Mitrade Insights is dedicated to providing investors with rich, timely and most valuable financial information to help investors grasp the market situation and find timely trading opportunities.

2021

Best News & Analysis Provider

FxDailyInfo

2022

Best Forex Educational Resources Global

International Business Magazine

Insights

News

Cryptocurrencies

Monero mining malware hits 3,500+ sites as cryptojacking attacks make a comeback

Source Cryptopolitan

Cryptojacking attacks are back again, compromising more than 3,500 websites and silently hijacking users’ browsers to mine Monero, a privacy-focused cryptocurrency. The campaign was uncovered by cybersecurity firm c/side on Tuesday, almost seven years after defunct service Coinhive was shut down after popularizing the tactic since 2017.

According to c/side researchers, the malware is hidden in obfuscated JavaScript code that silently deploys a miner when users visit an infected site. Once a visitor lands on the compromised page, the script quietly evaluates the device’s computing power. Then it launches parallel Web Workers in the background to perform mining operations, without the user’s consent.

By throttling processor usage and routing communication through WebSocket streams, the miner avoids detection, hiding behind normal browser traffic. “The goal is to siphon resources over time, like a digital vampire persistently,” c/side analysts explained.

How the cryptojacking code operates

c/side found a code inserted on a website through a third-party JavaScript file loaded from https://www.yobox[.]store/karma/karma.js?karma=bs?nosaj=faster.mo. Instead of directly mining Monero on initial execution, it first checks if the user’s browser supports WebAssembly, a standard for running applications with high processing demands.

The code then gauges if the device is suitable for mining, and spins up background Web Workers dubbed “worcy,” which handle the mining tasks discreetly and leave the main browser thread undisturbed. Commands and mining intensity levels are inserted from a command-and-control (C2) server via WebSocket connections.

The hosting domain of the JavaScript miner has previously been linked to Magecart campaigns, infamous for stealing payment card details. This could mean the group behind the current campaign have a history in cybercrime.

Threat spreads through website exploits

In recent weeks, cybersecurity sleuths have discovered several client-side attacks on websites running on WordPress. The researchers spotted infection methods that embed malicious JavaScript or PHP code into WP sites.

Cryptojacking hits markets, Monero miner malware targets 3,500+ sites — Coinhive short url. Source: Malwarebytes.com

Attackers have started abusing Google’s OAuth system by embedding JavaScript in callback parameters tied to URLs such as “accounts.google.com/o/oauth2/revoke.” The redirect takes browsers through a cloaked JavaScript payload that establishes a WebSocket connection to the bad actor’s server.

Another method injects scripts via Google Tag Manager (GTM), which is then directly embedded into WordPress database tables like wp_options and wp_posts. This script silently redirects users to over 200 spam domains.

Other approaches include changes in WordPress’s wp-settings.php files to fetch payloads from ZIP archives hosted on remote servers. Once activated, these scripts infect a site’s SEO rankings and add content to improve visibility for scam websites.

In one case, code was injected into a theme’s footer PHP script, causing a browser to redirect a user to malicious websites. Another involved a fake WordPress plugin named after the infected domain that detects when search engine crawlers visit the page. It would then spam content to manipulate search engine rankings, still hidden from human visitors.

C/side mentioned how Gravity Forms plugin versions 2.9.11.1 and 2.9.12 were compromised and distributed through the official plugin site in a supply chain attack. The tampered versions contact an external server to fetch additional payloads and attempt to create an administrative account on the WordPress site.

In Fall 2024, the US Agency for International Development (USAID) fell victim to cryptojacking after Microsoft alerted the agency to a breached administrator account in a test environment. The attackers used a password spray attack to access the system, then created a second account for crypto mining operations via USAID’s Azure cloud infrastructure.

Cryptopolitan Academy: Want to grow your money in 2025? Learn how to do it with DeFi in our upcoming webclass. Save Your Spot

Disclaimer: For information purposes only. Past performance is not indicative of future results.

Recommended Articles

Natural Gas sinks to pivotal level as China’s demand slumps Natural Gas price (XNG/USD) edges lower and sinks to $2.56 on Monday, extending its losing streak for the fifth day in a row. The move comes on the back of China cutting its Liquified Natural Gas (LNG) imports after prices rose above $3.0 in June. It

Author FXStreet

Jul 01, 2024

Natural Gas price (XNG/USD) edges lower and sinks to $2.56 on Monday, extending its losing streak for the fifth day in a row. The move comes on the back of China cutting its Liquified Natural Gas (LNG) imports after prices rose above $3.0 in June. It

ECB Policy Outlook for 2026: What It Could Mean for the Euro’s Next Move With the ECB likely holding rates steady at 2.15% and the Fed potentially extending cuts into 2026, EUR/USD may test 1.20 if Eurozone growth proves resilient, but weaker growth and an ECB pivot could pull the pair back toward 1.13 and potentially 1.10.

Author Mitrade

Dec 26, 2025

With the ECB likely holding rates steady at 2.15% and the Fed potentially extending cuts into 2026, EUR/USD may test 1.20 if Eurozone growth proves resilient, but weaker growth and an ECB pivot could pull the pair back toward 1.13 and potentially 1.10.

My Top 5 Stock Market Predictions for 2026 Five 2026 market predictions written in a native, news-style voice: AI’s winners and losers, broader sector leadership, dividend demand, valuation cooling as the Shiller CAPE sits at 39 (Dec. 31, 2025), and quantum-computing bursts—while keeping all original facts and numbers unchanged.

Author Mitrade

Jan 06, Tue

Five 2026 market predictions written in a native, news-style voice: AI’s winners and losers, broader sector leadership, dividend demand, valuation cooling as the Shiller CAPE sits at 39 (Dec. 31, 2025), and quantum-computing bursts—while keeping all original facts and numbers unchanged.

Silver Price Analysis: Climbs above $80, as bulls eye weekly high Silver price advances more than 2.50% on Friday, set to end the week with gains of over 7% sponsored by US Dollar weakness and falling oil prices. At the time of writing, the XAG/USD trades at $80.72, after bouncing off daily lows of $78.16.

Author FXStreet

May 09, Sat

Silver price advances more than 2.50% on Friday, set to end the week with gains of over 7% sponsored by US Dollar weakness and falling oil prices. At the time of writing, the XAG/USD trades at $80.72, after bouncing off daily lows of $78.16.

Gold slumps below $4,700 on Trump rejection of Iran peace proposal Gold price (XAU/USD) falls to around $4,690 during the early Asian session on Monday. The precious metal attracts some sellers after US President Donald Trump rejected Iran’s latest peace offer to end the 10-week conflict choking the Strait of Hormuz, fanning inflation fears.

Author FXStreet

3 hours ago

Gold price (XAU/USD) falls to around $4,690 during the early Asian session on Monday. The precious metal attracts some sellers after US President Donald Trump rejected Iran’s latest peace offer to end the 10-week conflict choking the Strait of Hormuz, fanning inflation fears.

Popular Symbols