DarthMiner is a combination of EmPyre, a post-exploitation backdoor, and the XMRig cryptominer. The malware is distributed as a fake “Adobe Zii” application.
When launched, the malware runs a shell command that downloads and executes additional files. As a result, EmPyre and XMRig are installed on the infected system.
The malware also creates the LaunchAgent “com.apple.rig.plist” so that XMRig starts automatically on system boot.
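
A defender-side check for the persistence artifact named above, as an added example that is not part of the original write-up: it scans LaunchAgent directories for `com.apple.rig.plist` and for jobs whose command line references xmrig. The directory list, the `com.apple.` label heuristic and the function names are assumptions; the page gives only the plist filename.

```python
import plistlib
from pathlib import Path

# Filename taken from the description above.
IOC_PLIST_NAME = "com.apple.rig.plist"
# Assumption: standard macOS LaunchAgent locations outside /System; the page
# does not say which directory the malware writes to.
DEFAULT_DIRS = [Path.home() / "Library/LaunchAgents", Path("/Library/LaunchAgents")]


def inspect_agent(path):
    """Return the reasons a LaunchAgent plist deserves review (empty if none)."""
    reasons = []
    if path.name.lower() == IOC_PLIST_NAME:
        reasons.append("filename matches " + IOC_PLIST_NAME)
    try:
        with path.open("rb") as fh:
            job = plistlib.load(fh)  # handles both XML and binary plists
    except Exception:
        return reasons  # unreadable or malformed: report filename match only
    if not isinstance(job, dict):
        return reasons
    # Heuristic (assumption): Apple's own agents normally live under
    # /System/Library, so a com.apple.* label elsewhere is worth a look.
    if str(job.get("Label", "")).startswith("com.apple."):
        reasons.append("com.apple.* label outside /System/Library")
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    if "xmrig" in " ".join(str(a) for a in args).lower():
        reasons.append("command line references xmrig")
    if reasons and job.get("RunAtLoad") is True:
        reasons.append("RunAtLoad is set")
    return reasons


def scan(dirs=DEFAULT_DIRS):
    """Map each suspicious plist path to its list of reasons."""
    findings = {}
    for directory in map(Path, dirs):
        if not directory.is_dir():
            continue
        for plist in sorted(directory.glob("*.plist")):
            reasons = inspect_agent(plist)
            if reasons:
                findings[str(plist)] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in scan().items():
        print(path, "->", "; ".join(reasons))
```

A hit on the label heuristic alone is a prompt for review rather than a verdict; the filename and xmrig matches are the ones tied to this description.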