Vulnerable machines exposed to the web are apparently compromised for cryptocurrency mining purposes. The BlueKeep remote code execution vulnerability in the Windows Remote Desktop Services is currently exploited in the wild. Attackers are using a BlueKeep scanner to find vulnerable systems exposed on the web and drop the cryptocurrency miner on them. There are more than 724,000 systems worldwide susceptible to BlueKeep exploitation. Microsoft patched it on May 14, followed by a barrage of alerts about its severity from governments and security companies, some reiterating their concern.
Source: https://www.bleepingcomputer.com/news/security/windows-bluekeep-rdp-attacks-are-here-infecting-with-miners/