Cisco Talos has observed updated infrastructure and new components associated with the Lemon Duck cryptocurrency mining botnet that target unpatched Microsoft Exchange Servers and attempt to download and execute payloads for Cobalt Strike DNS beacons. The use of fake domains on East Asian top-level domains (TLDs) masks connections to the actual command and control (C2) infrastructure used in these campaigns. This activity reflects updated tactics, techniques, and procedures (TTPs) associated with this threat actor.”]
Source: https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html