior, and this is its first overlap with H2miner operations. The overlap suggests possible collaboration, tool reuse, or cross-platform targeting to boost financial gains and obscure attribution.