A cryptomining botnet that has been active since 2019 has added a likely AI-generated ransomware to its operations. New analysis by the FortiCNAPP team, part of FortiGuard Labs, has identified the first observed overlap between H2miner and Lcryx ransomware.
The investigation began after the team discovered a cluster of virtual private servers (VPS) being used to mine Monero, a cryptocurrency. During this analysis, it uncovered samples associated with H2miner campaigns first documented in 2020 that have since been updated with new configurations.
The FortiCNAPP team also identified a new variant of the Lcryx ransomware, dubbed “Lcrypt0rx.” Lcryx is a VBScript-based ransomware strain first observed in November 2024. This new variant introduces distinct techniques, including degrading system usability, UI interference and redundant embedded scripts.
FortiCNAPP said the ransomware family exhibits several unusual characteristics suggesting it may have been generated using AI. The team noted the growing adoption of large language models (LLMs) by threat actors in recent years; in this case, that reliance appears to have introduced critical flaws and illogical behavior into the script.
Multiple functions are repeated throughout the script for no clear reason, suggesting automated code generation without optimization. The ransomware also shows evidence of flawed encryption logic, redundant object creation and malformed syntax. It performs illogical actions as well, such as attempting to open encrypted files in Notepad, which has no practical function and makes no operational sense.
Even the ransom note URL contains errors. The .onion address in the ransom note (http://lcryptordecrypt7xfzq5tclm9jzpwq72uofgy2znkdsxm54zbcu2yid[.]onion) does not conform to the valid Tor address specification. It may have been a placeholder left over from a transition from v2 to v3 onion services. The antivirus-disabling functionality is also ineffective: the methods used to disable Bitdefender and Kaspersky antivirus products are incorrect and are likely LLM hallucinations.
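Analysts triaging ransom notes often sanity-check contact addresses before adding them to blocklists or reports. The following Python validator is an added example, not code from the Fortinet report; it applies the v3 onion address rules (56 base32 characters encoding a 32-byte ed25519 key, a 2-byte SHA3-256 checksum and a version byte of 3) to the defanged address quoted above, and includes a small builder so a known-good address can be constructed for comparison.

```python
import base64
import hashlib
import re
from typing import Tuple

# Address quoted in the ransom note, as reported (defanged with "[.]").
RANSOM_NOTE_ONION = "http://lcryptordecrypt7xfzq5tclm9jzpwq72uofgy2znkdsxm54zbcu2yid[.]onion"

# v3 layout: base32(PUBKEY[32] | CHECKSUM[2] | VERSION[1]) = 56 chars,
# CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
V3_LEN = 56
B32_CHARS = "abcdefghijklmnopqrstuvwxyz234567"
B32_RE = re.compile(r"^[a-z2-7]+$")


def check_onion_v3(address: str) -> Tuple[bool, str]:
    """Return (is_valid, reason) for a v3 .onion address, defanged or not."""
    host = address.strip().lower()
    for prefix in ("http://", "https://"):
        if host.startswith(prefix):
            host = host[len(prefix):]
    for suffix in ("[.]onion", ".onion"):
        if host.endswith(suffix):
            host = host[: -len(suffix)]
            break
    else:
        return False, "missing .onion suffix"
    if len(host) != V3_LEN:
        return False, f"length {len(host)}, expected {V3_LEN}"
    if not B32_RE.match(host):
        bad = "".join(sorted(set(host) - set(B32_CHARS)))
        return False, f"non-base32 characters: {bad}"
    raw = base64.b32decode(host.upper())  # 56 chars -> exactly 35 bytes, no padding
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != 3:
        return False, f"version byte {version}, expected 3"
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    if checksum != expected:
        return False, "checksum mismatch"
    return True, "valid v3 onion address"


def make_onion_v3(pubkey: bytes) -> str:
    """Build a well-formed v3 address from a 32-byte public key (test helper)."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]
    return base64.b32encode(pubkey + checksum + b"\x03").decode().lower() + ".onion"
```

Run against the reported address, the check fails on the non-base32 digit "9", which is enough to confirm the note's URL could never resolve as a real hidden service.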
The operational overlap between H2miner and Lcryx could indicate collaboration between the operators to maximize financial gain. However, there are other possible explanations for the joining of forces. H2miner operators could have developed Lcrypt0rx themselves to increase profits. Alternatively, they could be reusing Lcrypt0rx to conduct mining operations while shifting the blame.
The FortiCNAPP team concluded: “The campaign reflects a broader trend: the commodification of cybercrime, where access to prebuilt tools, LLM-generated code, and cheap infrastructure lowers the barrier to entry, enabling even low-skill actors to launch high-impact campaigns.”