XMRig is a legitimate, open-source application that uses a system's CPU to mine the Monero cryptocurrency. Because it is freely available, criminals abuse it by installing it on victims' machines without consent to mine cryptocurrency for their own profit, a form of cryptojacking. It often runs silently in the background, consuming heavy system resources and slowing down the computer. According to PCrisk, XMRig is frequently delivered through "bundling," a deceptive distribution method in which unwanted software is installed alongside other downloads, often together with adware-type applications that show intrusive ads and collect data. XMRig is documented by Fraunhofer FKIE's Malpedia.
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
rule MALWARE_WIN_XMRIG {
meta:
description = "Detects Xmrig (cryptominer)"
author = "SystemHelpdesk Boilerplate Generator"
date = "2026-07-06"
strings:
$s1 = "xmrig" ascii wide nocase
condition:
uint16(0) == 0x5a4d and any of them
}title: Suspicious Xmrig Activity
id: 98f261bfbad2c4a220b186cab7610e68
status: experimental
description: Detects generic indicators of the xmrig malware family.
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains:
- "*xmrig*"
condition: selection
level: mediumXMRig is a legitimate, open-source program that uses a computer's CPU to mine the Monero cryptocurrency. It becomes a security concern when criminals install it on systems without the owner's consent.
Although XMRig itself is legitimate, attackers deploy it on victims' machines without permission to mine cryptocurrency for their own profit. Using someone's computer to mine without consent is known as cryptojacking.
According to PCrisk, XMRig is often spread through "bundling," where it is installed alongside other downloads. It frequently arrives together with adware-type applications that display intrusive ads and gather information.
Victims typically experience severe performance degradation, high CPU usage, loud cooling fans, and general system sluggishness due to the intense computational demands of cryptocurrency mining.
XMRig is profiled in Fraunhofer FKIE's Malpedia, and its abuse via bundling has been described in vendor analyses such as those referenced by PCrisk.
Explore other malware families in the same category:
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/xmrig.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.