Hackers infected over 3500 sites with a hidden Monero miner.


Malicious actors have infected over 3500 websites with scripts for covert cryptocurrency mining. This was reported by the cybersecurity company c/side.

The malware does not steal passwords or lock files. Instead, it uses a small portion of the visitor's computing power, without consent, to mine Monero. The miner avoids suspicious CPU load, which makes it difficult to detect.

"Thanks to the limitation of CPU usage and traffic obfuscation through WebSocket connections, this script avoids the typical signs of traditional cryptojacking," analysts noted.

Cryptojacking is the unauthorized use of someone else's devices to mine digital assets, typically without the owners' knowledge. This tactic emerged in 2017 with the launch of the Coinhive service. It was shut down in 2019. At that time, data on the prevalence of such malware was contradictory: some sources reported a decrease in activity, while other laboratories recorded a 29% increase.

"Attacks have become more complex, attacks have become more sophisticated"

After five years, cryptojacking has returned, but in a more stealthy form. Previously, scripts would overload processors and slow down devices. Now the main strategy of the malware is to remain unnoticed and mine slowly, avoiding suspicion, noted an anonymous cybersecurity expert in a comment to Decrypt.

Analysts from c/side outlined the main stages of the attack:

  • injection of a malicious script — a JavaScript file (for example, karma[.]js) is added to the website code and starts the mining process;
  • a check for WebAssembly support, device type and browser capabilities, used to tune the load;
  • creation of background processes;
  • connection to the management server — over WebSockets or HTTPS the script receives mining tasks and sends the results to the C2 server, the hackers' command center.
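As an added example (not code from c/side or the original article), a defender-side heuristic in Python that scores a script body against the indicators implied by those stages; the patterns and the two sample scripts are constructed assumptions, not real signatures or real miner code:

```python
import re
from dataclasses import dataclass, field

# Hypothetical heuristic patterns mirroring the stages above: compute via
# WebAssembly, off-main-thread execution via Worker, a WebSocket/HTTPS
# channel to the C2, and self-throttling to stay under the CPU radar.
# These are illustrative, not c/side's published signatures.
INDICATORS = {
    "wasm": re.compile(r"WebAssembly\.(instantiate|compile|Module)\b"),
    "worker": re.compile(r"new\s+Worker\s*\("),
    "websocket": re.compile(r"new\s+WebSocket\s*\(\s*['\"]wss?://"),
    "throttle": re.compile(r"hardwareConcurrency|requestIdleCallback"),
    "mining_proto": re.compile(r'"method"\s*:\s*"(login|submit|job)"'),
}
CORE = {"wasm", "worker", "websocket"}  # combination that is rare in benign code

@dataclass
class Finding:
    name: str
    hits: list = field(default_factory=list)
    score: int = 0

def scan_script(name: str, source: str) -> Finding:
    """Score one script body: each indicator adds 1, the full core set adds 3."""
    f = Finding(name)
    for label, pat in INDICATORS.items():
        if pat.search(source):
            f.hits.append(label)
    f.score = len(f.hits) + (3 if CORE.issubset(f.hits) else 0)
    return f

def suspicious(f: Finding, threshold: int = 5) -> bool:
    return f.score >= threshold

# Constructed samples: a legitimate chat client and a stub that carries the
# fingerprint of a covert miner (it performs no mining, only the calls).
BENIGN_JS = """
const ws = new WebSocket("wss://chat.example.invalid/room");
ws.onmessage = (e) => render(JSON.parse(e.data));
"""
MINER_LIKE_JS = """
const threads = Math.max(1, (navigator.hardwareConcurrency || 2) >> 1);
WebAssembly.instantiate(wasmBytes).then((m) => start(m, threads));
const worker = new Worker("worker.js");
const ws = new WebSocket("wss://c2.example.invalid/ws");
ws.onopen = () => ws.send(JSON.stringify({"method": "login"}));
"""

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_JS), ("miner-like", MINER_LIKE_JS)):
        f = scan_script(name, src)
        print(f"{f.name}: hits={f.hits} score={f.score} flag={suspicious(f)}")
```

A single indicator is common in legitimate code; the combination of compute, off-thread execution and a C2 channel is what makes a page worth a closer look.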

The malware is not designed to steal cryptocurrency wallets, although technically the attackers could add such a capability. Those at risk are owners of servers and web applications whose sites are turned into a mining platform.

On June 12, Kaspersky Lab specialists reported a new wave of hidden mining in Russia. The hacker group Librarian Ghouls, also known as Rare Werewolf, hacked hundreds of Russian devices.
