A security company has discovered a new breed of cryptojacking malware, used to secretly mine cryptocurrency on unwilling victims’ computers. Varonis Security Research came across it after being called to investigate a company that suspected it had been hacked. It then named the delinquent software Norman.

Norman mines Monero, a privacy-focused coin. It’s a popular coin to hack because crypto-sleuths can’t trace the money back to the people that stole it–thanks to its enhanced privacy features. As a result, Norman had been working quietly without anyone noticing for a year. 

“Almost every server and workstation was infected with malware,” Varonis wrote in a press release yesterday. 

Norman was equipped with advanced technology that enabled it to stay under the radar, helping the hacker to successfully infiltrate the entire company. Varonis didn’t say how much the hacker made from the heist.


Varonis guesses the initial infection, which took place over a year ago, might have originated from a French-speaking country. Some variables and functions in the code were in French, and the self-executing malware file had French comments.

Upon closer inspection, Norman is an XMRig-based cryptominer, something we’ve noticed previously has grown in popularity among the crypto-jacking community. In the first half of this year, a report from cybersecurity company Check Point said that XMRig-based crypto-miners have infected 6.3 percent of organizations worldwide. 

However, Check Point also reported that malicious crypto-miners are in decline overall, which is probably due to the closing of crypto-jacking service Coinhive back in March–leaving the throne empty for a new cryptojacking contender. Over to you, Norman. 

Stay on top of crypto news, get daily updates in your inbox.