MITRE ATT&CK Technique
Description
Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive tasks, which may impact system and/or hosted service availability. One common purpose for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001) is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for [Compute Hijacking](https://attack.mitre.org/techniques/T1496/001) and cryptocurrency mining.(Citation: CloudSploit - Unused AWS Regions) Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs) Additionally, some cryptocurrency mining malware identify then kill off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2024-09-25T13:34:30.100Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may leverage the compute resources of co-opted '
'systems to complete resource-intensive tasks, which may '
'impact system and/or hosted service availability. \n'
'\n'
'One common purpose for [Compute '
'Hijacking](https://attack.mitre.org/techniques/T1496/001) is '
'to validate transactions of cryptocurrency networks and earn '
'virtual currency. Adversaries may consume enough system '
'resources to negatively impact and/or cause affected machines '
'to become unresponsive.(Citation: Kaspersky Lazarus Under The '
'Hood Blog 2017) Servers and cloud-based systems are common '
'targets because of the high potential for available '
'resources, but user endpoint systems may also be compromised '
'and used for [Compute '
'Hijacking](https://attack.mitre.org/techniques/T1496/001) and '
'cryptocurrency mining.(Citation: CloudSploit - Unused AWS '
'Regions) Containerized environments may also be targeted due '
'to the ease of deployment via exposed APIs and the potential '
'for scaling mining activities by deploying or compromising '
'multiple containers within an environment or '
'cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend '
'Micro Exposed Docker APIs)\n'
'\n'
'Additionally, some cryptocurrency mining malware identify '
'then kill off processes for competing malware to ensure it’s '
'not competing for resources.(Citation: Trend Micro War of '
'Crypto Miners)',
'external_references': [{'external_id': 'T1496.001',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1496/001'},
{'description': 'Chen, J. et al. (2021, February 3). '
'Hildegard: New TeamTNT Cryptojacking '
'Malware Targeting Kubernetes. '
'Retrieved April 5, 2021.',
'source_name': 'Unit 42 Hildegard Malware',
'url': 'https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/'},
{'description': 'CloudSploit. (2019, June 8). The '
'Danger of Unused AWS Regions. '
'Retrieved October 8, 2019.',
'source_name': 'CloudSploit - Unused AWS Regions',
'url': 'https://medium.com/cloudsploit/the-danger-of-unused-aws-regions-af0bf1b878fc'},
{'description': 'GReAT. (2017, April 3). Lazarus '
'Under the Hood. Retrieved April 17, '
'2019.',
'source_name': 'Kaspersky Lazarus Under The Hood '
'Blog 2017',
'url': 'https://securelist.com/lazarus-under-the-hood/77908/'},
{'description': 'Oliveira, A. (2019, May 30). '
'Infected Containers Target Docker '
'via Exposed APIs. Retrieved April 6, '
'2021.',
'source_name': 'Trend Micro Exposed Docker APIs',
'url': 'https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html'},
{'description': 'Oliveira, A., Fiser, D. (2020, '
'September 10). War of Linux '
'Cryptocurrency Miners: A Battle for '
'Resources. Retrieved April 6, 2021.',
'source_name': 'Trend Micro War of Crypto Miners',
'url': 'https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html'}],
'id': 'attack-pattern--a718a0c8-5768-41a1-9958-a1cc3f995e99',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'impact'}],
'modified': '2025-04-15T22:08:46.014Z',
'name': 'Compute Hijacking',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_impact_type': ['Availability'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows', 'IaaS', 'Linux', 'macOS', 'Containers'],
'x_mitre_version': '1.0'}