A Silent Threat: Cryptojacking Returns with New Stealth Techniques
A new wave of covert cryptojacking is sweeping the internet, with over 3,500 websites reportedly infected by hidden Monero mining scripts. Cybersecurity experts at c/side uncovered the large-scale campaign, warning that the malicious code silently hijacks users’ CPU power — without stealing passwords or encrypting files.
Instead of the traditional, noisy malware behavior, this new generation of cryptojacking scripts plays it smart. By limiting CPU usage and disguising their traffic over WebSocket connections, the miners avoid detection by standard antivirus solutions.
How the Attack Works: From Script to Server
Analysts describe a multi-step infection process that starts with injecting a JavaScript file, often named karma[.]js, directly into a website’s codebase. The script then checks for WebAssembly support, assesses the device type and browser capabilities, and starts background mining processes.
The real stealth comes from the communication methods. Using either WebSockets or HTTPS, the malware fetches mining tasks from a command-and-control (C2) server, then quietly sends results back — all while the user browses the site unaware.
Not Just a Coin Theft Tool
While this Monero miner isn’t designed to steal crypto wallets, experts warn that it could be adapted to do just that. The real victims? Website owners and server administrators. Their platforms are being weaponized as free mining hubs for cybercriminals — potentially damaging their performance, SEO rankings, and user trust.
A Look Back: The Evolution of Cryptojacking
Cryptojacking first gained notoriety in 2017 with the rise of Coinhive, a mining service that many later abused. After Coinhive’s shutdown in 2019, reports of cryptojacking declined — or so it seemed.
Now, five years later, it’s back with a vengeance, but far more sophisticated and stealthy. An anonymous cybersecurity expert told Decrypt, “Earlier miners overloaded CPUs. These ones mine quietly — that’s their survival trick.”
How to Protect Your Website and Users
If you’re a website administrator, now’s the time to act. Check for unexpected JavaScript files, especially unfamiliar ones like karma[.]js. Use tools that analyze CPU behavior in real time and monitor WebSocket traffic to spot anomalies.
You should also apply regular software updates, enforce Content Security Policies (CSP), and consider third-party integrity checks to validate what scripts are running on your site.
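One way to put the script check and the CSP advice above into practice, as an added example that is not part of the original article: it audits a page's external scripts against an allowlist and builds a matching policy. The hostnames, the sample HTML and the integrity value are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: an allowlisted script with SRI, an allowlisted
# script without SRI, an injected script on an unknown host, a local script.
SAMPLE_HTML = """
<script src="https://cdn.example.com/lib.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://cdn.example.com/widgets.js"></script>
<script src="https://static.unknown.example/karma.js"></script>
<script src="/js/app.js"></script>
"""

class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append((attr["src"], attr.get("integrity")))

def audit_scripts(html, allowed_hosts):
    """Return findings for scripts on unexpected hosts or lacking SRI."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        host = urlparse(src).hostname
        if host is None:
            continue  # relative path: served from the site itself
        if host not in allowed_hosts:
            findings.append(("unexpected-host", src))
        elif not integrity:
            findings.append(("missing-sri", src))
    return findings

def build_csp(allowed_hosts):
    # script-src without 'wasm-unsafe-eval' or 'unsafe-eval' makes browsers
    # refuse WebAssembly compilation; connect-src 'self' limits fetch, XHR
    # and WebSocket destinations to the site's own origin.
    hosts = " ".join(f"https://{h}" for h in sorted(allowed_hosts))
    return f"script-src 'self' {hosts}; connect-src 'self'"

if __name__ == "__main__":
    print(audit_scripts(SAMPLE_HTML, {"cdn.example.com"}))
    print("Content-Security-Policy:", build_csp({"cdn.example.com"}))
```

Roll the policy out with the Content-Security-Policy-Report-Only header first, so that legitimate scripts and connections it would block show up in reports before enforcement.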
Conclusion: Cryptojacking Is Quiet, But Dangerous
Cryptojacking has evolved from a noisy, easy-to-spot attack into a stealthy, profit-driven cybercrime model. The infection of over 3,500 websites proves that even well-maintained platforms can fall victim. By staying vigilant, understanding the new threat vectors, and improving website monitoring protocols, businesses can better defend against this quiet invasion.





