On the radar: Weeding out XMRig
ID: 5523eeab-a37d-541b-bb5d-b0a0d39aac7b
STIX ID: report--5523eeab-a37d-541b-bb5d-b0a0d39aac7b
Feed Name: Expel Blog
**TL;DR** Attackers are deploying the XMRig Monero miner across endpoints, cloud instances, and Kubernetes clusters, gaining access through varied methods: exploitation of CVE-2025-55182 and CVE-2025-66478, compromised credentials, SSH brute force, and commodity malware. The report outlines detection signals (connections to mining pools, unusual encrypted traffic, sustained high CPU usage, and unexpected scheduled tasks, cron jobs, or startup items) and mitigation recommendations (pod security policies, AWS GuardDuty, and runtime monitoring).
