Discovered on January 8, there's a new version of Satori malware that is aimed at attacking cryptocurrency mining computers and replaces the user's wallet address with one from the attacker, stealing newly minted coins.
According to the report, the user won't know unless they spend time investigating their configuration.

It's not clear precisely how the new variant is infecting mining computers. At least one vulnerability has been reported in the Claymore Mining software, along with a corresponding vulnerability. Wednesday's post said Satori isn't exploiting it. Instead, Wednesday's post said Satori "works primarily on the Claymore Mining equipment that allows management actions on 3333 ports with no password authentication enabled (which is the default config)." New Botnet Infecting Cryptocurrency Mining Computers [arstechnica.com]