Stealthy Cyberattacks Infect Thousands with Monero Mining Script
Key Findings
- At least 3,500 websites are running hidden Monero mining scripts delivered via malicious injection.
- Attackers reused compromised infrastructure from previous campaigns, specifically targeting unpatched sites.
- The miner keeps an extremely low profile, throttling CPU usage and tunnelling its traffic through WebSockets to avoid detection.
An Unseen Crypto Goldmine
The ongoing campaign, discovered by cybersecurity firm c/side, has weaponized compromised websites to mine the privacy-centric cryptocurrency Monero.
Unlike malware built to steal financial data, this threat quietly turns visitors’ browsing sessions into Monero mining work, siphoning a small slice of CPU time without the knowledge of users or site administrators.
“By throttling CPU usage and hiding traffic in WebSocket streams, it avoided the telltale signs of traditional crypto jacking,” reported c/side.
[Cryptojacking is the unauthorized use of someone else’s device to mine cryptocurrency without their knowledge.]
Back to Basics
Six years after its first surge, cryptojacking is staging a quiet comeback. Today’s variants have moved from resource-hungry, easily spotted scripts to low-profile operations built for stealth and longevity.
As c/side observed, the new wave prioritizes “stay low, mine slow,” which makes detection significantly harder. Its technical foundation pairs WebAssembly, which gives the miner near-native performance inside the browser, with WebSockets for a persistent, unobtrusive communication channel.
Old Wounds, New Toil
The deployment method points to actors already familiar with web vulnerabilities.
“These groups most likely already control thousands of hacked WordPress sites and e-commerce stores from past Magecart campaigns,” a researcher told Decrypt.
“Planting the miner was trivial; they simply added one more script to load the obfuscated JS, repurposing existing access,” explained the anonymous information security expert.
[Magecart attacks inject malicious code into online checkout pages to steal payment card data.]
The Stealth Factor
What sets this campaign apart is not just its scale but its methodology.
Older cryptojacking scripts often gave themselves away through conspicuous CPU consumption. This campaign counters that with throttled WebAssembly miners that stay below the thresholds of standard monitoring.
The campaign is not after visitors’ crypto wallets. Its core objective appears to be the passive, long-term extraction of computational resources from compromised web servers and the visitors to those sites.
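The indicators described in this section and in Back to Basics (a WebAssembly module, a WebSocket channel, an obfuscated loader pulled in by one extra script tag) can be turned into a first-pass triage check for site owners. The following is an added example, not c/side’s tooling or code from the article: a Node.js scanner that lists the script tags on a page, flags those served from hosts outside an allowlist, and scores each script body against those indicators. The hostnames, the allowlist, the HTML and the script bodies are all constructed for illustration; a real run would fetch the external scripts instead of looking them up in a map.

```javascript
// Added example (not c/side's tooling or the article's own code): static triage
// of a page's scripts for the injected-miner pattern the article describes.
// Every host, URL and script body below is constructed for illustration.

// Indicators and the weight each contributes to a script's score.
const INDICATORS = [
  { name: 'wasm-instantiate', re: /WebAssembly\.(instantiate|instantiateStreaming|Module|Instance)\b/, weight: 3 },
  { name: 'websocket', re: /new\s+WebSocket\s*\(|wss?:\/\//, weight: 2 },
  { name: 'obfuscation', re: /\b(atob|eval|unescape)\s*\(|new\s+Function\s*\(/, weight: 1 },
  { name: 'worker', re: /new\s+Worker\s*\(|\bnavigator\.hardwareConcurrency\b/, weight: 1 },
  { name: 'throttle-loop', re: /\bsetTimeout\s*\(|\bsetInterval\s*\(|requestIdleCallback\s*\(/, weight: 1 },
];

// Resolve a script src (absolute or relative) to a hostname; null if unparsable.
function hostOf(src, pageOrigin) {
  try { return new URL(src, pageOrigin).hostname; } catch { return null; }
}

// Score one script body: which indicators fire, and their summed weight.
function scoreScript(body) {
  const fired = INDICATORS.filter(i => i.re.test(body));
  return { hits: fired.map(i => i.name), score: fired.reduce((s, i) => s + i.weight, 0) };
}

// Walk every <script> tag in the HTML. resolveBody(src) returns the text of an
// external script (fetch it in practice; here a lookup into a constructed map).
function scanPage(html, pageOrigin, allowedHosts, resolveBody) {
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  const findings = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const srcMatch = m[1].match(/\bsrc\s*=\s*["']([^"']+)["']/i);
    const src = srcMatch ? srcMatch[1] : null;
    const host = src ? hostOf(src, pageOrigin) : null;
    const body = src ? (resolveBody(src) || '') : m[2];
    const { hits, score } = scoreScript(body);
    const unlisted = host !== null && !allowedHosts.includes(host);
    // Verdict: WASM plus WebSocket together is the article's signature; an
    // unlisted host with any indicator at all also deserves a look.
    const suspicious = (hits.includes('wasm-instantiate') && hits.includes('websocket'))
      || (unlisted && score > 0);
    findings.push({ src, host, unlisted, hits, score, suspicious });
  }
  return findings;
}

// Constructed sample: a shop page with two legitimate scripts, one inline
// stub, and one extra script tag pointing at an unrelated host.
const SAMPLE_ORIGIN = 'https://shop.example.test';
const ALLOWED_HOSTS = ['shop.example.test', 'cdn.example-shop.test'];
const SAMPLE_HTML = `<html><head>
<script src="/assets/app.js"></script>
<script src="https://cdn.example-shop.test/checkout.js"></script>
<script src="https://static.unrelated-cdn.test/x.js"></script>
<script>console.log("inline analytics stub");</script>
</head></html>`;
const SAMPLE_BODIES = {
  '/assets/app.js': 'document.querySelector("#cart").addEventListener("click", () => fetch("/api/cart"));',
  'https://cdn.example-shop.test/checkout.js': 'window.checkout = { total: () => 0 };',
  // Constructed stand-in for an injected loader: a base64-hidden "wss://"
  // prefix, a worker, a WebAssembly module, a WebSocket, and work done in
  // short timed slices so CPU use stays low.
  'https://static.unrelated-cdn.test/x.js': [
    'var p=atob("d3NzOi8v")+"pool.example.test";',
    'var w=new Worker(URL.createObjectURL(new Blob(["..."])));',
    'WebAssembly.instantiate(buf).then(m=>{var s=new WebSocket(p);',
    'setInterval(()=>{for(var i=0;i<2e4;i++)m.instance.exports.h(i)},250)});',
  ].join('\n'),
};

function runSample() {
  return scanPage(SAMPLE_HTML, SAMPLE_ORIGIN, ALLOWED_HOSTS, src => SAMPLE_BODIES[src]);
}

console.log(JSON.stringify(runSample().filter(f => f.suspicious), null, 2));
```

Treat the score as a triage signal, not a verdict: WebAssembly and WebSockets are also used legitimately (games, media decoding, live chat), so the decisive signal is a script tag nobody on the team added, served from a host that is not in the site’s allowlist. Run the scan against the live page as served to visitors, since the injection lives in the compromised site’s own output rather than in its source repository.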
“The real target is server and web app owners,” the researcher elaborated. “Not individual crypto enthusiasts.”
This iteration marks a shift from quick, short-lived gains to an established, low-risk operation, showing that its developers value persistence over the kind of resource hogging that gets a device noticed.