From Scripts to Systems: A Comprehensive Look at Tangerine Turkey Operations
ID: fbdf897e-051b-5b1b-85fc-b499307718ed
STIX ID: report--fbdf897e-051b-5b1b-85fc-b499307718ed
Feed Name: Cybereason Blog
Cybereason analyzed the 'Tangerine Turkey' campaign: a USB‑propagating VBScript worm that installs XMRig for unauthorized cryptocurrency mining. The actor abuses legitimate Windows binaries (wscript.exe, printui.exe), uses DLL sideloading, scheduled tasks and a malicious service for persistence, and modifies Defender exclusions for defense evasion. The report includes detailed TTPs, IOCs (file names and SHA256 hashes) and mitigations.
