Azure app service is compromised. We can see inside our app service files there is a file called xmrig-6.24.0

Question

Azure app service is compromised. We can see inside our app service files there is a file called xmrig-6.24.0

Yale Farmer 56

As you can see in the image someone put an additional file xmrig-6.24.0

What is this file? How can we prevent attackers to not put such files? This is draining CPU of my app service. I have uploaded both the screenshots.

Golla Venkata Pavani 265 Reputation points Microsoft External Staff Moderator

2025-12-11T15:22:50.64+00:00
Hii @Yale Farmer,

Thank you for contacting us. We have reviewed your issue and found that your Azure App Service has been compromised, with an unauthorized file named xmrig‑6.24.0 added. Based on your screenshots, this file is causing high CPU usage and is consistent with crypto‑mining activity.

The file xmrig-6.24.0 is malware, specifically a widely‑used cryptocurrency mining tool ("XMRig") used by attackers to hijack compute resources.

Please follow the steps to remove XMRig Malware & Secure Azure App Service
Step 1: Stop and clean the App Service

Stop the App Service immediately to prevent further CPU drain.

Open the Kudu Console → Debug Console → CMD/PowerShell.

Delete the suspicious files (e.g., xmrig-6.24.0 folder/files).

Step 2 : Rotate All Credentials

Regenerate publishing profile

Azure Portal > App Service > Get Publish Profile > Reset

Reset deployment user credentials

Azure Portal > App Service > Deployment Center > User Credentials

Reset FTP / FTPS credentials

Portal > App Service > Deployment Center > FTP > Reset

Step 3 :
To safely redeploy after a compromise, delete the entire wwwroot folder from Kudu and then redeploy a clean build of your application using a trusted source such as GitHub Actions, Azure DevOps, or a ZIP package generated from a secure build machine.

You can securing your App Service by using below options:

Enable Azure Defender: Consider enabling Azure Defender for your App Service. This can help protect against a range of threats, including potential malware and unauthorized access. More information can be found.

Implement Application Gateway WAF: A Web Application Firewall (WAF) can provide an additional layer of security against web attacks.

Reference:
https://v4.hkg1.meaqua.org/en-us/azure/defender-for-cloud/defender-for-app-service-introduction#what-are-the-benefits-of-azure-defender-for-app-service
https://v4.hkg1.meaqua.org/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=drs21%2Cowasp32
Kindly let us know if the above comment helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.

Answer accepted by question author

0 additional answers

Your answer

Answer 1

TP 145.8K Volunteer Moderator

Hi,

Please see below Security Advisory:

Security Advisory: CVE-2025-66478

https://nextjs.org/blog/CVE-2025-66478

At minimum I suggest you stop your app (so that the cryptominer is no longer running). Update your clean source files so that known vulnerabilities are patched, test locally, deploy updated app, change any secret(s)/api keys/etc. that your app has access to. Make sure no malicious files remain.

You should assess all the potential effects of the malicious code having access to everything that your app has access to, and take steps to mitigate. Consider engaging cybersecurity specialist to provide analysis and detailed advice.

-TP

TP 145.8K Reputation points Volunteer Moderator

2025-12-12T15:10:56.3133333+00:00

@Yale Farmer Any update?
Yale Farmer 56 Reputation points

2025-12-13T16:29:05.48+00:00

patch fixed the issue, still i created a new app service + plan just be be sure

Share via

Azure app service is compromised. We can see inside our app service files there is a file called xmrig-6.24.0

0 additional answers

Your answer