China hit by crypto-jacking campaign

On Wednesday, Trend Micro’s Smart Protection Network revealed a recent wave of crypto-jacking attacks against China.

The crypto-jacking campaign dubbed “PCASTLE” that was first observed on May 17th remains on-going. The majority of the campaign (92%) is targeting China, though it has been noted that no specific industry is being targeted due to the nature of the propagation methods used in the attacks.

PCASTLE uses multiple propagation methods to deliver the cryptocurrency-mining malware, including using a multilayered fireless approach which allows the malicious PowerShell scripts to download payloads and execute them in memory only.

“The final PowerShell script, which is also executed in memory, packs all the malicious routines: using an SMB exploit (EternalBlue), brute-forcing the system, employing the pass-the-hash method, and downloading payloads.”

Trend Micro wrote:

“The campaign’s operators also do not seem to care who gets affected, as long as they get infected.”

It remains unclear as to why the attackers are concentrating their activities on China-based systems, nevertheless it is clear from the campaign that fireless threats are not going to disappear anytime soon.

“In fact, we project that file-less techniques will be among the most prevalent threats used in the current landscape,” Trend Micro added.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.