Microsoft has continued its analysis of the LemonDuck coin-mining malware, which was crafted by very determined, financially motivated cybercriminals. LemonDuck is known for installing crypto-miners in enterprise environments and has a well-stocked arsenal of hacking tools, tricks and exploits. The attackers' goal is to have their malware retain exclusive access to a compromised network for as long as possible. They try to own compromised networks by disabling anti-malware, removing rival malware, and even automatically patching vulnerabilities to keep rival attackers from feeding off their turf. This limits the visibility of the attack, which makes it harder for the security operations center to detect it on a device. They have previously used Exchange bugs to install web shells on Microsoft Exchange servers for remote access to unpatched systems and to install additional LemonDuck malware. They did this while maintaining full access to compromised devices and limiting other actors from abusing the same Exchange vulnerabilities.