In brief
- At least 3,500 websites are running a hidden Monero mining script delivered through a malicious injection chain.
- Attackers reused access from past campaigns, targeting unpatched sites and e-commerce servers.
- The malware keeps a low profile, limiting resource use to avoid triggering suspicion or security scans.
Hackers have infected more than 3,500 websites with stealthy cryptomining scripts that quietly hijack visitors’ browsers to generate Monero, a privacy-focused crypto designed to make transactions more difficult to trace.
The malware doesn’t steal passwords or lock files. Instead, it quietly turns visitors’ browsers into Monero mining engines, siphoning small amounts of processing power without user consent.
The campaign, still active as of this writing, was first uncovered by researchers at cybersecurity firm c/side.
“By throttling CPU usage and hiding traffic in WebSocket streams, it avoided the telltale signs of traditional crypto jacking,” c/side disclosed Friday.
Crypto jacking, sometimes spelled as one word, is the unauthorized use of someone’s device to mine crypto, typically without the owner’s knowledge.
The tactic first gained mainstream attention in late 2017 with the rise of Coinhive, a now-defunct service that briefly dominated the cryptojacking scene before being shut down in 2019.
In the same year, reports on its prevalence have become conflicting, with some telling Decrypt it hasn’t returned to “previous levels” even as some threat research labs confirmed a 29% rise at the time.
‘Stay low, mine slow’
Over half a decade later, the tactic appears to be staging a quiet comeback: reconfiguring itself from noisy, CPU-choking scripts into low-profile miners built for stealth and persistence.
Rather than burning out devices, today’s campaigns spread quietly across thousands of sites, following a new playbook that, as c/side puts it, aims to “stay low, mine slow.”
That shift in strategy is no accident, according to an information security researcher familiar with the campaign who spoke to Decrypt on condition of anonymity.
The group appears to be reusing old infrastructure to prioritize long-term access and passive income, Decrypt was told.
“These groups most likely already control thousands of hacked WordPress sites and e-commerce stores from past Magecart campaigns,” the researcher told Decrypt.
Magecart campaigns are attacks where hackers inject malicious code into online checkout pages to steal payment information.
“Planting the miner was trivial, they simply added one more script to load the obfuscated JS, repurposing existing access,” the researcher said.
But what stands out, the researcher said, is how quietly the campaign operates, making it hard to detect with older methods.
“One way past cryptojacking scripts were detected was by their high CPU usage,” Decrypt was told. “This new wave avoids that by using throttled WebAssembly miners that stay under the radar, capping CPU usage and communicating over WebSockets.”
WebAssembly enables code to run faster inside a browser, while WebSockets maintain a constant connection to a server. Combined, these enable a crypto miner to work without drawing attention.
The risk isn’t “directly targeting crypto users, since the script doesn’t drain wallets, although technically, they could add a wallet drainer to the payload,” the anonymous researcher told Decrypt. “The real target is server and web app owners,” they added.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
