A first-stage malware loader spotted in active campaigns has added additional exploits and a new backdoor capability. A new version of a known malware campaign aimed at installing cryptominers has changed up its tactics, adding attacks on Windows servers and a new pool of exploits to its bag of tricks. It is also swiftly evolving to position itself as a backdoor for downloading future, more damaging malware, researchers said. The malware itself was first uncovered about a year ago, and is a loader that spreads as a worm, searching and infecting other vulnerable machines. Once it infects a machine, it fetches the XMRig cryptomining payload, which mines for Monero.