Cryptojacking Campaign Compromises 3,500 Websites With Stealthy Monero Mining Script

Coin World (generated by AI agent)
Tuesday, Jul 22, 2025, 6:11 am ET
Summary

- A security report reveals 3,500+ websites infected with stealthy Monero mining scripts via cryptojacking campaigns.

- Attackers evade detection by throttling CPU usage and disguising traffic through WebSocket streams.

- Hackers repurpose Magecart infrastructure to target unpatched sites, prioritizing long-term passive income over immediate theft.

- Server owners—not users—are primary victims, as malware remains undetected by capping resource consumption.

- The "stay low, mine slow" strategy highlights evolving cybercriminal tactics requiring stronger security defenses.

At least 3,500 websites have been compromised by a malicious injection of a hidden Monero mining script, according to a recent security report. This ongoing cryptojacking campaign was first identified by researchers at a cybersecurity firm, who noted that the malware operates stealthily by limiting its resource usage to avoid detection by security scans and suspicious activity alerts. Unlike traditional malware that steals passwords or locks files, this script hijacks visitors' browsers to mine Monero, a privacy-focused cryptocurrency designed to obscure transaction trails.

The campaign employs a sophisticated strategy to evade detection. By throttling CPU usage and disguising traffic within WebSocket streams, the malware avoids the typical signs of cryptojacking. This approach allows it to operate under the radar, making it difficult to detect with older security methods. The tactic of cryptojacking, which involves the unauthorized use of someone's device to mine cryptocurrency, gained prominence in late 2017 with the rise of Coinhive. Although Coinhive was shut down in 2019, the practice has resurfaced with new techniques aimed at long-term access and passive income.

The group behind this campaign appears to be reusing old infrastructure from past Magecart attacks, in which hackers inject malicious code into online checkout pages to steal payment information. By repurposing access they already had, the attackers have been able to plant the miner script with minimal effort. The malware targets unpatched sites and e-commerce servers, exploiting known vulnerabilities to spread across thousands of websites, and its low-profile operation keeps it out of view of traditional detection methods.

The risk posed by this campaign is not directly to crypto users, as the script does not drain wallets. However, the real target is server and web app owners, who may be unaware of the unauthorized mining activity on their platforms. The malware's ability to stay under the radar by capping CPU usage and communicating over WebSockets enables it to work without drawing attention. This stealthy approach is a significant shift from the noisy, CPU-choking scripts of the past, which were easier to detect due to their high resource consumption.
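The two evasion traits the article describes, a WebSocket channel used as the mining transport and a deliberately capped CPU load, are also what a site owner can look for when auditing served pages. The following scanner is an added example written for this article; it is not code from the researchers or from the campaign. It parses a page's inline scripts and flags any that open a WebSocket to a host outside the site's own domain while also using miner vocabulary (a throttle setting, thread counts derived from `hardwareConcurrency`, WebAssembly instantiation, hashrate reporting). The indicator list and the sample pages are constructed for illustration, not signatures from the report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical heuristic vocabulary for browser miners (not the researchers'
# signatures): a self-imposed CPU cap ("throttle"), worker sizing from
# hardwareConcurrency, WebAssembly loading and pool/hashrate terms.
MINER_HINTS = re.compile(
    r"\b(throttle|hashrate|stratum|cryptonight|randomx|monero|xmr|"
    r"WebAssembly\.instantiate|hardwareConcurrency)\b", re.I)
# Literal WebSocket endpoints embedded in a script body.
WS_URL = re.compile(r"""(wss?://[^'"\s]+)""", re.I)


class _ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and external script src attributes."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.inline = []    # bodies of inline scripts
        self.external = []  # src URLs of external scripts (for reporting)

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self.in_script = True
                self.inline.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.inline[-1] += data


def scan_page(html, site_host):
    """Return findings for inline scripts that open a WebSocket and look like a
    miner. Each finding records the WebSocket host, whether it is off-site,
    the miner hints seen and a simple score (hints + 2 if off-site)."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for body in parser.inline:
        ws_targets = WS_URL.findall(body)
        if not ws_targets:
            continue
        hints = sorted({h.lower() for h in MINER_HINTS.findall(body)})
        for url in ws_targets:
            host = urlparse(url).hostname or ""
            offsite = bool(host) and host != site_host \
                and not host.endswith("." + site_host)
            score = len(hints) + (2 if offsite else 0)
            if score >= 3:  # one off-site socket plus one hint is not enough
                findings.append({"ws_host": host, "offsite": offsite,
                                 "hints": hints, "score": score})
    return findings


# Constructed sample: a checkout page with an injected, throttled miner loader.
SAMPLE_INJECTED = """<html><head><title>Shop</title></head><body>
<script>
  var ws = new WebSocket("wss://cdn-example.invalid/pool");
  var threads = Math.max(1, navigator.hardwareConcurrency - 1);
  var throttle = 0.8; // idle 80% of the time to keep CPU use low
  WebAssembly.instantiate(wasmBytes).then(function(m){ start(m, threads, throttle); });
  ws.onmessage = function(e){ report(JSON.parse(e.data).hashrate); };
</script>
</body></html>"""

# Constructed sample: a legitimate first-party live-chat widget.
SAMPLE_CLEAN = """<html><body>
<script>
  var chat = new WebSocket("wss://shop.example/chat");
  chat.onmessage = function(e){ render(e.data); };
</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("injected", SAMPLE_INJECTED), ("clean", SAMPLE_CLEAN)):
        print(name, scan_page(page, "shop.example"))
```

Run over a crawl of your own site's pages, the scanner reports the off-site socket host and the hints that triggered, which is the evidence you need to pull the injected script and look for how it got there. The score threshold is deliberately conservative so a first-party chat or notification socket is not flagged on its own; adjust the vocabulary to match your own scripts before trusting it in production.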

The campaign's strategy of "stay low, mine slow" aims to prioritize long-term access and passive income. By reusing old infrastructure and targeting unpatched sites, the attackers have been able to spread the malware across a large number of websites. This new playbook for cryptojacking highlights the evolving tactics of cybercriminals, who are constantly adapting their methods to evade detection and maximize their gains. As the threat landscape continues to evolve, it is crucial for website owners and security professionals to stay vigilant and implement robust security measures to protect against such attacks.
