Three malware families were found using the XMRig miner for monetary gain.

The first family is dubbed “ransominer” for its combined use of ransomware and crypto-mining. The infection chain begins with a common Trojan installed on the victim’s machine for the purpose of installing administration programs, adding a new user, and opening RDP access. A ransomware payload is then executed, followed by the XMRig loader, so the user sees the ransom note while Monero is mined in the background.

The second family is the Prometei backdoor. After a few years in operation, it expanded its capabilities to also distribute XMRig. After MS SQL credentials are brute-forced and access is gained, PowerShell scripts are run and privileges are elevated. Purple Fox and Prometei are both installed on the host. Lastly, the XMRig miner is downloaded from the C2 server and executed.

The third family is the Cliptomaner miner. It is similar to the other families but adds the ability to replace crypto-wallet addresses in the clipboard. Additionally, instead of being written in a compiled language, it is written entirely in AutoIt.
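The Prometei sequence described above (MS SQL brute force, access, PowerShell, miner execution) can be hunted as an ordered chain per host. The following is an added example, not code from the original report; the event schema (`ts`, `host`, `kind`, `src`, `image`, `cmdline`), the thresholds, and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# XMRig-style command-line markers: a stratum pool URL or the --donate-level option.
MINER_RE = re.compile(r"stratum\+(?:tcp|ssl)://|--donate-level|xmrig", re.I)

def find_chains(events, fail_threshold=5, window=900):
    """Return hosts where brute force -> login -> PowerShell -> miner occur in order."""
    fails = defaultdict(list)   # (host, src) -> timestamps of failed MS SQL logins
    stage = {}                  # host -> (last stage reached, timestamp of that stage)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts = ev["host"], ev["ts"]
        if ev["kind"] == "mssql_login_failed":
            fails[(host, ev["src"])].append(ts)
        elif ev["kind"] == "mssql_login_ok":
            recent = [t for t in fails[(host, ev["src"])] if ts - t <= window]
            if len(recent) >= fail_threshold:      # success right after a burst of failures
                stage[host] = ("access", ts)
        elif ev["kind"] == "process" and host in stage:
            name, since = stage[host]
            if ts - since > window:                # chain went stale, reset this host
                del stage[host]
                continue
            cmd = ev["image"] + " " + ev["cmdline"]
            if name == "access" and "powershell" in cmd.lower():
                stage[host] = ("powershell", ts)
            elif name == "powershell" and MINER_RE.search(cmd):
                hits.append(host)
                del stage[host]
    return hits

def make_event(ts, host, kind, **fields):
    return {"ts": ts, "host": host, "kind": kind, **fields}

# Constructed sample events (not from the report): db01 shows the full chain, db02 is benign.
SAMPLE = (
    [make_event(i, "db01", "mssql_login_failed", src="203.0.113.7") for i in range(6)]
    + [
        make_event(10, "db01", "mssql_login_ok", src="203.0.113.7"),
        make_event(20, "db01", "process", image="powershell.exe", cmdline="-File stage.ps1"),
        make_event(90, "db01", "process", image="svc.exe",
                   cmdline="-o stratum+tcp://pool.example:3333 --donate-level 1"),
        make_event(5, "db02", "mssql_login_failed", src="10.0.0.5"),
        make_event(6, "db02", "mssql_login_ok", src="10.0.0.5"),
        make_event(30, "db02", "process", image="powershell.exe", cmdline="Get-Service"),
    ]
)

if __name__ == "__main__":
    print(find_chains(SAMPLE))
```

Requiring the stages in order within a time window keeps a lone mistyped password or a routine admin PowerShell session from alerting on its own.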