Xmrig

Category: cryptominer · Aliases: None known · Sample count (EMBER 2018): 248 · Enrichment: curated_sourced · Updated: 2026-06-11

Overview

XMRig is a legitimate, open-source application that uses a system's CPU to mine the Monero cryptocurrency. Because it is freely available, criminals abuse it by installing it on victims' machines without consent to mine cryptocurrency for their own profit, a form of cryptojacking. It often runs silently in the background, consuming heavy system resources and slowing down the computer. According to PCrisk, XMRig is frequently delivered through "bundling," a deceptive distribution method in which unwanted software is installed alongside other downloads, often together with adware-type applications that show intrusive ads and collect data. XMRig is documented by Fraunhofer FKIE's Malpedia.

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_XMRIG {
    meta:
        description = "Detects Xmrig (cryptominer)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "xmrig" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Xmrig Activity
id: 98f261bfbad2c4a220b186cab7610e68
status: experimental
description: Detects generic indicators of the xmrig malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*xmrig*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

What is XMRig?

XMRig is a legitimate, open-source program that uses a computer's CPU to mine the Monero cryptocurrency. It becomes a security concern when criminals install it on systems without the owner's consent.

Why is XMRig considered malicious in some cases?

Although XMRig itself is legitimate, attackers deploy it on victims' machines without permission to mine cryptocurrency for their own profit. Using someone's computer to mine without consent is known as cryptojacking.

How does unwanted XMRig get installed?

According to PCrisk, XMRig is often spread through "bundling," where it is installed alongside other downloads. It frequently arrives together with adware-type applications that display intrusive ads and gather information.

What are the symptoms of an XMRig infection?

Victims typically experience severe performance degradation, high CPU usage, loud cooling fans, and general system sluggishness due to the intense computational demands of cryptocurrency mining.

What sources document XMRig?

XMRig is profiled in Fraunhofer FKIE's Malpedia, and its abuse via bundling has been described in vendor analyses such as those referenced by PCrisk.

Related Families (Category: cryptominer)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/xmrig.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.