[PenguinCoder]

This activity is steps above a normal botnet or threat actor such as standard ransomware operators. Not only living off the land, but taking care to blend in to the device/environment, not just dropping a randomly named blob. They show a narrow focus of targeting, awareness for evasion, and skill at maintaining persistence. This level of sophistication is not normal, for normal incidents.

[daniel-cussen]

I bet sometimes they kick out bots that are competing for resources. Or at least scan for the other bots and carve it out, otherwise when there's two that's when they both start mining full blast, they each try to cash in the crypto keys on the computer before the other one does, and the user gets around to reinstalling the OS because his computer is unusable.

[xemdetia]

Based on the places where they were putting their threats I doubt mining was their goal. It sounds more that they were spelunking in case they wanted to ransomware and/or just wanting the information in a straightforward way. I wonder if also they were just using these servers as a foothold to attack something else. If you are mixing your traffic among an org's business presence it would be difficult to chase as a hop.

[ghostbrainalpha]

Ya, this definitely wasn't about mining.

There isn't much info to go on, but it almost sounds like they were after the type of financial data that would be useful for insider trading.

[flutas]

Based on the article they were targeting Office 365 on prem email instances for market mover events (acquisitions, new clients, etc)

[girvo]

It honestly sounds like state-sponsored (or at least extremely competent) corporate espionage. To what end, I do not know. Wild.