The Tencent Yujian Threat Intelligence Center detected an increase in the amount of Lcy2Miner infection in the mining Trojan family, and engineers conducted a retrospective investigation of the infection of the virus. It was found that an attacker built multiple HFS servers to provide Trojan downloads and constructed IE vulnerability (CVE-2014-6332) attack code on their server web pages. When a vulnerable computer is tricked into accessing an attacking web page, it triggers a vulnerability to download the Timber Wolf Remote Control Trojan. Then, the remote control Trojan downloads the Monroe mining trojan and the "Eternal Blue" vulnerability attack module, and then uses the "Eternal Blue" vulnerability attack tool to spread the attack on the intranet. Finally, the attacker makes a profit by forming a botnet. Up to now, the gang has obtained 147 Monroe coins through mining, with a market value of about 65,000 yuan. The data shows that the Lcy2Miner mining trojan controlled by the gang has infected more than 20,000 computers, affecting many industries, and Internet services, wholesale and retail, and technology services are among the top three. From the distribution of virus-infected areas, Lcy2Miner mining horses are infected in most parts of the country, and the most severely affected areas are Beijing, Guangdong, Henan and other places.