A threat group that was responsible for extorting victims with ransomware known as VenusLocker last year has now shifted its attention to cryptocurrency mining, according to new research.

In a Dec. 20 blog post, Fortinet's FortiGuard Labs division reports that the attackers are actively mining Monero by using the miner XMRig v2.4.2 to leverage the computing power of infected machines in South Korea.

Victims are infected via phishing emails that trick them into opening a malicious attachment that's compressed in EGG archive format. On such email purports to be from a garment merchant, warning recipients that their information leaked due to a breach, while another claims that the recipient's website liable for images that were abused without consent, Fortinet reports.

“As a basic attempt to hide this resource hogging operation, the miner is executed as a remote thread under the legitimate Windows component wuapp.exe, which is executed beforehand to avoid raising suspicions,” states blog post author and threat researcher Joie Salvio. But even if this miner is discovered and subsequently terminated, the parent process establishes persistence by immediately opening it back up – meaning the parent process itself was be terminated, Fortinet explains.

Fortinet analysts conclude that the miner targets Monero, instead of Bitcoin, whose value has been surging, because the Monero mining algorithm is designed for ordinary computers, and therefore the potential pool of victims is much larger. Moreover, Monero transactions are even more anonymous than Bitcoin transactions because they use stealth addresses.