The Lemon Duck cryptocurrency-mining botnet was seen behind a spike of April attacks exploiting the Microsoft Exchange server ProxyLogon flaw.