Attackers have infected more than 3,500 websites with scripts for hidden cryptocurrency mining, cybersecurity company c/side reported.
The malware does not steal passwords or lock files. Instead, it uses a small portion of users’ computing power without their consent to mine Monero. The miner avoids suspicious, CPU-intensive payloads, so it is difficult to detect.
“By throttling CPU usage and hiding traffic in WebSocket streams, it avoided the telltale signs of traditional crypto jacking,” the analysts noted.
Cryptojacking is the unauthorized use of other people's devices to mine digital assets, usually without the owners’ knowledge. The tactic emerged in 2017 with the launch of the Coinhive service, which was shut down in 2019. At the time, data on the prevalence of such malware was contradictory: some sources reported that activity had decreased, but other labs recorded an increase of 29%.
Five years later, cryptojacking is back, but in a more covert form. Previously, scripts overloaded processors and slowed down devices. Now, malware mainly aims to remain unnoticed and mine slowly, without raising suspicion, an anonymous cybersecurity expert noted in a comment to Decrypt.
Analysts at c/side described the main stages of the attack:
Malicious script injection: A JavaScript file (for example, karma[.]js) is added to the website code, which launches mining.
Capability checks: The script checks for WebAssembly support, device type, and browser capabilities to optimize the load.
Creation of background processes.
Communication with the control server: Via WebSockets or HTTPS, the script receives mining tasks and sends the results to the C2 server—the hackers' command center.
The malware is not designed to steal crypto wallets; however, hackers could technically add this capability. Owners of servers and web applications whose sites are compromised become platforms for unauthorized mining.
