- Over 3,500 websites have hidden Monero mining scripts installed through a malicious injection chain.
- Hackers are reusing old access points, mainly on unpatched and e-commerce servers, to deliver these scripts.
- The mining Malware limits the use of system resources to avoid detection by standard security tools.
- The campaign is ongoing and was first discovered by Cybersecurity company c/side.
- The scripts convert visitors’ browsers into Monero mining engines without stealing passwords or funds.
Attackers have compromised more than 3,500 websites to secretly run Monero mining scripts. The malicious software hijacks visitors’ browsers to mine Monero, a privacy-focused cryptocurrency, without user consent.
Cybersecurity researchers at c/side discovered the attack, which is still active. The Hackers delivered the mining script through a chain of malicious injections, often targeting unpatched websites and e-commerce servers.
The mining malware is designed to operate quietly. It limits CPU (computer processing unit) usage and hides network traffic using WebSocket streams to reduce the chances of being noticed by security tools. According to c/side, “By throttling CPU usage and hiding traffic in WebSocket streams, it avoided the telltale signs of traditional crypto jacking,” as disclosed in their recent blog post.
An unnamed security researcher stated to Decrypt that the hackers are leveraging infrastructure from previous campaigns, including access gained during past Magecart attacks. Magecart is a tactic involving the injection of code into online checkout pages to steal payment information. The attackers reportedly placed the Monero miner by adding an extra script to already-compromised sites: “Planting the miner was trivial, they simply added one more script to load the obfuscated JS, repurposing existing access.”
Unlike past attacks that overloaded users’ CPUs, the current approach uses WebAssembly code, which allows efficient mining, paired with WebSockets for constant, low-key server communication. The new scripts are designed to remain undetected, capping resource use so browsers do not show abnormal behavior.
The primary goal appears to be long-term, Passive income for attackers. The malware does not currently steal passwords or drain crypto wallets, although it could potentially be adapted to do so. The main targets are web server and app owners, not end users.
Cryptojacking, the hidden mining of cryptocurrency on someone else’s device, became widely known in 2017 with the rise of Coinhive, a service that was shut down in 2019. Since then, reports on its frequency have been mixed, but this new low-profile campaign points to a shift in how attackers are operating. For more background or technical analysis, visit the official disclosure from c/side.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Beself Brands, BeToken, and the Breakthrough that Put Spain at the Vanguard of Innovation
- Opendoor Stock Soars 860%, Triggers Halts Amid Retail Frenzy
- ARK Invest Dumps Coinbase, Roblox for $174M Bet on Ethereum Firm
- Monero 0.18.4.1 ‘Fluorine Fermi’ Release Tagged, Binaries Soon
- Ring Users Alarmed by Mysterious Logins, Amazon Blames Bug
