The analysts say that Dexphot usually hides itself within actual processes run by a system, as a way to disguise its own activities which include cryptocurrency mining and stealing digital assets. If the malware is found, any attempt to remove it still causes reinfection.
“The Dexphot attack used a variety of sophisticated methods to evade security solutions. Layers of obfuscation, encryption, and the use of randomized file names hid the installation process. Dexphot then used fileless techniques to run malicious code directly in memory, leaving only a few traces that can be used for forensics.”