Home/ Threat Actors/ Blue Mockingbird

🌐Blue Mockingbird

🌐 Blue Mockingbird is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 22 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0108) ↗

14Use cases

0Articles

22Techniques

0IOCs

About this actor (MITRE)

[Blue Mockingbird](https://attack.mitre.org/groups/G0108) is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.(Citation: RedCanary Mockingbird May 2020)

Known aliases

Blue Mockingbird

Top techniques

T1003.001 · LSASS Memory T1021.001 · Remote Desktop Protocol T1021.002 · SMB/Windows Admin Shares

All other tracked techniques

T1027.013 · Encrypted/Encoded File T1036.005 · Match Legitimate Resource Name or Location T1047 · Windows Management Instrumentation T1053.005 · Scheduled Task T1059.001 · PowerShell T1059.003 · Windows Command Shell T1082 · System Information Discovery T1090 · Proxy T1112 · Modify Registry T1134 · Access Token Manipulation T1190 · Exploit Public-Facing Application T1218.010 · Regsvr32 T1218.011 · Rundll32 T1496.001 · Compute Hijacking T1543.003 · Windows Service T1546.003 · Windows Management Instrumentation Event Subscription T1569.002 · Service Execution T1574.012 · COR_PROFILER T1588.002 · Tool

Detection use cases (14)

Blue Mockingbird COR_PROFILER DLL hijack persistence (Monero crypto-mining loader) AI · profile SΣ Blue Mockingbird Telerik exploit → IIS worker spawning regsvr32/wmic mining DLL AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Server / AI-agent process spawns shell or LOLBIN with public egress — post-RCE behavioural chain MITRE match Service-process parent spawns subprocess containing CLI-argument-injection tokens MITRE match Authentication not detected on admin API endpoint MITRE match AWS S3 bucket ACL / policy made public MITRE match Excessive resource consumption of third-party API MITRE match Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) MITRE match JWT authentication bypass attempt MITRE match Local File Inclusion (LFI) exploited MITRE match LSASS process access / dump (credential theft) MITRE match