DarthMiner is a combination of EmPyre, a post exploitation backdoor, and XMRig cryptominer. The malware is distributed as a fake “Adobe Zii” application.

Source: Malwarebytes

When executed, the malware will execute a shell command that will download and execute additional files. As result, EmPyre and XMRig are installed on the infected system.

Source: CheckPoint

The malware will also create the LaunchAgent “com.apple.rig.plist” so the XMRig will start automatically on system boot.

Source: CheckPoint