Cryptojacking Campaign Infected Online Thesaurus With Over 5 Million Visitors

Students, authors, and anybody else wishing to improve their vocabulary and language abilities frequently utilize Thesaurus, one of the well-known platforms with 5 million monthly visitors.

Cybersecurity analysts at Group-IB recently found a cryptojacking scheme on a popular Thesaurus site, infecting visitors with malware to mine cryptocurrency and potentially deploy more harmful software.

Group-IB’s 24/7 monitoring spotted malicious archives flagged by Group-IB MXDR, revealing a surge in malware across multiple customer companies with unusual archive names like ‘chromium-patch-nightly.00.[0-9]{3}.[0-9]{3}.zip.’ 

However, the commonality suggested a shared source and unconventional attack.

Cryptojacking Campaign

The malicious archives were sent to Group-IB’s Malware Detonation Platform, where they were analyzed in a secure virtual environment. The archives contained a dropper installing XMRig Coinminer, used for Monero cryptocurrency mining, known for its anonymity features.

Analysts used MXDR’s EDR module to pinpoint the archive source, discovering they were downloaded to the Downloads folder on affected workstations.

Full path to the downloaded archive (Source – Group-IB)

Since the Downloads folder is commonly used for downloads, specialists examined browser history using a built-in Group-IB EDR feature, extracting artifacts to trace the malicious sample’s source.

Forensic data collection (Source – Group-IB)

Group-IB analysts traced a sneaky infection chain, where visiting the thesaurus website led to automatic malicious archive downloads. Intriguingly, the mischief avoided the antonyms section. 

After analyzing with Group-IB Malware Detonation, they checked for dropper activity using Header.ImageFileName filter, finding traces but no actual launch.

Group-IB found no host launches for the downloaded dropper and promptly alerted customers, offering context and prevention tips in the MXDR system’s incident comments section.

Specialist’s comment (Source – Group-IB)

Confirmation from the Malware Detonation Platform instantly neutralizes the threat of the archived file, with Group-IB MXDR’s EDR agent auto-blocking and quarantining malicious files. It also shares malicious file hashes, impacting other customers’ blocklists, even if they never had the file.

Millions trusted the renowned thesaurus site, but it housed a miner, exposing the myth that popular sites are safe. Threat actors used well-known tactics, including drive-by downloads and social engineering via a fake error page.


Here below we have mentioned all the recommendations:-

  • Make sure to keep the operating system and other software updated.
  • Always stick to official sources for software and updates.
  • Monitor workstation resource usage for cryptominer signs through Task Manager or similar tools when CPU/GPU usage spikes unusually.
  • Employ EDR solutions to stop malicious downloads and prevent attacks at the earliest stage.
  • Safely analyze suspicious files with advanced Malware Detonation Platforms.
Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

WordPress POP Chain Flaw Exposes Over 800M+ Websites to Attack

A critical remote code execution vulnerability has been patched as part of the Wordpress 6.4.2 version. This vulnerability exists in…

1 day ago

Russian Star Blizzard New Evasion Techniques to Hijack Email Accounts

Hackers target email accounts because they contain valuable personal and financial information. Successful email breaches enable threat actors to:- Identity…

1 day ago

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid detection by antivirus programs, making it…

2 days ago

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative targets.  Outlook vulnerabilities offer:- Access to…

2 days ago

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been discovered. This vulnerability can be exploited…

3 days ago

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in multiple products. The CVEs for these…

3 days ago