On April 17, Tencent Yuwen issued a statement saying that Tencent Security Yuzhi Threat Intelligence Center detected the Eternal Blue Downloader Trojan updated again on April 16. After the update, the new C2 domain name is enabled. After installing the scheduled task on the infected computer, the door continues to pull the malicious code to execute, and the Powershell attack module is downloaded through the new domain name to move laterally, upload the target information of the successful attack to the server, and download the mining. The module conducts mining of Monroe coins in a “fileless” manner. After the latest version of the virus is infected, two scheduled task backdoors are installed on the machine to continuously pull malicious code from the server.