Hackers embedded a hidden Monero miner in more than 3,500 websites

The company c/side discovered hidden malicious script activity on more than 3,500 websites. These scripts use users’ computing resources without their knowledge to mine Monero, an anonymity-oriented cryptocurrency. The malware minimizes CPU load and masks traffic via WebSocket, making it difficult to detect by traditional means.

Analysts clarified that the miners do not steal data or encrypt files; they only consume processor time for profit. This technique is known as cryptojacking. It became widespread in 2017, but after Coinhive was shut down in 2019, various reports say the number of such attacks either declined or rose again.

Today, attackers emphasize stealth: malicious code, such as karma[.]js, is injected into websites, checks the victim’s device, and starts a background process. Then, via WebSocket or HTTPS, the script receives tasks and sends the results to the management server. Such attacks turn compromised websites into a platform for generating cryptocurrency.

A cybersecurity expert emphasized in a Decrypt commentary that the new schemes do not cause a dramatic drop in performance as before and can remain undetected for months. This makes them especially dangerous for website and server owners.

Although mining remains the primary goal, experts note that the scripts can be modified to steal cryptocurrency keys or data. The greatest risk is posed by web applications and poorly secured hosting services that do not track changes in JavaScript code.

Earlier in June, Kaspersky Lab also reported a surge in hidden mining. The Librarian Ghouls group infected hundreds of Russian devices using similar methods.
