Crypto miners have been present in the threat landscape for some years, ever since attackers identified the opportunity of leveraging victims' CPUs to mine cryptocurrency for them. Despite the current rough patch in the world of cryptocurrencies, these miners are still present and will be in the foreseeable future.
Attackers have been sending malicious attachments, with a special emphasis on Mexican institutions and citizens. A new miner sample showed up on AT&T Alien Labs' radar in April, accompanied by a wide range of different loaders, still appearing to this day, whose aim is to execute it on infected systems. The loaders were initially delivered to victims through an executable disguised as a spreadsheet. The techniques used by these malware samples are usually focused on achieving execution, evading detection so they can run under the radar, and gaining persistence to survive any reboot.
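The delivery trick described above, an executable dressed up as a spreadsheet, is cheap to catch at the mail gateway or on the endpoint if you compare what a file's name claims with what its first bytes actually are. The following is an added example written for this article, not Alien Labs' code or anything the campaign's loaders do; the file names and byte strings are constructed, and the heuristic (double extension, PE bytes behind a spreadsheet extension, container mismatch) is a generic check rather than a signature for this sample.

```python
"""Flag attachments whose spreadsheet-looking name disagrees with their real
container format. Added example, not code from the article; all sample inputs
below are constructed."""
import os

# Well-known magic bytes for the container formats that matter here.
SIGNATURES = {
    b"PK\x03\x04": "zip",    # OOXML spreadsheets (.xlsx/.xlsm) are ZIP containers
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy binary Office (.xls)
}

# What a given spreadsheet extension should contain.
SPREADSHEET_EXTS = {".xls": "ole2", ".xlsx": "zip", ".xlsm": "zip", ".csv": "text"}
# Extensions Windows will happily execute on double-click.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}


def container_type(data: bytes) -> str:
    """Identify the container from leading bytes; 'unknown' if nothing matches."""
    if data.startswith(b"MZ"):
        # A real PE has e_lfanew at offset 0x3C pointing at the 'PE\0\0' signature.
        if len(data) >= 0x40:
            off = int.from_bytes(data[0x3C:0x40], "little")
            if data[off:off + 4] == b"PE\x00\x00":
                return "pe"
        return "mz"  # MZ header without a valid PE signature (DOS stub or damaged)
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def split_exts(name: str) -> list:
    """All dotted suffixes, lowercased: 'a.xlsx.exe' -> ['.xlsx', '.exe']."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def assess(name: str, data: bytes) -> dict:
    """Return a verdict for one attachment: its real container and why it is suspicious."""
    exts = split_exts(name)
    last = exts[-1] if exts else ""
    kind = container_type(data)
    reasons = []
    # 1. 'report.xlsx.exe' displays as 'report.xlsx' when Explorer hides known extensions.
    if len(exts) >= 2 and exts[-2] in SPREADSHEET_EXTS and last in EXECUTABLE_EXTS:
        reasons.append("double-extension")
    # 2. The name claims a spreadsheet but the bytes are a Windows executable.
    if last in SPREADSHEET_EXTS and kind == "pe":
        reasons.append("pe-with-spreadsheet-extension")
    # 3. Any other disagreement between the claimed and the observed container.
    expected = SPREADSHEET_EXTS.get(last)
    if expected and kind != "unknown" and kind != expected and not reasons:
        reasons.append(f"container-mismatch:{expected}->{kind}")
    return {"name": name, "container": kind, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample attachments (names and bytes invented for this example).
MINIMAL_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20
SAMPLES = [
    ("factura_abril.xlsx", b"PK\x03\x04" + b"\x00" * 60),   # genuine OOXML workbook
    ("factura_abril.xlsx.exe", MINIMAL_PE),                  # double extension
    ("factura_abril.xls", MINIMAL_PE),                       # PE behind a .xls name
    ("notas.csv", b"a,b,c\n1,2,3\n"),                        # plain text, as claimed
    ("balance.xlsx", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 60),  # .xls bytes, .xlsx name
]


def scan(samples=SAMPLES) -> list:
    """Assess every (name, bytes) pair and return the verdicts in order."""
    return [assess(n, d) for n, d in samples]


if __name__ == "__main__":
    for verdict in scan():
        print(verdict)
```

Running the block prints one verdict per constructed sample; only the two PE-bearing files and the mislabeled legacy workbook come out as suspicious. In production you would feed `assess()` the attachment name and the first 4 KiB of its body, and the `mz` result (MZ header without a valid PE signature) is worth routing to manual review rather than ignoring, since truncated or deliberately mangled headers can still be repaired by a loader later in the chain.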