A new group of hackers has been targeting vulnerable enterprise systems and using them to mine the privacy coin Monero. The group is believed to have been active since December 2019 and to have infected thousands of systems.

Security researchers from U.S. cybersecurity firm Red Canary have been monitoring the group, which they refer to as Blue Mockingbird. According to the researchers, the hackers exploit public-facing web applications that depend on Telerik UI for ASP.NET, a framework used in web development. While it accelerates the web development process, it is prone to the CVE-2019-18935 vulnerability.

Once the hackers infiltrate a system, they deploy XMRig, an open-source Monero mining tool that has proven a favorite among hackers. The malware uses a number of strategies to increase its reach and avoid removal. One of them is exploiting weakly secured Remote Desktop Protocol connections to spread internally. It also executes a malicious DLL that restores all items removed by a system's defenders.

Red Canary claims that the malware is not fully defined, with the hackers still experimenting with a few tools to find the best ones. The company further revealed to ZDNet that it doesn't have a full overview of the malware's activities.

"Like any security company, we have limited visibility into the threat landscape and no way of accurately knowing the full scope of this threat. This threat, in particular, has affected a very small percentage of the organizations whose endpoints we monitor. However, we observed roughly 1,000 infections within those organizations, and over a short amount of time," the company stated.

The researchers predict that the malware could end up infecting many other systems, especially since it targets vulnerable Telerik UI components. Many companies don't put measures in place to protect themselves from such an attack. In some cases, companies aren't even aware that their systems rely on Telerik UI components. Studies conducted by several global agencies, including the NSA, show that Telerik UI vulnerabilities are among the most exploited by cybercriminals globally.

Red Canary was able to identify two Monero addresses that the hackers use. However, due to the private nature of Monero, the researchers couldn't establish how successful the campaign has been.