Blue Mockingbird
MITRE
Type:
Unknown
Unknown
Country:
Unknown
Unknown
First seen:
Unknown
Unknown
Details:
[Blue Mockingbird](https://attack.mitre.org/groups/G0108) is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.(Citation: RedCanary Mockingbird May 2020)
MITRE ATT&CK:
View on MITRE
Techniques Used (22)
| ID | ATT&CK | Tactics |
|---|---|---|
| T1003.001 | LSASS Memory | - |
| T1021.001 | Remote Desktop Protocol | - |
| T1021.002 | SMB/Windows Admin Shares | - |
| T1027.013 | Encrypted/Encoded File | - |
| T1036.005 | Match Legitimate Resource Name or Location | - |
| T1047 | Windows Management Instrumentation | - |
| T1053.005 | Scheduled Task | - |
| T1059.001 | PowerShell | - |
| T1059.003 | Windows Command Shell | - |
| T1082 | System Information Discovery | - |
| T1090 | Proxy | - |
| T1112 | Modify Registry | - |
| T1134 | Access Token Manipulation | - |
| T1190 | Exploit Public-Facing Application | - |
| T1218.010 | Regsvr32 | - |
Related Malware (2)
Metadata
| ID: | 908 |
| Created: | 13/01/2026 17:48 |
| Updated: | 21/04/2026 16:00 |