LemonDuck has evolved from a Monero cryptominer into LemonCat, a Trojan that specializes in backdoor installation, credential and data theft, and malware delivery, according to the Microsoft 365 Defender Threat Intelligence Team, which explained their findings in a two-part story [1][2] on the Microsoft Security blog.

LemonDuck

Trojan.LemonDuck has always been an advanced cryptominer that is actively being updated with new exploits and obfuscation tricks. Among others, it aims to evade detection with its fileless miner. LemonDuck’s threat to enterprises is also the fact that it’s a cross-platform threat. It’s one of a few documented bot families that targets Linux systems as well as Windows devices. Trojan.LemonDuck uses several methods for the initial infection and to propagate across networks: