vega-cryptojacking — dev server XMRig miner
Vega Cloud Hosting dev server vega-dev-01 spiked to 98% CPU after a compromised npm postinstall dropped XMRig with svchost-spawned PowerShell persistence. Stratum traffic to 198.51.100.77:3333 every ~60s plus pool DNS lookups. Fully synthetic.
what this proves
- all eight cryptojacking primary engines produce deterministic, fixture-locked output — verified by
npm run check:flagship(280/280 fleet · 8 for this scenario). - every output is generated 100% locally in your browser — export memory dumps and logs, never upload host data.
- svchost → powershell → xmrig process chain, in-memory XMRig config, stratum beacon to 198.51.100.77:3333, and pool DNS lookups surface without sending evidence to a server.
primary engines locked to this fixture
build the case binder
runs all eight primary engines on the synthetic evidence zip and opens a self-contained html binder. uses the default binder renderer for cryptojacking — no upload.
runs all 8 primary engines locally on the synthetic evidence zip · opens a self-contained html binder · no upload
download the synthetic evidence
MIT-licensed, fully synthetic. includes memory dumps with EPROCESS tags, carved miner artifacts, pool beacon flows, firewall connection log, and DNS resolver log.
built deterministically from scripts/fixtures/build-vega-cryptojacking.mjs. seed: vega-cryptojacking:v1.
methodology
process tree first — svchost → powershell → xmrig is the tell. then memory carve, entropy, in-memory config, and stratum beaconing before reboot destroys the only copy of the miner. read the full cryptojacking guide →
after the playbook
run each primary locally — or export findings from the binder — then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted timeline across svchost spawn chain, xmrig memory carve, entropy spikes, and stratum beaconing — still zero upload.