Miuref

Category: click_fraud · Aliases: None known · Sample count (EMBER 2018): 7 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Trojan:Win32/Miuref (also known in the cybersecurity community as **Boaxxe**) is a massive, highly resilient botnet primarily focused on generating illicit revenue for its operators through aggressive, automated click-fraud and search engine hijacking. It silently compromises endpoints, turning them into invisible ad-clicking nodes that drain marketing budgets and artificially inflate web traffic statistics.

Understanding the Miuref Botnet
To an end-user, a Miuref infection might manifest as sluggish internet performance or unexpected search engine redirections. However, for a security operations center (SOC), the presence of Miuref indicates a compromised endpoint that is actively communicating with a known criminal infrastructure. Because click-fraud botnets are primarily financially motivated rather than destructive, they are designed to be extremely stealthy, often residing on systems for months without detection.

Execution and Click-Fraud Mechanics
Miuref is typically distributed via malvertising campaigns, exploit kits (`T1189`), or bundled with pirated software (`T1204.002`). Upon execution, it establishes persistence via the Registry Run keys or hidden Scheduled Tasks (`T1053.005`). Its core functionality involves injecting malicious DLLs into legitimate web browser processes (like `chrome.exe` or `iexplore.exe`) (`T1055.001`). Once injected, Miuref operates entirely in the background. It reaches out to its Command-and-Control (C2) server (`T1071.001`) to download lists of target URLs and advertisement banners. Using the context of the hijacked browser, it silently navigates to these URLs, simulates user clicks on the advertisements, and intercepts search queries, redirecting the user's browser to affiliate marketing pages (`T1185`) to generate revenue.

Indicators of Compromise & Impact
The primary impact is the unauthorized consumption of network bandwidth, the degradation of endpoint performance, and the endpoint's participation in large-scale advertising fraud. The most glaring IoC is a high volume of outbound HTTP/HTTPS traffic to known adware tracking domains or suspicious, low-reputation ad networks, often occurring when the user is not actively browsing. EDR alerts for DLL injection into browser processes are critical indicators.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1189Drive-by Compromise (Malvertising delivery)Initial Access
T1055.001Process Injection: Dynamic-link Library Injection (Injecting into browsers)Defense Evasion
T1185Browser Session Hijacking (Search redirection and silent clicking)Collection
T1071.001Application Layer Protocol: Web Protocols (C2 communication for ad lists)Command and Control

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_MIUREF {
    meta:
        description = "Detects Miuref (click_fraud)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "miuref" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Miuref Activity
id: 820b6b29e769599d12600489e82e9d4a
status: experimental
description: Detects generic indicators of the miuref malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*miuref*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Isolate the endpoint from the network to sever its connection to the Miuref C2 server and halt the click-fraud activity.
  2. Utilize EDR to identify and terminate the specific browser processes that have been injected with the malicious Miuref DLLs.
  3. Deploy a comprehensive malware removal tool to strip the persistence mechanisms (Registry keys/Scheduled Tasks) and delete the injected binaries.
  4. Review firewall and proxy logs to identify the C2 domains and block them enterprise-wide.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not ignore the infection simply because it isn't ransomware; compromised endpoints can be upgraded by the botmaster to deliver more severe payloads at any time.
  2. Avoid relying solely on clearing the browser cache or resetting extensions, as the infection resides at the operating system level, injecting directly into the process memory.

References & External Analysis

Related Families (Category: click_fraud)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/miuref.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.