Recently, a large organization with many locations decided to take us up on our free 30-day trial to see if we would find anything their current cybersecurity stack missed. While they were interested in our Managed Detection and Response (MDR) service, they didn’t expect us to find anything.

The plan was to install our agent on various systems in multiple locations during the trial period to confirm the ease of deployment and evaluate our services. Within hours, we discovered the ‘Lemon Duck’ crypto mining software.

LemonDuck attack chain

LemonDuck attack chain from the Duck and Cat infrastructures (Source: Microsoft Corporation)


As they onboarded additional computers and servers, we found more and more instances of Lemon Duck. It had disabled their anti-virus, bypassed their other cybersecurity solutions, and spread through their network to infect about 25% of their devices.

We believe the infection started at least two years prior. While we can’t prove when this all started exactly, some URLs referenced in the malicious code matched a two-year-old campaign by Lemon Duck, giving us an approximate timeline.

This is the business equivalent of going to the doctor for a routine checkup and finding out you have cancer.

It’s not uncommon for us to find red flags within the first week, once we monitor a significant number of user devices. Thankfully, it’s not usually this severe. We frequently find misconfigurations, PUPs, software versioning issues, and policy violations (lots of folks are playing games on corporate devices!).

But unfortunately, sometimes we do find much bigger problems.

In addition to stealing credentials, removing security controls, and spreading across a network, Lemon Duck will also slow down computers and increase electricity costs. At that level of infection, anything could have been done, including selling access to the highest ransomware bidder.

We get it. No one likes going to the doctor.

But the longer you put it off, the higher the odds that there will be something wrong. And the harder it will be to fix.


CYDEF’s Unique Approach to Cybersecurity

Our patented SMART-Monitor technology and managed services finds things our competitors don’t because we have a truly unique approach to finding anomalies.

We’re not dependent on any knowledge of existing threats. And we’re not trying to predict what cyber criminals will do next.

We collect essential information about what’s happening on your laptops, workstations, and servers (“endpoints”), and send the data to our cloud for processing.

We then confirm if the activity is expected and authorized in a business environment. All new or unexpected activities are investigated by our analysts and classified as either malicious or approved.

There’s no guessing. It’s either safe or it needs investigating. We leave no stone unturned.

You need someone you trust on your side

We are dedicated to defending your business, and to do so we not only monitor for security issues, but also for operational issues that could impact our service. We ensure our agent functions as designed and we perform maintenance and updates as needed. When’s the last time your team had the time to look at their management consoles to see if everything’s OK?

Not sure how your business is doing?

Take us up on our 30-day free trial by answering a few questions on our sign-up page.  Install our software on as many endpoints as you like. There’s no commitment on your end — we don’t even require a credit card.

Stop wondering about what might have infiltrated your system and sign up for your free trial today!