According to the Tencent Yujian Threat Intelligence Center, some users reported that a large number of machines inside the company were inexplicably created by users with the account name "mm123$". After collecting evidence on the spot and traceability of big data, it was confirmed as a new variant of NSABuffMiner. This variant has become a mining botnet, and the amount of infection of the mining Trojan has continued to grow through Tencent Antu. The virus's parent icon and file information are disguised as "a security software protection center module" in order to escape manual killing. After the virus runs, it will upload system related information and occupy part of the system resources for mining. Some resources are used to spread attacks to the intranet and the external network at the same time. After the attack is successful, the compromised machine becomes a "broiler" to perform the above malicious behavior, and the loop is repeated.