{"id":25493,"date":"2025-07-22T16:19:51","date_gmt":"2025-07-22T13:19:51","guid":{"rendered":"https:\/\/forklog.com\/en\/hackers-infect-over-3500-websites-with-monero-cryptojacker\/"},"modified":"2025-07-22T16:19:51","modified_gmt":"2025-07-22T13:19:51","slug":"hackers-infect-over-3500-websites-with-monero-cryptojacker","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/hackers-infect-over-3500-websites-with-monero-cryptojacker\/","title":{"rendered":"Hackers Infect Over 3,500 Websites with Monero Cryptojacker"},"content":{"rendered":"<p>Cybercriminals have infected more than 3,500 websites with scripts for covert cryptocurrency mining, according to cybersecurity firm <a href=\"https:\/\/cside.dev\/blog\/cryptojacking-is-dead-long-live-cryptojacking\">c\/side<\/a>.<\/p>\n<p>The malware does not steal passwords or lock files. Instead, it uses a small portion of computing power without user consent to mine Monero. The miner avoids suspicious CPU load, making it difficult to detect.\u00a0<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cBy limiting CPU usage and disguising traffic through WebSocket connections, this script avoids the typical signs of traditional cryptojacking,\u201d analysts noted.\u00a0<\/p>\n<\/blockquote>\n<p>Cryptojacking refers to the unauthorized use of others&#8217; devices to mine digital assets, typically without the owners&#8217; knowledge. This tactic emerged in 2017 with the launch of the Coinhive service, which was shut down in 2019. At that time, reports on the prevalence of such malware were conflicting: some sources <a href=\"https:\/\/decrypt.co\/8808\/confusion-over-cryptojacking-reports-say-the-technique-is-rising-and-falling\">reported<\/a> a decline in activity, while other labs <a href=\"https:\/\/blog.checkpoint.com\/security\/july-2019s-most-wanted-malware-vulnerability-in-opendreambox-2-0-0-webadmin-plugin-enables-attackers-to-execute-commands-remotely\/\">recorded<\/a> a 29% increase.\u00a0<\/p>\n<p>Five years later, cryptojacking has returned in a more concealed form. Previously, scripts overloaded processors and slowed down devices. Now, the main strategy of the malware is to remain undetected and mine slowly without arousing suspicion, an anonymous cybersecurity expert commented to <a href=\"https:\/\/decrypt.co\/331195\/cryptojacking-resurfaces-as-monero-miner-malware-hits-3500-sites-report\">Decrypt<\/a>.\u00a0<\/p>\n<p>c\/side analysts described the main stages of the attack:\u00a0<\/p>\n<ul class=\"wp-block-list\">\n<li>injection of malicious script \u2014 a JavaScript file (e.g., karma[.]js) is added to the site code, initiating mining;<\/li>\n<li>checking for WebAssembly support, device type, and browser capabilities to optimize load;<\/li>\n<li>creation of background processes;<\/li>\n<li>communication with the control server \u2014 via WebSockets or HTTPS, the script receives mining tasks and sends results to the C2 server, the hackers&#8217; command center.<\/li>\n<\/ul>\n<p>The malware is not aimed at stealing cryptocurrency wallets. However, technically, hackers could exploit such a function. At risk are server and web application owners whose sites become platforms for mining.<\/p>\n<p>Earlier in June, experts from Kaspersky Lab <a href=\"https:\/\/u1f987.com\/en\/news\/analysts-report-new-surge-of-covert-mining-in-russia\">reported<\/a> a new wave of covert mining in Russia. The hacker group Librarian Ghouls, also known as Rare Werewolf, compromised hundreds of Russian devices.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals have infected more than 3,500 websites with scripts for covert cryptocurrency mining, according to cybersecurity firm c\/side. The malware does not steal passwords or lock files. Instead, it uses a small portion of computing power without user consent to mine Monero. The miner avoids suspicious CPU load, making it difficult to detect.\u00a0 \u201cBy limiting [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":25492,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44],"class_list":["post-25493","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime"],"aioseo_notices":[],"amp_enabled":true,"views":"157","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/25493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=25493"}],"version-history":[{"count":0,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/25493\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/25492"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=25493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=25493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=25493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}