Threat Actor Profile
High APT
Description

Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.(Citation: RedCanary Mockingbird May 2020)

Confidence Score: 90%
Known Aliases: Blue Mockingbird
Tags: mitre-attack, stix-2.1, intrusion-set
First Seen: Unknown
Last Updated: Unknown
Active Status: Active
Created: April 29, 2026
MITRE ATT&CK Techniques (22), listed as technique (tactic):

T1090 - Proxy (Command and Control)
T1003.001 - LSASS Memory (Credential Access)
T1027.013 - Encrypted/Encoded File (Defense Evasion)
T1036.005 - Match Legitimate Resource Name or Locat… (Defense Evasion)
T1112 - Modify Registry (Defense Evasion)
T1134 - Access Token Manipulation (Defense Evasion)
T1218.010 - Regsvr32 (Defense Evasion)
T1218.011 - Rundll32 (Defense Evasion)
T1082 - System Information Discovery (Discovery)
T1047 - Windows Management Instrumentation (Execution)
T1053.005 - Scheduled Task (Execution)
T1059.001 - PowerShell (Execution)
T1059.003 - Windows Command Shell (Execution)
T1569.002 - Service Execution (Execution)
T1496.001 - Compute Hijacking (Impact)
T1190 - Exploit Public-Facing Application (Initial Access)
T1021.001 - Remote Desktop Protocol (Lateral Movement)
T1021.002 - SMB/Windows Admin Shares (Lateral Movement)
T1543.003 - Windows Service (Persistence)
T1574.012 - COR_PROFILER (Persistence)
T1546.003 - Windows Management Instrumentation Even… (Privilege Escalation)
T1588.002 - Tool (Resource Development)
Indicators of Compromise
STIX Data
{'aliases': ['Blue Mockingbird'],
 'created': '2020-05-26T20:09:39.139Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Blue Mockingbird](https://attack.mitre.org/groups/G0108) is '
                'a cluster of observed activity involving Monero '
                'cryptocurrency-mining payloads in dynamic-link library (DLL) '
                'form on Windows systems. The earliest observed Blue '
                'Mockingbird tools were created in December 2019.(Citation: '
                'RedCanary Mockingbird May 2020)',
 'external_references': [{'external_id': 'G0108',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0108'},
                         {'description': 'Lambert, T. (2020, May 7). '
                                         'Introducing Blue Mockingbird. '
                                         'Retrieved May 26, 2020.',
                          'source_name': 'RedCanary Mockingbird May 2020',
                          'url': 'https://redcanary.com/blog/blue-mockingbird-cryptominer/'}],
 'id': 'intrusion-set--73a80fab-2aa3-48e0-a4d0-3a4828200aee',
 'modified': '2024-07-10T18:53:44.277Z',
 'name': 'Blue Mockingbird',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Tony Lambert, Red Canary'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.3'}