Cryptojacking attacks are back again, compromising more than 3,500 websites and silently hijacking users’ browsers to mine Monero, a privacy-focused cryptocurrency. The campaign was uncovered by cybersecurity firm c/side on Tuesday, almost seven years after defunct service Coinhive was shut down after popularizing the tactic since 2017.
According to c/side researchers, the malware is hidden in obfuscated JavaScript code that silently deploys a miner when users visit an infected site. Once a visitor lands on the compromised page, the script quietly evaluates the device’s computing power. Then it launches parallel Web Workers in the background to perform mining operations, without the user’s consent.
By throttling processor usage and routing communication through WebSocket streams, the miner avoids detection, hiding behind normal browser traffic. “The goal is to siphon resources over time, like a digital vampire persistently,” c/side analysts explained.
How the cryptojacking code operates
c/side found a code inserted on a website through a third-party JavaScript file loaded from https://www.yobox[.]store/karma/karma.js?karma=bs?nosaj=faster.mo. Instead of directly mining Monero on initial execution, it first checks if the user’s browser supports WebAssembly, a standard for running applications with high processing demands.
The code then gauges if the device is suitable for mining, and spins up background Web Workers dubbed “worcy,” which handle the mining tasks discreetly and leave the main browser thread undisturbed. Commands and mining intensity levels are inserted from a command-and-control (C2) server via WebSocket connections.
The hosting domain of the JavaScript miner has previously been linked to Magecart campaigns, infamous for stealing payment card details. This could mean the group behind the current campaign have a history in cybercrime.
Threat spreads through website exploits
In recent weeks, cybersecurity sleuths have discovered several client-side attacks on websites running on WordPress. The researchers spotted infection methods that embed malicious JavaScript or PHP code into WP sites.
Attackers have started abusing Google’s OAuth system by embedding JavaScript in callback parameters tied to URLs such as “accounts.google.com/o/oauth2/revoke.” The redirect takes browsers through a cloaked JavaScript payload that establishes a WebSocket connection to the bad actor’s server.
Another method injects scripts via Google Tag Manager (GTM), which is then directly embedded into WordPress database tables like wp_options and wp_posts. This script silently redirects users to over 200 spam domains.
Other approaches include changes in WordPress’s wp-settings.php files to fetch payloads from ZIP archives hosted on remote servers. Once activated, these scripts infect a site’s SEO rankings and add content to improve visibility for scam websites.
In one case, code was injected into a theme’s footer PHP script, causing a browser to redirect a user to malicious websites. Another involved a fake WordPress plugin named after the infected domain that detects when search engine crawlers visit the page. It would then spam content to manipulate search engine rankings, still hidden from human visitors.
C/side mentioned how Gravity Forms plugin versions 2.9.11.1 and 2.9.12 were compromised and distributed through the official plugin site in a supply chain attack. The tampered versions contact an external server to fetch additional payloads and attempt to create an administrative account on the WordPress site.
In Fall 2024, the US Agency for International Development (USAID) fell victim to cryptojacking after Microsoft alerted the agency to a breached administrator account in a test environment. The attackers used a password spray attack to access the system, then created a second account for crypto mining operations via USAID’s Azure cloud infrastructure.
Cryptopolitan Academy: Want to grow your money in 2025? Learn how to do it with DeFi in our upcoming webclass. Save Your Spot
