A Sweeping Cryptojacking Campaign: 3,500 Websites Compromised with Stealth JavaScript and WebSocket-Based Miners.

A sophisticated, large-scale cryptojacking campaign has compromised more than 3,500 websites worldwide by injecting stealthy JavaScript-based cryptocurrency miners. This resurgence of browser-based mining echoes the CoinHive era, but with marked advances in stealth and persistence. Security researchers from c/side, who analyzed the campaign in detail, warn that the same operators pose a broad, multi-pronged threat.

The Modern Stealth Cryptominer: Tactics and Technology

Unlike earlier cryptojacking efforts that gave themselves away by pegging visitors' CPUs, this campaign relies on heavily obfuscated JavaScript built to go unnoticed by users and conventional security tooling alike. The miner first profiles the computing resources of each visitor's device, then spawns background Web Workers to spread the hashing work across several threads.

Central to its evasion is a WebSocket channel to an external command server. Over that channel the operator pushes new mining tasks in real time and throttles resource consumption on the fly, so the script stays below the CPU usage that would alert a user, an endpoint monitor, or an antimalware product, and the unauthorized mining runs for longer. For defenders this means CPU-spike heuristics alone will miss it; an unexpected outbound ws:// or wss:// connection from a page that has no business opening one is often the clearer signal.
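The following Python triage script is an added example (not code from c/side's report, and not the campaign's own script) that scores saved page HTML against the capability set just described: a WebSocket channel, Web Workers, WebAssembly, a probe of the visitor's CPU core count, a timer that can throttle work, and common obfuscation markers. The indicator weights, the flag threshold, and the two sample pages (one benign, one carrying a miner-shaped loader pointed at a reserved `.invalid` host) are my assumptions, constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Heuristic indicators (assumed for this example, not signatures published by c/side):
# name -> (regex, weight). A script that combines a WebSocket channel, Web Workers,
# WebAssembly and a CPU-core probe has the capability set the article describes;
# atob/fromCharCode and long base64 runs are common obfuscation markers.
INDICATORS = {
    "websocket_ctor": (re.compile(r"new\s+WebSocket\s*\("), 3),
    "ws_url":         (re.compile(r"wss?://[^\s'\"()]+"), 2),
    "web_worker":     (re.compile(r"new\s+Worker\s*\("), 2),
    "wasm":           (re.compile(r"WebAssembly\.(instantiate|compile|Module)\b"), 3),
    "cpu_probe":      (re.compile(r"navigator\.hardwareConcurrency"), 2),
    "timer_throttle": (re.compile(r"set(Interval|Timeout)\s*\("), 1),
    "decode_obf":     (re.compile(r"\batob\s*\(|\.fromCharCode\s*\("), 1),
    "long_base64":    (re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"), 2),
}
FLAG_THRESHOLD = 7  # assumed cut-off; tune it against your own pages


@dataclass
class ScanResult:
    score: int
    hits: list
    ws_endpoints: list


def scan_script(src: str) -> ScanResult:
    """Score one script body and pull out any WebSocket endpoints it references."""
    hits, score = [], 0
    for name, (pattern, weight) in INDICATORS.items():
        if pattern.search(src):
            hits.append(name)
            score += weight
    endpoints = sorted(set(INDICATORS["ws_url"][0].findall(src)))
    return ScanResult(score, hits, endpoints)


def is_suspicious(src: str, threshold: int = FLAG_THRESHOLD) -> bool:
    return scan_script(src).score >= threshold


def extract_inline_scripts(html: str) -> list:
    """Inline <script> bodies; a regex is enough for a triage pass over saved pages."""
    bodies = re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.S | re.I)
    return [b.strip() for b in bodies if b.strip()]


def flagged_scripts(html: str) -> list:
    """Every inline script on the page that crosses the threshold, with its evidence."""
    return [r for r in map(scan_script, extract_inline_scripts(html))
            if r.score >= FLAG_THRESHOLD]


# Constructed samples: a harmless page and one carrying a miner-shaped loader.
# Neither is real campaign code; the WebSocket host uses the reserved .invalid TLD.
BENIGN_HTML = """<html><body><h1>Shop</h1>
<script>document.addEventListener("DOMContentLoaded", function () {
  document.getElementById("year").textContent = new Date().getFullYear();
});</script></body></html>"""

MINER_LOADER = (
    '(function(){var n=navigator.hardwareConcurrency||2,w=[];'
    'var code=atob("' + "QUJDREVG" * 20 + '");'          # long base64 blob stands in for packed worker code
    'for(var i=0;i<n;i++){w.push(new Worker(URL.createObjectURL(new Blob([code]))));}'
    'var s=new WebSocket("wss://pool.example.invalid/ws");'
    's.onmessage=function(e){WebAssembly.instantiate(new Uint8Array(0)).then(function(m){'
    'w.forEach(function(k){k.postMessage(e.data);});});};'
    'setInterval(function(){s.send("throttle");},1000);})();'
)
MINER_HTML = "<html><body><p>Shop</p><script>" + MINER_LOADER + "</script></body></html>"

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_HTML), ("miner", MINER_HTML)):
        for r in flagged_scripts(page):
            print(label, r.score, r.hits, r.ws_endpoints)
```

The scan deliberately never looks at CPU load, which is the signal this campaign is tuned to suppress; it keys on the combination of capabilities a throttled, worker-based miner cannot do without. On the deployment side, a Content-Security-Policy with a restrictive connect-src blocks the WebSocket channel outright (connect-src governs WebSocket connections), and worker-src limits which scripts may be spawned as Workers.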

Attack Vectors: Exploiting Website Supply Chains

While the precise initial intrusion methods for this wave are still under investigation, several contemporary website-compromise techniques match the behaviour observed:

  • JavaScript injection via OAuth abuse: Some attacks abuse the callback parameter of Google's OAuth endpoint, so that a request to a trusted Google URL lands the visitor's session on an obfuscated script, which in turn opens a malicious WebSocket connection to attacker infrastructure.
  • Google Tag Manager (GTM) injections: Intruders modify the WordPress database directly, planting GTM container snippets in core tables such as wp_options and wp_posts. The container then loads malicious JavaScript remotely, which often ends in spam or phishing redirects.
  • Direct PHP backdoors: Attackers alter files such as wp-settings.php or theme footers, embedding compressed PHP payloads that unpack at runtime. These payloads call out to remote command servers for instructions, enabling ongoing content injection, SEO spam, and link boosting for other attacker-controlled sites.
  • Fake and tampered plugins: Techniques include planting WordPress plugins named after the infected domain, which exfiltrate data or manipulate search results when a search engine crawler is detected, and supply chain attacks that deliver backdoored builds of popular plugins such as Gravity Forms (specifically versions 2.9.11.1 and 2.9.12). These rogue plugins can block update attempts, download additional payloads, and create unauthorized administrator accounts, handing the attacker full control of the site.
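To make the WordPress-side vectors above concrete for a responder, here is an added example (my own triage script, not tooling from c/side, Sucuri or WordPress) that hunts for each artifact the list names: GTM container IDs the site owner never deployed inside wp_options and wp_posts, core files or theme templates that eval a decoded or decompressed blob, plugin directories named like a hostname, and the Gravity Forms versions the article identifies as backdoored. The site hostname, the allowlisted GTM ID, the input shapes (rows exported from the database, files read from disk) and all sample evidence are constructed assumptions.

```python
import re

# Constructed site context (assumed for this example): the site's own hostname and the
# GTM container IDs its owner knowingly deployed. Any other container ID found in the
# database is a candidate injection.
SITE_HOST = "shop.example"
EXPECTED_GTM_IDS = {"GTM-AAAA111"}

# Plugin versions the article names as backdoored; a match means the install must be
# verified against a clean copy, not merely updated.
KNOWN_BAD_PLUGIN_VERSIONS = {"gravityforms": {"2.9.11.1", "2.9.12"}}

GTM_ID_RE = re.compile(r"googletagmanager\.com/gtm\.js\?id=(GTM-[A-Z0-9]+)", re.I)
# eval() wrapped around a decode/decompress chain is the usual shape of a packed PHP
# payload; wp-settings.php and theme templates have no legitimate reason to contain it.
PACKED_PHP_RE = re.compile(
    r"\beval\s*\(\s*(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I)
# Legitimate plugin slugs do not contain dots, so a dotted name that looks like a
# hostname (assumed heuristic) is worth a look on its own.
HOSTNAME_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def unexpected_gtm_ids(rows, expected=EXPECTED_GTM_IDS):
    """rows: (table, locator, value) triples pulled from wp_options / wp_posts."""
    findings = []
    for table, locator, value in rows:
        for gtm_id in GTM_ID_RE.findall(value or ""):
            if gtm_id.upper() not in expected:
                findings.append((table, locator, gtm_id.upper()))
    return findings


def packed_payload_files(files):
    """files: {path: source}. Returns paths whose PHP evals a decoded/decompressed blob."""
    return sorted(path for path, src in files.items() if PACKED_PHP_RE.search(src))


def domain_named_plugins(plugin_dirs, site_host=SITE_HOST):
    """Plugin directories named after the site itself, or like any hostname."""
    return sorted(d for d in plugin_dirs
                  if d.lower() == site_host.lower() or HOSTNAME_RE.fullmatch(d.lower()))


def known_bad_plugins(installed, bad=KNOWN_BAD_PLUGIN_VERSIONS):
    """installed: {slug: version}."""
    return sorted((slug, ver) for slug, ver in installed.items()
                  if ver in bad.get(slug, set()))


def run_hunt(rows, files, plugin_dirs, installed):
    return {
        "gtm_injections": unexpected_gtm_ids(rows),
        "packed_php": packed_payload_files(files),
        "domain_named_plugins": domain_named_plugins(plugin_dirs),
        "known_bad_plugins": known_bad_plugins(installed),
    }


# Constructed evidence, shaped like what a compromised install would show.
SAMPLE_ROWS = [
    ("wp_options", "siteurl", "https://shop.example"),
    ("wp_options", "widget_text",
     '<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-AAAA111"></script>'),
    ("wp_posts", "ID=42/post_content",
     '<p>Welcome</p><script async src="https://www.googletagmanager.com/gtm.js?id=GTM-ZZZ999"></script>'),
]
SAMPLE_FILES = {
    "wp-settings.php": "<?php\nrequire ABSPATH . WPINC . '/load.php';\n",
    "wp-content/themes/shop/header.php": "<?php wp_head(); ?>\n",
    # the base64 here is a dummy placeholder, not a real payload
    "wp-content/themes/shop/footer.php":
        "<?php wp_footer(); ?>\n<?php eval(gzinflate(base64_decode('ZHVtbXk='))); ?>\n</body></html>\n",
}
SAMPLE_PLUGIN_DIRS = ["akismet", "gravityforms", "shop.example", "woocommerce"]
SAMPLE_INSTALLED = {"akismet": "5.3", "gravityforms": "2.9.12", "woocommerce": "9.0.0"}

if __name__ == "__main__":
    for check, result in run_hunt(SAMPLE_ROWS, SAMPLE_FILES,
                                  SAMPLE_PLUGIN_DIRS, SAMPLE_INSTALLED).items():
        print(f"{check}: {result}")
```

Each check answers one question from the list: a GTM ID outside the allowlist points at a database-level injection, an eval over a decoded blob in a core or template file points at a PHP backdoor, and a plugin slug shaped like a hostname or a version on the bad list points at a fake or tampered plugin. A hit on the version check alone is not proof of compromise; it is the prompt to diff the installed files against a clean archive and to audit administrator accounts, since the article notes these plugins create their own.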

Infrastructure Reuse: Linking Cryptojacking and Magecart Crimes

Researchers have identified close ties between the domains delivering these JavaScript miners and those previously used in widespread Magecart payment card skimming operations. The overlap means the cryptojacking infrastructure frequently doubles as a platform for exfiltrating financial data, a notable escalation in adversary capability and intent. Magecart-linked attacks, for example, have recently targeted e-commerce sites running the OpenCart CMS in East Asia, injecting fake payment forms at checkout and siphoning bank details to attacker-controlled servers.

The Business Model: Persistent, Low-Profile Resource Theft

A key evolution in this latest wave is the strategic shift toward stealth and persistence. By calibrating resource consumption to stay inconspicuous, attackers favor continuous, long-term exploitation ("digital vampirism") over short-lived, brute-force theft. Reusing the same infrastructure for both mining and payment card skimming widens their monetization options and lets them pivot quickly to opportunistic attacks.
