Malicious USB Drives with VictoryGate Botnet Intended For Crypto-mining

'VictoryGate' Botnet Infected 35,000 Devices via USB Drives

27 April Kathmandu, 2020

An undocumented botnet “VictoryGate” has been active since May 2019. This botnet has infected systems mainly from Latin America. Peru has been most affected where over 90% of the compromised devices are located.

ESET, a cybersecurity researcher on Thursday informed that they took down a portion of the malware botnet. This botnet comprises at least 35,000 compromised devices. Most of the devices have been affected due to the use of removable devices specifically USB drives.

How does this botnet affect?

ESET describes the main activity of the botnet is mining Monero cryptocurrency. Miners have to confirm the transactions of cryptocurrency in the network. They are an important part of the transaction of cryptocurrency.

The botnet has not just affected individual users but has also made organizations its victims. Organizations, both public and private sectors, including financial institutions have been affected by the botnet.

According to ESET researchers, VictoryGate propagates via USB drives. These devices, when connected to the machine, install a malicious payload into the system.

The malicious code affects the device by using a very high resource of the device. The malicious code uses available threads to perform crypto mining. This results in a 90-99% CPU load which slows down the devices. It can cause overheating and possible system damage internally or in some cases externally as well.

They stated that according to the estimation of an average hash rate of 150H/s, the authors of the campaign have collected at least 80 Monero from this botnet. This amount is approximately $6000.


Cryptocurrency is like a digital form of currency. The asset designed to work as a medium of exchange that uses strong cryptography to secure financial transactions. It has become most popular at the time that it has ever been.

Monero is an open-source cryptocurrency with the CryptoNight Hash function. It was created in April 2014 and is popular in the digital world. The botnet has been crypto-mining this cryptocurrency.

More About Cryptocurrency:

Cryptocurrency Mining

Cryptocurrency Mining or also known as crypto mining is a process in which transactions for various forms of cryptocurrency are verified. Then they are added to the blockchain digital ledger. These blockchain serves to confirm transactions to the rest of the network while the transactions are taking place.

What is being done to monitor the botnet?

ESET in their press release informed that they are working with dynamic DNS provider No-IP to take down the malicious command-and-control (C2) servers. They have also set up fake domains to monitor the botnet’s activity.

In the ESET press release, they mentioned that the researchers have been “sinkholing” several domain names that control the botnet’s actions. Then replacing it with machines that do not send the affected computers the commands they expect. These are used to monitor botnet activity.

The sinkhole data from February to March 2020 shows that upto nearly 3,500 infected computers connected to the C2 servers on a daily basis.

What now?

ESET warns of more new infections that could occur in the future with USB drives being used as a propagation vector. The bot won’t receive secondary payload with a significant chunk of C2 infrastructure sinkhole. However, those that were compromised before the C2 servers were shut down would continue to mine cryptocurrency.


Please enter your comment!
Please enter your name here