CoinMiner is a cryptominer targeting macOS, first discovered in 2018.
Also known as: OSX.CoinMiner, Bird Miner, LoudMiner, CreativeUpdate
CoinMiner is a family of macOS cryptocurrency mining malware that secretly uses the victim's CPU and GPU resources to mine cryptocurrency — typically Monero (XMR) — for the attacker's wallet. Variants have been distributed through pirated software including cracked versions of Ableton Live, Adobe Creative Suite, and Microsoft Office for Mac. Some versions like LoudMiner install a Linux virtual machine via QEMU or VirtualBox to run the miner, making detection harder. Infected Macs experience severe performance degradation, overheating, excessive fan noise, and dramatically reduced battery life.
Pirated and cracked versions of expensive software like Ableton Live, Logic Pro, Adobe CC, and Final Cut Pro distributed via torrent sites
Trojanized free utilities and media converters on unofficial download sites
Compromised WordPress plugins and websites serving drive-by mining scripts
Fake cryptocurrency trading or wallet applications targeting crypto enthusiasts
Mac fans running at maximum speed and system running extremely hot even when idle or performing light tasks
Significant CPU usage (80-100%) visible in Activity Monitor from processes with random names or names mimicking system services
Battery draining much faster than normal on MacBook models — often 2-3x faster
Sluggish system performance with applications taking much longer to open and respond
Open Activity Monitor and sort by CPU usage. Mining processes typically consume 70-100% CPU. Look for processes with random names, names like 'xmrig' or 'minergate', or processes running under a Linux VM (qemu-system-x86_64 or VBoxHeadless).
Select the mining process in Activity Monitor and Force Quit it. If a VM-based miner, also quit qemu or VirtualBox. Delete the miner binary — common locations include ~/Library/Application Support/, /usr/local/bin/, and /tmp/. For LoudMiner: rm -rf ~/Library/Application\ Support/com.apple.bird/
Check and remove mining LaunchAgents: ls ~/Library/LaunchAgents/ and delete suspicious plists. Also check /Library/LaunchDaemons/, ~/Library/LaunchDaemons/, and crontab entries with crontab -l. Remove any cron entries you did not create.
Delete the pirated or cracked application that delivered the miner from /Applications/ and ~/Downloads/. If you need the software, purchase a legitimate license or find a free alternative.
Some miners run inside a hidden Linux VM. Check for QEMU or VirtualBox installations you did not install: ls /usr/local/bin/qemu* and check /Applications/ for VirtualBox. Remove any unauthorized virtualization software.
Run a full CoreLock scan to detect any remaining mining components, hidden persistence mechanisms, or secondary payloads. CoreLock monitors CPU usage patterns to identify cryptomining activity.
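The manual checks in the steps above can be collected into one read-only triage pass. This is an added example, not CoreLock's code: the process names, paths and 70-100% CPU range come from the steps above, while the function names, the script name miner_triage.sh and the sample process rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only triage for the manual checks above. Deletes nothing.

# Process names the page calls out; threshold follows its 70-100% CPU range.
MINER_NAMES='xmrig|minergate|qemu-system-x86_64|VBoxHeadless'
CPU_THRESHOLD=70

# Reads "PID %CPU COMMAND" rows (ps -Ao pid=,pcpu=,comm=) on stdin and prints
# "name-match" for known miner/VM names, "high-cpu" for any other process at
# or above the threshold. Randomly named miners only show up as high-cpu.
flag_processes() {
    awk -v names="$MINER_NAMES" -v limit="$CPU_THRESHOLD" '
    {
        pid = $1; cpu = $2
        cmd = $0   # keep spaces in paths such as "Application Support"
        sub(/^[ \t]*[0-9]+[ \t]+[0-9.]+[ \t]+/, "", cmd)
        n = split(cmd, parts, "/"); base = parts[n]
        if (base ~ ("^(" names ")$")) print "name-match", pid, cpu, cmd
        else if (cpu + 0 >= limit + 0) print "high-cpu", pid, cpu, cmd
    }'
}

# Prints every plist in the launchd directories the page names, for review.
list_persistence() {
    for dir in "$HOME/Library/LaunchAgents" "$HOME/Library/LaunchDaemons" \
               /Library/LaunchDaemons; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 1 -name '*.plist' -print
    done
}

# Constructed sample rows (not captured from a real infection).
sample_ps() {
    cat <<'EOF'
  312   1.2 /usr/sbin/cfprefsd
 4821  96.4 /usr/local/bin/qemu-system-x86_64
 5110  88.0 /Users/alice/Library/Application Support/kdjfh/kdjfh
 5233   3.0 /tmp/xmrig
EOF
}

# Live checks run only when invoked as: sh miner_triage.sh live
if [ "${1:-}" = "live" ]; then
    ps -Ao pid=,pcpu=,comm= | flag_processes
    list_persistence
    crontab -l 2>/dev/null || true
    ls -d /usr/local/bin/qemu* /Applications/VirtualBox.app \
        "$HOME/Library/Application Support/com.apple.bird" 2>/dev/null || true
fi
```

A name-match row with low CPU (the xmrig sample) is still worth reviewing, since a miner may be throttled or idle at the moment ps samples it.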
Never download pirated or cracked software — cryptominers are among the most common payloads bundled with Mac piracy
Monitor CPU usage regularly using Activity Monitor or CoreLock to catch miners early
Be suspicious of free versions of expensive professional software from unofficial sources
Use CoreLock to detect anomalous sustained CPU usage patterns characteristic of cryptocurrency mining
Real-time Detection
CoreLock detects CoinMiner variants through CPU usage anomaly detection that identifies sustained high-utilization patterns characteristic of mining operations, process behavioral analysis flagging known mining algorithms and pool connections, YARA rules matching XMRig and other popular mining binaries, and network monitoring for connections to known cryptocurrency mining pool servers.
The most obvious signs are your Mac's fans running at full speed even when idle, extreme heat, rapid battery drain on laptops, and severely degraded performance. Open Activity Monitor and sort by CPU — if a process you don't recognize is consistently using 70-100% CPU, your Mac may have a cryptominer. CoreLock can specifically detect mining behavior patterns and alert you automatically.
Prolonged mining at maximum CPU/GPU load can cause accelerated wear on your Mac's components. Sustained high temperatures can degrade the thermal paste, stress the battery (significantly reducing its lifespan on MacBooks), and in extreme cases cause thermal throttling or hardware damage. The electricity cost of running a miner also far exceeds any cryptocurrency the attacker earns from your machine.
Mac users are targeted because Macs have powerful processors (especially Apple Silicon M-series chips), tend to be left running for long periods, and Mac users historically have had less exposure to malware — making them less suspicious of infections. The mining malware is often bundled with pirated creative software (Ableton, Adobe CC, Final Cut Pro) specifically because Mac users disproportionately use these applications.
VM-based miners like LoudMiner run inside a hidden QEMU or VirtualBox Linux instance. In Activity Monitor, look for qemu-system-x86_64 or VBoxHeadless processes. Force quit them, then remove the VM files from ~/Library/Application Support/ and any QEMU/VirtualBox installations you did not authorize. Delete the associated LaunchAgent plists and the pirated application that installed the VM. Run a CoreLock scan to verify complete removal.