Threat Watch

A One-Year Study of Dexphot’s Techniques to Evade Detection

In October 2018, Microsoft detected a new threat that deployed files on thousands of devices and changed those files every 20-30 minutes. Dexphot, as Microsoft called it, used a variety of methods to evade detection, including obfuscation, encryption and randomized file names at installation time. It also used fileless techniques, running code directly in memory by injecting it into legitimate processes on the victim machine. Dexphot's end goal was to abuse the victim computers' CPU resources to mine cryptocurrency. It used services and scheduled tasks to monitor itself and restart if anything stopped or removed it. At its peak in June 2019, Dexphot was running on almost 80,000 devices.


Businesses should keep their antivirus (AV) solutions up to date to catch threats like these and complement them with an Endpoint Detection and Response (EDR) solution. Security works best in layers, and antivirus is only the first step in protecting a workstation. Cryptocurrency miners typically consume a large share of a machine's CPU for extended periods, far longer than a build, a video encode or a browser spike. Monitoring resource usage on an endpoint can therefore be a good first clue that something is wrong. Because Dexphot injected into legitimate processes, the consumption may show up under a trusted process name, so the duration of the load, not the name of the process carrying it, is the signal to watch. A process that is killed and shortly reappears under a new process ID, still at full load, is a further hint that something is restarting it.
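The two clues above, sustained CPU load and a process that comes back under a new PID, can be turned into simple detection logic. The following is an added example, not code from Microsoft or from the original post. It works on per-process CPU samples taken at a fixed interval; the samples here are constructed inline to stand in for data that an endpoint agent would collect with Windows performance counters or a library such as psutil. The threshold (80% of one core) and the minimum duration (10 minutes) are assumptions to be tuned per environment.

```python
"""Flag processes that keep a CPU core busy for a sustained period, and
processes that reappear under a new PID after an earlier instance vanished.

Added example, not the original page's or Microsoft's detection logic.
Samples are constructed inline (60-second polling interval assumed).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    ts: int          # seconds since epoch at which the sample was taken
    pid: int
    name: str        # image name as reported by the OS
    cpu_pct: float   # percent of one core used since the previous sample


def sustained_high_cpu(samples, threshold=80.0, min_seconds=600):
    """Return {(pid, name): seconds} for processes whose CPU stayed at or
    above `threshold` for a contiguous run lasting at least `min_seconds`.

    A single sample below the threshold resets the run, so short bursts
    (a compile, an encode finishing) fall out while a miner, which never
    idles, stays in.
    """
    by_proc = defaultdict(list)
    for s in samples:
        by_proc[(s.pid, s.name)].append(s)

    hits = {}
    for key, series in by_proc.items():
        series.sort(key=lambda s: s.ts)
        run_start = None
        longest = 0
        for s in series:
            if s.cpu_pct >= threshold:
                if run_start is None:
                    run_start = s.ts
                longest = max(longest, s.ts - run_start)
            else:
                run_start = None
        if longest >= min_seconds:
            hits[key] = longest
    return hits


def respawned(samples, name):
    """Return (old_pid, new_pid) pairs for `name` where the new instance was
    first seen only after the old one was last seen, i.e. something restarted
    it rather than running two copies side by side."""
    spans = {}
    for s in samples:
        if s.name != name:
            continue
        lo, hi = spans.get(s.pid, (s.ts, s.ts))
        spans[s.pid] = (min(lo, s.ts), max(hi, s.ts))
    ordered = sorted(spans.items(), key=lambda kv: kv[1][0])
    pairs = []
    for (old_pid, (_old_start, old_end)), (new_pid, (new_start, _new_end)) in zip(ordered, ordered[1:]):
        if new_start > old_end:
            pairs.append((old_pid, new_pid))
    return pairs


def triage(samples, **kwargs):
    """Combine both signals: for every sustained-CPU hit, record how long the
    load lasted and which PIDs the same image name came back under."""
    out = {}
    for (pid, name), secs in sustained_high_cpu(samples, **kwargs).items():
        out[(pid, name)] = {
            "sustained_s": secs,
            "respawned_as": [new for old, new in respawned(samples, name) if old == pid],
        }
    return out


def _series(pid, name, start, values, interval=60):
    """Build a sample series for one process, one value per polling interval."""
    return [Sample(start + i * interval, pid, name, v) for i, v in enumerate(values)]


# Constructed telemetry (assumed 60 s polling). svchost.exe pid 4120 runs a
# core flat out for 12 minutes, disappears, and the same image name returns as
# pid 5560 two minutes later; chrome.exe spikes briefly; msbuild.exe works hard
# for 5 minutes and then goes quiet.
SAMPLES = (
    _series(4120, "svchost.exe", 0, [96, 98, 97, 99, 95, 98, 97, 96, 99, 98, 97, 96])
    + _series(2200, "chrome.exe", 0, [90, 88, 5, 3, 4, 6, 2, 3, 5, 4, 3, 2])
    + _series(3300, "msbuild.exe", 0, [100, 100, 100, 100, 100, 2, 1, 0, 0, 0, 0, 0])
    + _series(5560, "svchost.exe", 780, [97, 98, 96, 99, 97])
)

if __name__ == "__main__":
    for (pid, name), info in triage(SAMPLES).items():
        print(f"{name} (pid {pid}): {info['sustained_s']} s at high CPU, "
              f"respawned as {info['respawned_as'] or 'nothing yet'}")
```

Lowering `min_seconds` to 240 also catches the msbuild.exe run, which shows why the duration threshold has to be set above the longest legitimate workload on the machine; the respawn check is what separates a long build from a miner whose watchdog brings it back.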