A cryptomining trojan is malware that hijacks endpoint compute resources to mine cryptocurrency for an attacker. It typically prioritises persistence, low-visibility execution, and control-channel telemetry over data theft, which makes it financially motivated but still operationally disruptive and governance-relevant.
Expanded Definition
A cryptomining trojan is a form of malware that covertly turns victim infrastructure into an unauthorised mining workload, usually by installing a miner, maintaining persistence, and suppressing visible performance impact. Its defining feature is not data exfiltration but the covert diversion of compute, power, and cloud spend for attacker gain. In practice, it often blends commodity malware tradecraft with simple command-and-control behaviour, making it easier to deploy at scale and harder to notice until resource consumption trends become abnormal.
Within cybersecurity, the term is best understood as a workload abuse problem as much as a malware problem. The NIST Cybersecurity Framework 2.0 is useful here because it frames the need to identify assets, protect workloads, detect anomalies, and recover from compromise. Definitions vary across vendors on whether a browser-based miner, a trojanised installer, or a cloud instance hijack all qualify under the same label, so the safest interpretation is behavioural rather than packaging-based. The most common misapplication is calling any CPU spike a cryptomining trojan, which occurs when teams skip validation of persistence, mining pools, or suspicious process lineage.
Examples and Use Cases
Implementing detection for cryptomining trojans rigorously often introduces a tuning burden, requiring organisations to weigh alert fidelity against the risk of missing low-and-slow abuse.
- A workstation runs a hidden miner after a user opens a trojanised installer, and the malware re-launches through startup persistence after reboot.
- A compromised Linux server begins connecting to public mining pools, while endpoint tools show sustained CPU usage and unusual child processes.
- A cloud workload is hijacked through exposed credentials, and the attacker mines from a container until spend spikes and autoscaling hides the abuse.
- An infected VDI environment degrades user experience because the miner throttles itself during business hours and increases activity overnight.
- A security team correlates mining traffic with suspicious scheduled tasks and outbound connections, then uses guidance from MITRE ATT&CK to map persistence and command-and-control behaviours associated with the intrusion chain.
These examples show why cryptomining trojans can appear operationally “quiet” while still consuming meaningful resources and creating a foothold for follow-on activity. Security teams also use detection engineering and process tree review to separate legitimate compute workloads from malicious ones, especially in environments where mining-like behaviour can be mistaken for batch jobs or analytics pipelines.
Why It Matters for Security Teams
Cryptomining trojans matter because they turn security incidents into cost incidents, availability incidents, and governance incidents at the same time. They can mask deeper compromise, exhaust endpoint and cloud capacity, and create noisy telemetry that distracts analysts from higher-risk threats. In environments with strong identity controls, they often expose a different failure mode: stolen credentials, weak privilege boundaries, or unmanaged software installation paths that let attackers persist long enough to monetise access. For that reason, the term intersects with identity security whenever a miner is delivered through compromised accounts, abused service principals, or exposed secrets.
From a control perspective, defensive teams should align telemetry, asset ownership, and containment workflows so that abnormal resource usage triggers investigation rather than blame on “performance issues.” That operational pattern matches the broader intent of CISA guidance on disruption-aware response and hardening, even when the immediate payload is not ransomware. Organisations also benefit from tracking how miner deployments enter through OWASP guidance on abuse pathways when AI-assisted tooling or automated code generation introduces risky dependencies, although the specifics depend on the environment. Organisations typically encounter the full impact only after cloud bills, user complaints, or endpoint slowdowns force investigation, at which point cryptomining trojans become operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST AI RMF, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | DE.CM-1 | Cryptomining trojans are detected through continuous monitoring of assets and anomalous resource use. |
| OWASP Non-Human Identity Top 10 | Trojans often persist by abusing secrets and unmanaged identities tied to workloads or services. | |
| NIST AI RMF | AI systems can help detect anomalous compute abuse, but controls must manage misuse and operational risk. | |
| NIST SP 800-53 Rev 5 | SI-3 | Malicious code controls address trojanised miners and related malware payloads. |
| NIST Zero Trust (SP 800-207) | SC-7 | Zero Trust limits lateral movement and outbound abuse channels used by mining trojans. |
Monitor endpoints and cloud workloads for sustained CPU abuse, mining traffic, and suspicious process behaviour.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org