Shutdown Timer CryptoMiner breaks out and infects over 200,000 within a week

Jun 6, 2018 | 360TS

Recently, 360 Security Center discovered a new CryptoMiner Trojan that infected hundreds of thousands of computers in one week. The Trojan is distributed with various tools such as software cracks or plugins. It infects the user’s computer and installs an unwanted program called Shutdown Timer. Shutdown Timer runs a service that silently installs mining components. We named it “ShutdownTimerBundlerMiner”.


The Trojan is bundled with various software cracks or plugins to infect victims’ computers. The plugins promote Shutdown Timer installation. The website is and timer-latest.exe will be downloaded.

The program installs %userprofile%\appdata\roaming\software updater\softwareupdater.exe as a system service. The service runs at system startup and starts a timer through a C# script with parameters.

The code of the timer.

The timer triggers the execution.

It sends requests to the server and decides its behavior based on the responses.

The commands supported by the script:

The “File” command will update mining modules.

The address of the miner is

The address of miner module is
The module will be registered as a service and will start mining when the system starts up. The mining pool address will be written to a configuration file.
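Both the updater (softwareupdater.exe under the user's roaming AppData directory) and the miner module described above persist as Windows services. The following is an added example, not code from the original article or from 360's tooling: it audits exported service records for binaries that live under a per-user AppData path. The service names, the user name `alice` and the sample records are constructed for illustration.

```python
import re
from typing import Iterable, List, NamedTuple, Tuple

class Service(NamedTuple):
    name: str
    image_path: str  # raw ImagePath value of the service
    start: int       # Start value; 2 means automatic start at boot

# Per-user, user-writable locations such as the article's
# %userprofile%\appdata\roaming\software updater\ directory.
USER_DIR = re.compile(
    r"\\appdata\\(roaming|local|locallow)\\|^%(appdata|localappdata)%\\", re.I)

def executable_of(image_path: str) -> str:
    """Return the executable part of an ImagePath, without arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end != -1 else p[1:]
    # Unquoted paths may contain spaces, so cut at the first ".exe".
    m = re.match(r"(.+?\.exe)(\s|$)", p, re.I)
    return m.group(1) if m else (p.split() or [""])[0]

def audit(services: Iterable[Service]) -> List[Tuple[str, str, List[str]]]:
    """Flag services whose binary lives under a per-user AppData path."""
    findings = []
    for s in services:
        exe = executable_of(s.image_path)
        if not USER_DIR.search(exe):
            continue
        notes = ["binary in per-user AppData"]
        if s.start == 2:
            notes.append("auto-start")
        if " " in exe and not s.image_path.lstrip().startswith('"'):
            notes.append("unquoted path with spaces")
        findings.append((s.name, exe, notes))
    return findings

# Constructed sample records (service names and user "alice" are made up).
SAMPLE = [
    Service("ExampleSvchost", r"%SystemRoot%\System32\svchost.exe -k netsvcs", 2),
    Service("ExampleUpdater", r"C:\Users\alice\AppData\Roaming\software updater\softwareupdater.exe", 2),
    Service("ExampleAgent", r'"C:\Users\alice\AppData\Local\Vendor\agent.exe" --service', 3),
    Service("Spooler", r"C:\Windows\System32\spoolsv.exe", 2),
]

if __name__ == "__main__":
    for name, exe, notes in audit(SAMPLE):
        print(f"{name}: {exe} [{', '.join(notes)}]")
```

A flagged service is a lead for review, not a verdict: some legitimate per-user software also registers services from AppData.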

So far, only two antivirus products, including 360 Total Security, are able to detect this kind of Trojan.


Recently, we have found that many CryptoMiner Trojans are actively spreading in the wild. We strongly recommend that users keep antivirus software enabled when installing new applications. Users are also advised to run a virus scan with 360 Total Security to avoid falling victim to CryptoMiner.
