Monero Mining Malware Infects Over 3,500 Sites—Cryptojacking Resurges in 2025
Cybercriminals are back with a vengeance—hijacking websites to mine Monero while you scroll.
How it works: Malicious scripts sneak into vulnerable sites, turning visitors' CPUs into crypto-mining slaves. No clicks required—just landing on the page kicks off the attack.
The scale: Over 3,500 sites already compromised this year, according to security researchers. Targets range from small blogs to enterprise portals.
Why Monero? Privacy features make it the go-to coin for digital thieves—untraceable payouts beat Bitcoin’s transparent ledger any day.
Wall Street takeaway: Hackers understand ROI better than most hedge funds—why steal credit cards when you can mint money silently?
How the cryptojacking code operates
c/side found a code inserted on a website through a third-party JavaScript file loaded from https://www.yobox[.]store/karma/karma.js?karma=bs?nosaj=faster.mo. Instead of directly mining Monero on initial execution, it first checks if the user’s browser supports WebAssembly, a standard for running applications with high processing demands.
The code then gauges if the device is suitable for mining, and spins up background Web Workers dubbed “worcy,” which handle the mining tasks discreetly and leave the main browser thread undisturbed. Commands and mining intensity levels are inserted from a command-and-control (C2) server via WebSocket connections.
The hosting domain of the JavaScript miner has previously been linked to Magecart campaigns, infamous for stealing payment card details. This could mean the group behind the current campaign have a history in cybercrime.
Threat spreads through website exploits
In recent weeks, cybersecurity sleuths have discovered several client-side attacks on websites running on WordPress. The researchers spotted infection methods that embed malicious JavaScript or PHP code into WP sites.
Attackers have started abusing Google’s OAuth system by embedding JavaScript in callback parameters tied to URLs such as “accounts.google.com/o/oauth2/revoke.” The redirect takes browsers through a cloaked JavaScript payload that establishes a WebSocket connection to the bad actor’s server.
Another method injects scripts via Google Tag Manager (GTM), which is then directly embedded into WordPress database tables like wp_options and wp_posts. This script silently redirects users to over 200 spam domains.
Other approaches include changes in WordPress’s wp-settings.php files to fetch payloads from ZIP archives hosted on remote servers. Once activated, these scripts infect a site’s SEO rankings and add content to improve visibility for scam websites.
In one case, code was injected into a theme’s footer PHP script, causing a browser to redirect a user to malicious websites. Another involved a fake WordPress plugin named after the infected domain that detects when search engine crawlers visit the page. It WOULD then spam content to manipulate search engine rankings, still hidden from human visitors.
C/side mentioned how Gravity Forms plugin versions 2.9.11.1 and 2.9.12 were compromised and distributed through the official plugin site in a supply chain attack. The tampered versions contact an external server to fetch additional payloads and attempt to create an administrative account on the WordPress site.
In Fall 2024, the US Agency for International Development (USAID) fell victim to cryptojacking after Microsoft alerted the agency to a breached administrator account in a test environment. The attackers used a password spray attack to access the system, then created a second account for crypto mining operations via USAID’s Azure cloud infrastructure.
Cryptopolitan Academy: Want to grow your money in 2025? Learn how to do it with DeFi in our upcoming webclass. Save Your Spot
