
Introduction

Sometimes a single careless click, like downloading cracked software or opening a suspicious attachment, is all it takes for a hidden program to slip into your system. It won’t lock your files or display ransom messages. Instead, it quietly uses your computer’s processing power to mine cryptocurrency for someone else, often for months before being noticed.

This silent type of cyberattack is known as cryptojacking. In this blog, we’ll explain how cryptojacking works, review recent real-world cases, highlight the hidden costs for victims, and share practical methods to prevent these attacks.

What is Cryptojacking and How Does it Work?

Cryptojacking is when attackers secretly use a device’s processing power to mine cryptocurrency. Unlike other malware that steals data or damages files, cryptojackers focus on staying hidden and running quietly in the background.

There are two common forms of cryptojacking:

  • File-based cryptojacking: A malicious program gets installed through infected downloads, phishing attachments, or tampered updates. It keeps mining even after restarts.
  • Browser-based cryptojacking: Malicious JavaScript hidden in websites or ads uses your CPU while the page is open, stopping only when you leave.

A cryptojacker’s goal is to stay hidden while continuously mining. Here’s the typical process:

Recent Real-World Cases

Cryptojacking isn’t just an old trick; it’s evolving.

GreedyBear: Multi-Channel Crypto Theft at Scale

Fake website (image source: Koi Security)

GreedyBear is a newly exposed attack group operating at an industrial scale, combining multiple tactics to steal cryptocurrency and credentials. Reports link the group to:

  • 150+ weaponized Firefox extensions impersonating popular wallets like MetaMask, TronLink, Exodus, and Rabby. Using a technique called Extension Hollowing, they first published harmless-looking add-ons, built fake positive reviews, and later replaced the code with credential-stealing scripts that also sent victims’ IP addresses to attacker-controlled servers.
  • Nearly 500 malicious executables tied to the same infrastructure, including credential stealers (like LummaStealer), ransomware variants, and generic trojans, often spread via cracked or pirated software on Russian websites.
  • Multiple scam websites posing as legitimate crypto products and services, such as fake wallet repair tools and counterfeit hardware wallets, designed to harvest sensitive data and payment details.

Connection graph (image source: Koi Security)

All these operations connect back to a single central server (185.]208.]156.]66), acting as a hub for command-and-control, data exfiltration, and scam site hosting.

JINX-0132: Cryptojacking DevOps at Scale

In June 2025, security researchers uncovered a cryptojacking campaign they named JINX-0132. Unlike the usual malware that hides on personal devices, this one went straight for the backbone of modern businesses: DevOps tools.

Over 5,300 Consul servers and more than 400 Nomad servers were openly accessible online, making them prime targets. Most exposed systems were located in the United States, China, Germany, Singapore, Finland, the Netherlands, and the United Kingdom.

Some hacked Nomad clusters were running on hundreds of servers at once. Together, the stolen CPU and memory power added up to tens of thousands of dollars in cloud bills every month, all of it quietly consumed by the attackers’ mining.

Attackers pulled their mining tools from public GitHub projects instead of using their own servers, making it harder to trace them. They abused weak points in common DevOps tools:

  • Nomad’s open API let them create mining jobs.
  • Consul health checks were misused to run malicious commands.
  • Docker APIs were used to launch containers running miners.
  • Gitea flaws like unsecured install pages gave them a way in.

This campaign is a reminder that cryptojacking isn’t just about slowing down your laptop anymore. The battleground has shifted to the cloud and enterprise infrastructure, where a single weak configuration can become a goldmine for attackers.
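As an added example (not code from the original post or from any of the cited reports), here is a small Python audit that checks the four control-plane settings the JINX-0132 list above points at: Consul script checks without deny-by-default ACLs, Nomad with ACLs disabled, a Docker daemon API listening on TCP without TLS verification, and a Gitea instance whose install page is still unlocked. The sample configs are constructed; the Consul, Nomad, Docker and Gitea keys are real settings, but treating exactly these combinations as "exposed" is this example's assumption.

```python
"""Audit DevOps control-plane configs for the weak settings abused in JINX-0132.
The four sample configs are constructed for this example, not from a real deployment.
Consul, Nomad and the Docker daemon accept JSON config; Gitea uses an INI app.ini."""
import configparser
import json

# Constructed samples, each deliberately weak.
CONSUL_CFG = json.loads('{"enable_script_checks": true, "acl": {"enabled": false}}')
NOMAD_CFG = json.loads('{"acl": {"enabled": false}, "bind_addr": "0.0.0.0"}')
DOCKER_CFG = json.loads('{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}')
GITEA_INI = "[security]\nINSTALL_LOCK = false\n"

def audit_consul(cfg):
    """Script checks let a health check run a command; without deny-by-default ACLs,
    anyone who can register a service through the API can register such a check."""
    acl = cfg.get("acl", {})
    locked_down = acl.get("enabled") is True and acl.get("default_policy") == "deny"
    if cfg.get("enable_script_checks") and not locked_down:
        return ["consul: enable_script_checks is on without deny-by-default ACLs"]
    return []

def audit_nomad(cfg):
    """With ACLs off, any client that reaches the API may submit jobs, miners included."""
    if not cfg.get("acl", {}).get("enabled"):
        return ["nomad: acl.enabled is not true; unauthenticated job submission possible"]
    return []

def audit_docker(cfg):
    """A TCP listener without tlsverify lets any client start containers on the host."""
    return [f"docker: API listener {h} without tlsverify"
            for h in cfg.get("hosts", [])
            if h.startswith("tcp://") and cfg.get("tlsverify") is not True]

def audit_gitea(ini_text):
    """INSTALL_LOCK=false leaves the first-run installer reachable after deployment."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    if not parser.getboolean("security", "INSTALL_LOCK", fallback=False):
        return ["gitea: security.INSTALL_LOCK is false; install page still reachable"]
    return []

def audit_all(consul=CONSUL_CFG, nomad=NOMAD_CFG, docker=DOCKER_CFG, gitea=GITEA_INI):
    """Run every check and return the list of findings (empty means nothing weak found)."""
    return audit_consul(consul) + audit_nomad(nomad) + audit_docker(docker) + audit_gitea(gitea)

if __name__ == "__main__":
    for finding in audit_all():
        print("WEAK:", finding)
```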

Trojan.Scavenger: Gamers Turned into Mining Farms

In mid-2025, researchers discovered a new malware family called Trojan.Scavenger, aimed squarely at gamers. Instead of targeting corporate networks or cloud servers, attackers hid this trojan inside cheats and mods for popular titles like GTA V and Oblivion Remastered.

At first glance, the downloads looked like harmless performance patches or game tweaks. But once installed, they carried out a clever trick known as DLL Search Order Hijacking, which let the malware load itself every time the game launched.

It stole login credentials and crypto wallet data, targeting tools like MetaMask, Exodus, and Phantom. It even went after password managers such as Bitwarden and LastPass, giving attackers broad access to sensitive accounts. In some cases, it quietly turned gaming PCs into crypto-mining rigs, running in the background without raising suspicion.

Because gaming computers often have high-end GPUs and powerful CPUs, they’re a perfect target for cryptojackers. For many victims, the first signs were strange ones, such as louder fans, overheating, or performance drops during gameplay. By then, their machines had been mining cryptocurrency for someone else.

Docker Malware: Mining Inside Containers

As more companies adopt containerized environments for speed and scalability, attackers are following close behind. Security researchers uncovered a new cryptojacking campaign designed specifically for Docker.

Instead of going after individual laptops, the attackers planted malicious Docker images and scanned for exposed Docker APIs. Once inside, they deployed miners that ran quietly inside containers, hidden away from traditional monitoring tools.

Image source: https://securel

Over 1,000 Docker APIs were found misconfigured and publicly accessible, providing easy entry points for attackers. A worm-like variant, nicknamed Commando Cat, was able to move from container to container, using the chroot command to escape Docker and backdoor the host system.

What made this campaign stand out was its evasion techniques:

  • The malware disguised CPU usage and masked outbound traffic to mining pools, making it harder for admins to spot unusual activity.
  • It spread through compromised container images, which could be downloaded by unsuspecting developers and reused in production environments.
  • Victims often noticed only after experiencing sluggish applications or receiving unexpectedly high cloud infrastructure bills.

This incident shows how cryptojackers are adapting to the cloud-native era. Docker and other container platforms make deployment fast and easy, but when security takes a backseat, they can also become perfect entry points for large-scale, stealthy mining operations.

Librarian Ghouls: Hacktivism Meets Cryptojacking

In June 2025, Kaspersky published an in-depth report on a group they call Librarian Ghouls (also tracked as Rare Werewolf and Rezet). This APT has been active since early 2025, focusing heavily on targets in Russia and the CIS. While initially linked to classic data-theft campaigns, investigators found the group was also deploying cryptojacking malware to quietly monetize its operations.

The infection chain was surprisingly simple but effective:

  • Victims were tricked into running fake tools that looked useful but were actually malicious.
  • Hidden batch files turned off security programs and made sure the miner would keep running.
  • A wakeup script started the cryptominer, which worked quietly in the background until it deleted itself.
  • To avoid getting caught, the attackers used legitimate-looking software so their activity blended in.
  • In total, they hijacked over 5,000 servers and accounts, stealing around $4.4 million worth of computing power.

The Hidden Costs

Cryptojackers quietly drain resources for weeks or even months before victims realize something is wrong. Here’s how those “invisible” costs add up:

Performance Drain: When a cryptojacker runs in the background, it constantly uses your computer’s CPU and GPU to mine coins. That leaves fewer resources for you. Everyday tasks, from opening a browser to running games or business applications, start to feel slow and unresponsive.

Hardware Stress: Mining is extremely resource-intensive. It pushes processors to run at near 100% capacity for long stretches of time. Overheating becomes common, cooling fans spin at full speed, and hardware components wear out faster than they should.

Financial Impact: Cryptojacking quietly increases energy consumption. A single infected machine may only raise the power bill slightly, but across multiple computers or servers the costs quickly pile up. In large-scale attacks on businesses or cloud infrastructure, victims have reported tens of thousands of dollars in additional monthly costs.

Security Risk: If a cryptojacker has made its way into your system, it means your defenses have already been bypassed. That same backdoor can be used to deploy more dangerous malware, from info-stealers to ransomware.

Prevention Strategies

The best way to handle cryptojacking is to stop it before it starts. Since these attacks rely on tricking users or exploiting weak systems, simple habits and good security hygiene go a long way:

  • Keep Everything Updated: Operating systems, browsers, plugins, and enterprise tools like Docker or Kubernetes should always be patched. Cryptojackers often exploit misconfigurations or old vulnerabilities.
  • Secure Your Browser: Installing extensions like NoScript, miner-blocking add-ons, or even just a reliable ad-blocker can help stop browser-based cryptojacking attempts.
  • Be Careful with Downloads: Avoid pirated software, cracked apps, or untrusted mods. Many cryptojackers (like Trojan.Scavenger) hide inside these files.
  • Monitor Cloud and Server Usage: For businesses, cryptojacking often shows up as unexplained spikes in cloud bills or CPU usage. Continuous monitoring and setting up alerts for unusual consumption can help catch infections early, especially in DevOps environments.
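As an added example (not code from the original post), the Python below shows the kind of alert logic the monitoring advice above calls for, run over constructed CPU samples and connection records. It also takes the Docker campaign's point that miners mask their pool traffic seriously: the network heuristic alone is easy to evade, so it is paired with a sustained-CPU baseline. The thresholds and the pool-port list are assumptions to tune per environment.

```python
"""Flag hosts showing the two telltales of a hidden miner: CPU pinned near 100% for a
sustained window, and outbound connections to mining-pool style endpoints.
Records below are constructed samples, not real telemetry; thresholds are assumptions."""
from collections import defaultdict

CPU_SATURATED = 90.0   # percent (assumption)
MIN_RUN = 6            # consecutive samples, e.g. 6 x 5 min = 30 min (assumption)
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}  # ports stratum pools commonly use (assumption)

# Constructed samples: (host, sample_index, cpu_percent)
CPU_SAMPLES = [("web-01", i, 98.5) for i in range(8)] + \
              [("web-02", i, 97.0 if i == 3 else 35.0) for i in range(8)]  # one brief spike

# Constructed samples: (host, process_name, remote_host, remote_port)
CONNECTIONS = [
    ("web-01", "kworker", "pool.example.invalid", 3333),  # miner named after a kernel thread
    ("web-02", "nginx", "cdn.example.invalid", 443),
]

def sustained_cpu_hosts(samples, threshold=CPU_SATURATED, min_run=MIN_RUN):
    """Hosts whose CPU stays at or above threshold for min_run consecutive samples."""
    run, flagged = defaultdict(int), set()
    for host, _, cpu in sorted(samples, key=lambda s: (s[0], s[1])):
        run[host] = run[host] + 1 if cpu >= threshold else 0  # any dip resets the run
        if run[host] >= min_run:
            flagged.add(host)
    return flagged

def pool_connection_hosts(conns, ports=POOL_PORTS):
    """Hosts with an outbound connection to a pool-style port. Miners that tunnel over
    443 evade this check, which is why it is combined with the CPU signal."""
    return {host for host, _, _, port in conns if port in ports}

def suspected_miners(samples, conns):
    """Both signals together is a strong indicator; either alone still deserves a look."""
    cpu, net = sustained_cpu_hosts(samples), pool_connection_hosts(conns)
    return {"both": cpu & net, "cpu_only": cpu - net, "net_only": net - cpu}

if __name__ == "__main__":
    for bucket, hosts in suspected_miners(CPU_SAMPLES, CONNECTIONS).items():
        print(f"{bucket}: {sorted(hosts)}")
```

On the sample data only web-01 lands in the "both" bucket; web-02's single spike never reaches the six-sample run length.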

References

https://www.koi.security/blog/greedybear-650-attack-tools-one-coordinated-campaign

https://thehackernews.com/2025/06/cryptojacking-campaign-exploits-devops.html

https://news.drweb.com/show/?c=5&i=15036&lng=en

https://securelist.com/dero-miner-infects-containers-through-docker-api/116546/

https://securelist.com/librarian-ghouls-apt-wakes-up-computers-to-steal-data-and-mine-crypto/116536/

https://www.it-daily.net/en/shortnews-en/cryptojacking-campaign-abuses-devops-apis-with-github-tools

https://thehackernews.com/2025/05/new-self-spreading-malware-infects.html

Conclusion

Cryptojackers don’t care about your photos or passwords; they want your processing power. The theft is silent, the damage gradual, and the profits theirs.

Stay alert, monitor your systems, and remember:

“If your computer sounds like it’s working hard for no reason, it might be working for someone else.”