Cryptocurrency mining botnet malware Smominru has infected more than 526,000 computers using a leaked NSA exploit, The Hacker News reported yesterday, Jan. 31.

Software security researchers from cybersecurity company Proofpoint have detected a new global botnet called Smominru, also known as Ismo, that uses a National Security Agency (NSA) exploit EternalBlue to spread Monero mining malware.

The EternalBlue exploit was leaked by the so-called Shadow Brokers hackers who were reportedly also behind the 2017 widespread WannaCry ransomware threat, according to The Hacker News.

Proofpoint reported that the Smominru botnet has been infecting computers since May 2017, mining about 24 Monero coins per day. To date, the botnet has reportedly managed to mine about 8,900 Monero, or about $2.1 million at press time. The highest number of Smominru-infected PCs has been found in Russia, India, and Taiwan, researchers said.

According to Proofpoint, cybercriminals are targeting vulnerable version of Windows, also using a leaked NSA protocol exploit called EsteemAudit.

According to thehackernews.com, the experts also notified DDoS protection service SharkTech where Smominru’s command and control infrastructure has been detected, however, they didn’t get a response.

As Cointelegraph reported Jan. 28, a massive Monero-mining malware attack via online ads, mostly attributed to the controversial cryptocurrency mining and advertising platform Coinhive, has affected a huge number of users and online businesses worldwide, including Youtube.