A massive new cryptojacking campaign has compromised over 3,500 websites globally, signaling a resurgence of browser-based cryptocurrency mining attacks reminiscent of those previously associated with now-defunct services like CoinHive.
According to researchers at c/side, the attackers have embedded a stealth JavaScript miner into compromised websites. This miner is obfuscated and uses Web Workers to run mining tasks in parallel, minimizing detection. “This was a stealth miner, designed to avoid detection by staying below the radar of both users and security tools,” said security researcher Himanshu Anand.
What makes this campaign especially dangerous is its use of WebSockets to retrieve mining instructions from an external server. This allows the attacker to dynamically adjust mining intensity based on the device’s performance capabilities, keeping CPU usage subtle enough to evade user suspicion while continuously generating cryptocurrency in the background.
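As an added illustration (not c/side's code and not part of the campaign's scripts), the following heuristic scan flags a page script that combines the traits described above: a Web Worker spun up from an inline blob, a WebSocket to a host other than the site's own, a CPU-core probe, and common obfuscation markers. The host names, sample snippets and indicator weights are constructed assumptions.

```javascript
// Added example: heuristic scan of a script body for the Worker + WebSocket +
// obfuscation combination this campaign used. Site origin, weights and
// sample scripts are constructed assumptions, not values from the report.

const OWN_HOST = "shop.example.invalid"; // assumed origin of the scanned site

// Each indicator is a regex with a weight; the scan reports which ones fired.
const INDICATORS = [
  { name: "worker-from-blob", weight: 3, re: /new\s+Worker\s*\(\s*URL\.createObjectURL/ },
  { name: "worker",           weight: 1, re: /new\s+Worker\s*\(/ },
  { name: "websocket",        weight: 2, re: /new\s+WebSocket\s*\(/ },
  { name: "cpu-probe",        weight: 2, re: /navigator\.hardwareConcurrency/ },
  { name: "fromCharCode",     weight: 1, re: /String\.fromCharCode/ },
  { name: "atob",             weight: 1, re: /\batob\s*\(/ },
  { name: "hex-escapes",      weight: 2, re: /(\\x[0-9a-fA-F]{2}){8,}/ },
];

// Collect WebSocket target hosts that differ from the site's own host.
function externalSocketHosts(src, ownHost) {
  const hosts = [];
  const re = /new\s+WebSocket\s*\(\s*["'](wss?:\/\/([^/"'\s:]+))/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    if (m[2] !== ownHost) hosts.push(m[2]);
  }
  return hosts;
}

// Score a script; a worker paired with an external socket is flagged outright,
// since that pairing is the loader shape described in the report.
function scanScript(src, ownHost = OWN_HOST) {
  const fired = INDICATORS.filter(i => i.re.test(src));
  const hits = fired.map(i => i.name);
  const externalHosts = externalSocketHosts(src, ownHost);
  let score = fired.reduce((sum, i) => sum + i.weight, 0);
  if (externalHosts.length > 0) score += 3;
  const hasWorker = hits.some(h => h.startsWith("worker"));
  const suspicious = score >= 6 || (hasWorker && externalHosts.length > 0);
  return { hits, externalHosts, score, suspicious };
}

// Constructed samples: a benign fetch snippet and a loader-shaped stub that
// contains only the indicator patterns, no mining logic.
const BENIGN = `fetch("/api/stats").then(r => r.json()).then(d => console.log(d));`;
const SUSPECT = `var c=navigator.hardwareConcurrency;` +
  `var w=new Worker(URL.createObjectURL(new Blob([atob("Ly8gY29uc3RydWN0ZWQ=")])));` +
  `var s=new WebSocket("wss://cmd.example.invalid/ws");` +
  `s.onmessage=function(e){w.postMessage(e.data)};`;
```

A scan like this belongs in a script inventory or CI check over served pages; a CSP with restrictive `worker-src` and `connect-src` directives blocks the same loader shape at runtime.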
The full scope of the breach remains unclear, but more than 3,500 websites have reportedly been affected. Notably, the domain hosting the malicious miner has also been linked to Magecart credit card skimming campaigns, indicating that threat actors are diversifying their tactics to maximize financial gain. “Attackers now prioritize stealth over brute-force resource theft, using obfuscation, WebSockets, and infrastructure reuse to stay hidden,” c/side noted. “The goal isn’t to drain devices instantly, it is to persistently siphon resources over time, like a digital vampire.”
These attacks are part of a broader wave of client-side and JavaScript-based threats targeting websites, particularly those built on WordPress and OpenCart. Techniques observed include:
- Injecting malicious JavaScript via Google OAuth callback abuse.
- Using Google Tag Manager (GTM) scripts stored in WordPress databases to redirect users to spam websites.
- Compromising WordPress PHP files, such as wp-settings.php and theme footers, to deploy redirect or spam code.
- Disguising malware as a fake WordPress plugin that activates only when search engine crawlers are detected.
- Launching a supply chain attack via tampered versions of the Gravity Forms plugin, which adds hidden admin users and blocks legitimate updates.
The developers behind Gravity Forms, RocketGenius, confirmed: “If it succeeds in executing this payload, it will then attempt to add an administrative account. That opens a back door to a range of other possible malicious actions.”
The return of covert browser-based cryptomining, now paired with search engine manipulation and form hijacking, highlights the growing complexity and persistence of modern web threats.