Guardicore Labs has been tracking the Smominru botnet and its different variants – Hexmen and Mykings – since 2017. The attack compromises Windows machines using an EternalBlue exploit and brute-force on various services, including MS-SQL, RDP, Telnet and more. In its post-infection phase, it steals victim credentials, installs a Trojan module and a cryptominer and propagates inside the network.

In this post, Guardicore Labs provides an in-depth analysis of the attack campaign, focusing on victim analysis and attack infrastructure. Additionally, we have published a script to detect Smominru’s residues on infected machines, as well as a full list of the campaign IoCs.

Among other things, we found that many machines were reinfected even after removing Smominru. This suggests that these systems remain unpatched, and therefore vulnerable to this botnet or other similar attackers.…