Tiggre

Category: cryptominer · Aliases: Trojan.Tiggre, CoinMiner.Tiggre, Win32/Tiggre · Sample count (EMBER 2018): 1,728 · Enrichment: documented_reference_only · Updated: 2026-07-02T07:49:34Z

Overview

Executive Summary

Tiggre (often detected as Trojan.Tiggre or CoinMiner.Tiggre) is a malicious Trojan heavily associated with unauthorized cryptocurrency mining (cryptojacking). It covertly infiltrates Windows systems and aggressively hijacks the host's CPU and GPU resources to mine cryptocurrencies (typically Monero) for the financial benefit of the attackers. Tiggre is known for its aggressive persistence mechanisms and significant impact on system performance.

Infection Vector and Technical Capabilities

Tiggre is primarily distributed through untrustworthy file-sharing networks, often bundled with pirated software, cracked games, or illegal keygens. Users unwittingly install the miner when attempting to install the pirated application. Once active, it focuses entirely on resource hijacking and stealth:

Threat Assessment

While Tiggre generally does not steal data or deploy ransomware, it severely degrades endpoint performance. The intense, continuous workload placed on the CPU/GPU causes excessive heat, significantly reduces hardware lifespan, and renders the machine practically unusable for legitimate business tasks, resulting in high IT support costs.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1496 T1547.001 T1562.001

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_TIGGRE {
    meta:
        description = "Detects Tiggre (cryptominer)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "tiggre" ascii wide nocase
        $s2 = "trojan.tiggre" ascii wide nocase
        $s3 = "coinminer.tiggre" ascii wide nocase
        $s4 = "win32/tiggre" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Tiggre Activity
id: 1e147f3cc609225a5aabe3e11d96bb8a
status: experimental
description: Detects generic indicators of the tiggre malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*tiggre*"
            - "*trojan.tiggre*"
            - "*coinminer.tiggre*"
            - "*win32/tiggre*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

Where can I learn more about tiggre?

Refer to the linked MITRE ATT&CK technique pages, which document the behaviors associated with this family.

Related Families (Category: cryptominer)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/tiggre.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.