A cybersecurity firm has revealed a large-scale campaign targeting over 3,500 websites with covert Monero mining scripts, leveraging stealth techniques to exploit users’ computing resources without their knowledge. The malware, detected by c/side, operates by injecting JavaScript code into compromised sites, such as files named “karma[.]js.” Unlike earlier cryptojacking tactics that caused noticeable device slowdowns, this iteration prioritizes subtlety, throttling CPU usage and masking traffic in WebSocket streams to avoid detection. The approach allows attackers to mine Monero discreetly, using a fraction of users’ processing power while maintaining a low profile.
The attack unfolds in stages, beginning with the injection of malicious scripts into website code. These scripts assess device capabilities—including WebAssembly support and browser features—to optimize resource allocation. Background processes are then established, enabling the malware to execute mining tasks silently. Communication with command-and-control servers occurs via WebSockets or HTTPS, allowing hackers to distribute mining instructions and collect results. Notably, the malware does not steal credentials or encrypt files, but it repurposes infected servers as unauthorized mining nodes, effectively monetizing unsuspecting visitors’ devices.
This resurgence of cryptojacking mirrors strategies from 2017, when browser-based mining services like Coinhive gained traction. However, the current variant reflects a strategic shift toward evasion. Early cryptojacking campaigns overwhelmed processors, prompting user complaints and ad-blocker adoption. The latest method, by contrast, distributes computational load more evenly, blending with legitimate traffic to avoid scrutiny. Analysts highlight that “throttling CPU usage and hiding traffic in WebSocket streams” are key to its stealth, ensuring prolonged undetected operation across a vast network of compromised sites.
The breach underscores vulnerabilities in web infrastructure, particularly the risks associated with third-party scripts. Websites often rely on external code for analytics or advertising, creating entry points for attackers. Once injected, the scripts exploit these channels to execute silently, shifting the burden of resource consumption from hackers to users. Affected individuals may notice subtle performance degradation or increased electricity costs, though the lack of overt malicious behavior makes detection challenging. For website operators, the incident highlights the need for rigorous script vetting and real-time monitoring to identify anomalous traffic patterns or unexpected CPU usage.
While Monero’s privacy-focused design makes it a favored choice for illicit mining, the low yield of distributed browser-based mining suggests attackers are prioritizing scale over efficiency. The compromise of over 3,500 sites indicates a coordinated effort, though the fragmented nature of modern cyber threats complicates attribution. Analysts caution that the same infrastructure could theoretically be repurposed for data exfiltration, though no evidence of this has been confirmed. The campaign reflects a broader trend of cybercriminals adapting to regulatory and technical countermeasures by shifting toward less disruptive but equally profitable tactics.
Experts recommend that website administrators implement strict content security policies and audit third-party code regularly. Automated tools can help detect irregularities in traffic or CPU activity, but attackers are increasingly sophisticated in evading such measures. The incident serves as a reminder that even seemingly legitimate websites can become conduits for resource exploitation, emphasizing the need for transparency and accountability in digital ecosystems. As cryptojacking tactics continue to evolve, proactive defense remains critical to mitigating the risks of covert mining operations.
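The content security policy audit recommended above can be partly automated. The following JavaScript is an added example, not code from c/side or from the original article: it checks a Content-Security-Policy header for the script, WebAssembly, WebSocket/HTTPS and background-worker channels the campaign is described as using. The function names, finding labels and sample policies are constructed for illustration, and treating the article's "background processes" as Web Workers is an assumption.

```javascript
// Added example: flag CSP settings that leave open the channels described above.
// Simplification: nonce/hash and 'strict-dynamic' interactions are not modelled.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers, so the first one wins.
    if (name && !policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

// Walk a directive's fallback chain; null means no directive applies (unrestricted).
function effective(policy, chain) {
  for (const name of chain) {
    if (policy.has(name)) return policy.get(name);
  }
  return null;
}

const allows = (sources, risky) => sources === null || risky.some((s) => sources.includes(s));

function auditCsp(header) {
  const p = parseCsp(header);
  const script = effective(p, ['script-src', 'default-src']);
  const connect = effective(p, ['connect-src', 'default-src']);
  // Assumption: the "background processes" are Web Workers, governed by worker-src.
  const worker = effective(p, ['worker-src', 'child-src', 'script-src', 'default-src']);
  const findings = [];
  // Injected or third-party script can run from any origin or inline.
  if (allows(script, ['*', 'https:', 'http:', "'unsafe-inline'"])) findings.push('script-unrestricted');
  // WebAssembly compilation is permitted (review whether the site needs it).
  if (allows(script, ["'unsafe-eval'", "'wasm-unsafe-eval'"])) findings.push('wasm-allowed');
  // Page scripts can open WebSocket or HTTPS connections to arbitrary hosts.
  if (allows(connect, ['*', 'https:', 'wss:', 'ws:'])) findings.push('connect-any-host');
  // Workers can be started from any origin or from blob:/data: URLs.
  if (allows(worker, ['*', 'blob:', 'data:'])) findings.push('worker-unrestricted');
  return findings;
}

// Constructed sample policies, not taken from any affected site.
const WEAK = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'";
const STRICT = "default-src 'self'; script-src 'self'; connect-src 'self'; worker-src 'self'";
console.log(auditCsp(WEAK));
console.log(auditCsp(STRICT));
```

A site that sends no policy at all is reported with all four findings, since every channel is then unrestricted.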
