# [HIGH] Qinglong task scheduler RCE vulnerabilities exploited in the wild for cryptomining **Source:** Snyk **Published:** 2026-04-27 **Article:** https://snyk.io/blog/qinglong-task-scheduler-rce-vulnerabilities/ ## Threat Profile Snyk Blog In this article Written by Julia Kinday April 27, 2026 0 mins read In early February 2026, users of Qinglong (青龙), a popular open source timed task management platform with over 19,000 GitHub stars, began reporting that their servers were maxing out CPU usage. The cause was a cryptominer binary called .fullgc , deployed through two authentication bypass vulnerabilities that allowed unauthenticated remote code execution. The attacks went largely unnoticed in the English-speaking securi… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-3965` - **CVE:** `CVE-2026-4047` - **Domain (defanged):** `file.551911.xyz` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1053.005** — Scheduled Task - **T1071** — Application Layer Protocol - **T1204.002** — User Execution: Malicious File - **T1556** — Modify Authentication Process - **T1059.004** — Command and Scripting Interpreter: Unix Shell - **T1071.001** — Application Layer Protocol: Web Protocols - **T1105** — Ingress Tool Transfer - **T1564.001** — Hide Artifacts: Hidden Files and Directories - **T1036.005** — Masquerading: Match Legitimate Name or Location - **T1496** — Resource Hijacking ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Qinglong CVE-2026-3965 auth bypass via /open/user/init credential reset `UC_353_4` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime from datamodel=Web.Web where (Web.http_method="PUT" OR Web.http_method="POST") (Web.url="*/open/user/init*" OR Web.uri_path="*/open/user/init*") by Web.src, Web.dest, Web.url, Web.http_method, Web.http_user_agent, Web.status | `drop_dm_object_name("Web")` | eval qinglong_panel=if(match(dest_port,"5700") OR match(url,"5700"),"yes","unknown") | where status>=200 AND status<400 | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql // Defender XDR cannot observe inbound HTTP request paths to a Linux container app. // Pivot to follow-on artefact: node (qinglong) process spawning a shell that touches // the admin auth/config layer shortly after exploitation, OR the Qinglong app restarting // unexpectedly (config.sh write triggers restart per article). DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("node","node.exe","pm2","ts-node") | where InitiatingProcessCommandLine has_any ("qinglong","/ql/build","/ql/src","@whyour/qinglong") | where FileName in~ ("sh","bash","dash","ash") | where ProcessCommandLine has_any ("user/init","/open/user","config.sh","auth.db","db/auth") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName | order by Timestamp desc ``` ### Qinglong CVE-2026-4047 case-mismatch auth bypass via /aPi/system/command-run `UC_353_5` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime from datamodel=Web.Web where (Web.url="*/aPi/*" OR Web.url="*/Api/*" OR Web.url="*/aPI/*" OR Web.url="*/APi/*" OR Web.url="*/ApI/*" OR Web.url="*/API/*" OR Web.uri_path="*/aPi/*" OR Web.uri_path="*/Api/*") (Web.url="*/system/command-run*" OR Web.url="*/system/run-script*" OR Web.url="*/crons*") by Web.src, Web.dest, Web.url, Web.http_method, Web.http_user_agent, Web.status | `drop_dm_object_name("Web")` | where status>=200 AND status<400 | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql // Detects the qinglong node process spawning a shell with attacker-supplied command // when CVE-2026-4047 is exploited against /aPi/system/command-run. DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("node","node.exe","pm2","ts-node") | where InitiatingProcessCommandLine has_any ("qinglong","/ql/build","/ql/src","@whyour/qinglong") | where FileName in~ ("sh","bash","dash","ash","curl","wget") | where ProcessCommandLine has_any ("curl","wget","file.551911.xyz","/ql/data/db/.fullgc","nohup","chmod +x","$(uname","-fsSL") or ProcessCommandLine matches regex @"(?i)>\s*/dev/null\s+2>&1\s+&" | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, SHA256 | order by Timestamp desc ``` ### Qinglong cryptominer payload download from file.551911.xyz `UC_353_6` · phase: **delivery** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution.DNS where (DNS.query="file.551911.xyz" OR DNS.query="*.551911.xyz") by DNS.src, DNS.dest, DNS.query, DNS.answer | `drop_dm_object_name("DNS")` | append [ | tstats summariesonly=t count from datamodel=Endpoint.Processes where (Processes.process_name="curl" OR Processes.process_name="wget") (Processes.process="*file.551911.xyz*" OR Processes.process="*fullgc/Linux*" OR Processes.process="*fullgc/Darwin*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name("Processes")` ] | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql // DNS / network egress + curl/wget command line referencing the article's exact payload host let PayloadHost = dynamic(["file.551911.xyz",".551911.xyz"]); let NetHits = DeviceNetworkEvents | where Timestamp > ago(30d) | where RemoteUrl has_any (PayloadHost) or RemoteUrl matches regex @"(?i)file\.551911\.xyz" | project Timestamp, DeviceName, ActionType, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName; let ProcHits = DeviceProcessEvents | where Timestamp > ago(30d) | where FileName in~ ("curl","wget","fetch","aria2c") | where ProcessCommandLine has_any ("file.551911.xyz","fullgc/Linux","fullgc/Darwin","fullgc/$(uname") | project Timestamp, DeviceName, ActionType="ProcessCreated", RemoteUrl=tostring(parse_url(ProcessCommandLine).Host), RemoteIP="", RemotePort=int(null), InitiatingProcessFileName=FileName, InitiatingProcessCommandLine=ProcessCommandLine, InitiatingProcessAccountName=AccountName; union NetHits, ProcHits | order by Timestamp desc ``` ### Hidden .fullgc cryptominer binary written to /ql/data/db/ `UC_353_7` · phase: **install** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_path="/ql/data/db/.fullgc" OR Filesystem.file_name=".fullgc") by Filesystem.dest, Filesystem.user, Filesystem.file_path, Filesystem.file_name, Filesystem.process_id, Filesystem.process_name, Filesystem.action | `drop_dm_object_name("Filesystem")` | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileRenamed","FileModified") | where (FolderPath has "/ql/data/db" and FileName == ".fullgc") or FolderPath endswith "/ql/data/db/.fullgc" or FileName == ".fullgc" | project Timestamp, DeviceName, ActionType, FolderPath, FileName, SHA256, FileSize, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessParentFileName | order by Timestamp desc ``` ### Qinglong .fullgc cryptominer execution with nohup backgrounding `UC_353_8` · phase: **install** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=".fullgc" OR Processes.process="*/ql/data/db/.fullgc*" OR Processes.process="*.fullgc*nohup*" OR Processes.process="*nohup*.fullgc*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.parent_process | `drop_dm_object_name("Processes")` | eval suppressed_output=if(match(process,"(?i)>/dev/null\s+2>&1"),"yes","no") | eval backgrounded=if(match(process,"&\s*$"),"yes","no") | convert ctime(firstTime) ctime(lastTime) ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName == ".fullgc") or FolderPath endswith "/ql/data/db/.fullgc" or ProcessCommandLine has "/ql/data/db/.fullgc" or (InitiatingProcessFileName in~ ("sh","bash","dash","nohup") and ProcessCommandLine matches regex @"(?i)nohup\s+[\"']?[^\s]*\.fullgc") | extend OutputSuppressed = tostring(ProcessCommandLine) matches regex @"(?i)>\s*/dev/null\s+2>&1" | extend Backgrounded = tostring(ProcessCommandLine) matches regex @"&\s*$" | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, SHA256, MD5, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, OutputSuppressed, Backgrounded | order by Timestamp desc ``` ### Scheduled task created with suspicious image / encoded args `UC_SCHEDULED_TASK` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="schtasks.exe" AND Processes.process="*/create*" AND (Processes.process="*powershell*" OR Processes.process="*cmd.exe*" OR Processes.process="*rundll32*" OR Processes.process="*-enc*" OR Processes.process="*FromBase64*" OR Processes.process="*\Users\Public*" OR Processes.process="*\AppData\*") by Processes.dest, Processes.user, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName =~ "schtasks.exe" | where ProcessCommandLine has "/create" | where ProcessCommandLine has_any ("powershell","cmd.exe","rundll32","-enc","FromBase64","\Users\Public","\AppData\") | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName ``` ### Article-specific behavioural hunt — Qinglong task scheduler RCE vulnerabilities exploited in the wild for cryptomini `UC_353_3` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — Qinglong task scheduler RCE vulnerabilities exploited in the wild for cryptomini ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("express.js","next.js","config.sh")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/dev/null*" OR Filesystem.file_name IN ("express.js","next.js","config.sh")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — Qinglong task scheduler RCE vulnerabilities exploited in the wild for cryptomini // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("express.js", "next.js", "config.sh")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/dev/null") or FileName in~ ("express.js", "next.js", "config.sh")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-3965`, `CVE-2026-4047` - **Network connections to article IPs / domains** ([template](../_TEMPLATES.md#network-ioc)) — phase: **c2**, confidence: **High** - IP / domain IOC(s): `file.551911.xyz` ## Why this matters Severity classified as **HIGH** based on: CVE present, IOCs present, 9 use case(s) fired, 11 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.