
Cryptojacking Viruses: What They Are and How to Remove Miners from Your PC

4h ago
Lately, many people have encountered situations where their computer or phone noticeably slows down and overheats for no apparent reason. One possible cause is a hidden cryptojacking virus.

In this article, we’ll explain in simple terms what malicious miners are, who creates them and why, and how infections occur. We’ll also provide examples of well-known cryptojacking viruses, explain how much money scammers can make from them, teach you how to detect an infection, and most importantly, how to remove a miner.

What Are Miner Viruses?

A miner virus is a type of malware that stealthily infiltrates your computer, smartphone or other device and uses its computing resources for cryptocurrency mining (digital coin mining). Simply put, it is a program that turns your device into a "farm" for mining Bitcoin, Monero or other coins, with cybercriminals, not the owner, profiting from the operation of the device.

📍 Miner viruses can infect regular PCs, as well as cell phones and even servers.

The main goal of such malware is to run a hidden miner in the system, which solves mathematical problems around the clock to generate cryptocurrency. A miner virus usually runs in the background, without visible windows or notifications. However, its activity heavily loads the central processor (CPU) and often the video card (GPU) of the computer. As a result, the device begins to noticeably slow down and overheat, and components wear out faster and may fail prematurely.

📍 In other words, a parasite miner consumes your computer's power and resources at your expense and without your knowledge. It doesn't encrypt your files or directly break anything, but it actually steals your power and shortens the life of your hardware.

It is important to understand that mining programs (miners) themselves can be legal. Some users deliberately install them to mine cryptocurrency. In the case of a mining virus, we are talking about unauthorized mining - when a miner runs on a device secretly, against the owner's will. Antiviruses often place such applications in the Riskware (potentially dangerous software) category - technically they are not viruses, but attackers use them to the user's detriment. Therefore, an ordinary antivirus may not immediately recognize a hidden miner as a threat if the option to search for such programs is not enabled.

Who creates malicious miners and why

Miner viruses are developed and distributed by cybercriminals. Sometimes organized hacker groups are behind such attacks, pursuing primarily financial gain. Mining cryptocurrency brings them money, and using other people's devices allows them to mine coins with virtually no equipment and electricity costs.

Essentially, attackers have found a way to monetize every infected computer or phone: they mine cryptocurrency on your devices, your electricity and your components - but to their own benefit.

These attacks are often referred to as cryptojacking. They became popular in the late 2010s when cryptocurrency prices rose.

Miner viruses work covertly, so victims may not realize they are infected for a long time. This is beneficial to hackers: unlike ransomware (encryption viruses), which immediately announce themselves and demand a ransom, miners can secretly mine coins for months. An infected device slows down a bit, but many users attribute this to age or random malfunctions and do not immediately sound the alarm.

Attackers are constantly coming up with new ways to stealthily install miners on devices because it is very profitable for them. In addition, some miner viruses are part of complex, multifunctional malware. In addition to mining, they can, for example, steal data or provide hackers with remote access to the system.

Thus, the motives of the creators of miners are not only to make money from cryptocurrency, but also to be able to use infected machines for other criminal purposes (for example, in botnets for DDoS attacks).

How infection occurs and whether phones can be infected

A malicious miner doesn't usually make its way onto a device by itself - it must be installed in some way by an attacker or a malware dropper. There are several main ways to get infected with a miner virus:

Downloading infected programs

Often a miner is disguised as a pirated version of a popular program or game, a Windows activator, a crack and the like. A user downloads such a file from a torrent or third-party site, runs the installer, and the miner is invisibly installed along with the desired program. In one case, the hidden XMRig miner was distributed under the guise of a free version of a well-known computer game, and thousands of users fell victim to it.

Through special delivery viruses

Attackers can use droppers - small viruses that infiltrate a PC (for example, through vulnerabilities or together with other software) and then download the miner itself from the Internet. Such a dropper can even set up the autorun of the miner and disguise it in the system. You may not even notice that something has been installed, as there will be no visible signs of installation.

Email and phishing

The classic way: you receive an email with an infected attachment (for example, a Word file with a macro, an archive or a program). If you open such a file, it may launch a script that downloads and installs a miner virus. Or the email contains a link to a phishing site where you are offered an "update" or the required file to download, and in the end you get a miner.

Exploits and network worms

Some advanced miners spread themselves by exploiting operating system vulnerabilities. For example, the WannaMine virus uses exploits for Windows and is able to spread over a local network to other machines. All it takes is for one computer on the network to become infected via the Internet and the virus-miner will infiltrate other vulnerable PCs on the network without user involvement.

Through browser scripts (cryptojacking)

Although strictly speaking this is not a virus, it is worth mentioning: sometimes mining happens right in the browser when you visit a certain website. Attackers embed a JavaScript miner (such as the CoinHive script) on a web page, and while you're on it, your browser mines cryptocurrency. Once you close the page, mining stops. In this case, the device is not infected, but the symptoms (slowdown, CPU load) are similar. Script and ad blockers can help you protect yourself.

Can smartphones be infected with miners

Yes, mobile devices are at risk too. Miner viruses exist for Android and theoretically even for iOS (although cases are extremely rare on the iPhone due to the closed nature of the system). On Android, however, we know of many incidents when hidden miners were embedded in applications. And you can even get infected via Google Play: there have been cases when seemingly legal apps (such as soccer streaming or VPNs) with a hidden miner embedded were found in the official store.

Here's how it works. You install an ordinary-looking application and actually use it, but in parallel it secretly mines cryptocurrency for scammers. It is difficult to notice it - the phone can get hot while the application (video, game) is running, and the user does not suspect anything.

An example of a mobile virus-miner is HiddenMiner. This malware was discovered in third-party Android apps and is capable of seriously damaging the phone's battery due to the constant load. In 2018, the Loapi virus was described, which so overheated an infected smartphone that it deformed the battery. So mobile miners are a real danger.

The most common infection scenario is downloading and running a file from an unreliable source (pirated software, email attachment, fake update), after which a hidden miner is installed on the system. On phones, it is installing an application from outside the official store, or infection through a vulnerability or a fake application in the store. Always be careful with what you install.

Examples of known malicious miners

There are many varieties of miner viruses. Let's list a few of the most famous examples:

CoinMiner. This is a generic name for a variety of Trojan miners. It most often infiltrates your computer via infected email attachments, phishing sites, or malicious files on the Internet. Once infected, it uses system resources to mine cryptocurrency (e.g., Monero) without the owner's knowledge. The name CoinMiner appears in antivirus signatures (for example, Trojan.CoinMiner) for such threats.

XMRig. A popular Monero mining software that attackers actively deploy covertly. XMRig itself is a legitimate open-source miner, but it is often packaged as a virus. For example, in 2025, a new virus based on XMRig was discovered disguised as an installer of a famous game. Thousands of users became victims - the XMRig miner slowed down their computers, disabled them and even stole data. Antiviruses usually detect such threats as Trojan.Win32.XMRig or a similar name.

WannaMine. A malicious miner named after the WannaCry ransomware. It is able to self-propagate, using Windows vulnerabilities (EternalBlue exploits and others) to infect computers on a local network. WannaMine installs a miner (usually for Monero) and can combine stealthy mining with other malicious activities. This virus has clearly shown that miners can spread like network worms.

HiddenMiner. The already mentioned mobile (Android) miner. It hides inside applications (most often distributed through third-party app stores). After installation, it stealthily starts mining cryptocurrency, which causes the device to become very warm, and the battery may suffer, up to physical damage. There is no interface or icon - the user may not even realize that the cause of overheating is a virus.

Smominru. One of the largest known mining botnets. At its peak, it infected more than 500,000 Windows servers around the world and used their power to mine Monero. Researchers estimated the profits of Smominru's creators at millions of dollars. The botnet was active for several years, constantly changing and demonstrating the scale of hidden mining attacks.

Others: CryptoNight, PowerGhost, Darwin and many other malicious miners have appeared over the years. Some, in addition to mining, steal sensitive data - for example, the Rarog trojan not only mines, but can also intercept user logins and passwords. New versions of miners are constantly improving, trying to bypass defenses and increase their production.

📍 Miner viruses can attack different platforms (Windows, Linux, Android), use different distribution methods and carry additional dangers (data theft, botnet creation). But they all have one thing in common: using your device to enrich attackers.

How much scammers can earn from miners

A question that interests many people: is the profit from hidden mining really significant? The answer is yes, it is! Although each individual computer brings the attackers relatively little (for example, a few cents or dollars per day, depending on the power and the cryptocurrency exchange rate), in a mass infection, thousands of devices are involved, and the profits add up to large sums.

To illustrate, a few facts and estimates:

  • Experts noted that by 2018, about 5% of all Monero (XMR) cryptocurrency in circulation was mined illegally through malicious mining. At the time, this amounted to approximately $175 million! Monero is a popular coin with attackers due to the anonymity of transactions and the fact that it can be efficiently mined on CPUs. These statistics show the scale of the problem: a significant percentage of coins were obtained not by honest means, but by infecting devices around the world.
  • Kaspersky Lab experts estimate that the use of miner botnets allowed cybercriminals to earn more than $7 million in just the second half of 2017. And the profit of one of the hidden mining groups amounted to $5 million in that period. This is only for 6 months and only according to known data - the real figure may be even higher.
  • Specific examples: the Smominru botnet (mentioned above) is estimated to have accumulated tens of thousands of dollars for its owners every month, and could bring in several million dollars over the course of its existence. Another case - attackers from China using hidden mining and malicious plugins infected about 1 million computers and earned over $2 million in cryptocurrency.

How to determine if your device is infected with a miner

Miner viruses try to act covertly, but still give themselves away through indirect signs. Below we list the main symptoms by which you can suspect that there is a hidden miner on your computer or phone.

1. Performance drops

One of the first red flags is a sudden drop in performance. If your computer starts to slow down noticeably when performing common tasks, and your smartphone starts to lag on simple applications, you should be wary.

2. The device heats up a lot

Often miner-infected devices are also too warm: for example, your laptop or phone is hot to the touch, even when you're not running anything resource-intensive. PC coolers may make noise constantly at high speeds. All this is the result of the virus-miner loading the processor (and/or video card) almost to full capacity, taking resources away from your programs.

3. Suspicious programs are running on your device

Task Manager may show suspicious activity. Pay attention to the screenshot and the first program in the list. The user obviously did not launch an application with this name, and meanwhile this process is actively consuming system resources. A hidden miner can manifest itself in a similar way: it masquerades as something invisible and eats up power. If you see something like this in the list of processes, it's a reason to be wary.

4. Constantly high CPU/GPU utilization

Your computer, even at idle (when you are not performing heavy tasks), is loaded at 70-100%. Open "Task Manager" (Ctrl + Shift + Esc in Windows) and see if there is a process that steadily consumes a lot of resources (for example, more than 50% of CPU). On the phone it is similar: the device is heavily loaded even without open applications.

📍 The load may jump or disappear when you try to track it. Cunning miners can suspend their work if the user opens Task Manager or system monitoring. For example, you notice that the computer is slowing down, but as soon as you open the Task Manager - the CPU load immediately drops and no suspicious processes are visible. When you close the task manager, the coolers spin up again. This is a clear sign of a hidden miner, which hides when you try to detect it. Don't let yourself be fooled by such maneuvers.
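The PowerShell script below is an added example, not part of the original article. It measures per-process CPU use over a minute in the background, so sustained load can be recorded without keeping Task Manager open, and it reports the file path and signature status of every process that crossed the 50% mark mentioned above. The sample count and interval are assumed values.

```powershell
# Added example (not from the original article): background CPU sampler.
# Read-only: it only reads process counters and file signatures.
$Samples          = 6    # number of intervals to measure (assumed value)
$IntervalSeconds  = 10   # seconds per interval (assumed value)
$ThresholdPercent = 50   # "more than 50% of CPU", as in the article

$cores = [Environment]::ProcessorCount
$seen  = @{}   # process Id -> statistics for processes that crossed the threshold

# First snapshot: total CPU seconds consumed so far by each readable process.
$prev = @{}
foreach ($p in Get-Process) {
    if ($p.Id -ne 0 -and $null -ne $p.CPU) { $prev[$p.Id] = $p.CPU }
}

for ($i = 1; $i -le $Samples; $i++) {
    Start-Sleep -Seconds $IntervalSeconds
    $now = @{}
    foreach ($p in Get-Process) {
        if ($p.Id -eq 0 -or $null -eq $p.CPU) { continue }   # idle or protected process
        $now[$p.Id] = $p.CPU
        if (-not $prev.ContainsKey($p.Id)) { continue }      # started during this interval
        # Share of total CPU capacity (all cores) used during this interval.
        $pct = 100 * ($p.CPU - $prev[$p.Id]) / ($IntervalSeconds * $cores)
        if ($pct -lt $ThresholdPercent) { continue }
        if (-not $seen.ContainsKey($p.Id)) {
            $seen[$p.Id] = [pscustomobject]@{
                Id = $p.Id; Name = $p.ProcessName; Path = $p.Path
                HighIntervals = 0; PeakPercent = 0.0; Signature = 'n/a'
            }
        }
        $seen[$p.Id].HighIntervals++
        if ($pct -gt $seen[$p.Id].PeakPercent) {
            $seen[$p.Id].PeakPercent = [math]::Round($pct, 1)
        }
    }
    $prev = $now
}

# Check the Authenticode signature of each flagged executable.
foreach ($entry in $seen.Values) {
    if ($entry.Path -and (Test-Path -LiteralPath $entry.Path)) {
        $entry.Signature = (Get-AuthenticodeSignature -LiteralPath $entry.Path).Status
    }
}

if ($seen.Count -eq 0) {
    "No process stayed above $ThresholdPercent% CPU in any interval."
} else {
    $seen.Values |
        Sort-Object HighIntervals, PeakPercent -Descending |
        Format-Table Id, Name, HighIntervals, PeakPercent, Signature, Path -AutoSize -Wrap
}
```

The script measures CPU only, so a miner that runs on the GPU will not appear in it. A process listed here is a candidate for a closer look, not proof of infection: browsers, games and update services can cross the threshold too.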

5. Slowdown and lags

The system responds to actions with delays, programs open longer than usual, video may slow down. Games start to freeze, FPS decreases, although everything was normal before. This is a direct consequence of power being stolen by a miner.

6. The device is quickly discharging

If your computer's coolers are humming at full speed all the time, or your smartphone is getting noticeably hot and discharging quickly, even though you hardly use it - hidden mining is possible. The miner needs maximum performance, which leads to strong heating of components and, in the case of the phone, to rapid battery drain.

7. Antivirus alarm messages

If the installed antivirus suddenly started issuing warnings about a detected Trojan.Miner or blocking some processes/files mentioning "coin" or "miner" - the system is most likely infected. Modern antiviruses are able to recognize many miners. For example, the built-in Windows Defender marks some of them as Trojan:Win32/CoinMiner. Pay attention to such signals and immediately follow the treatment recommendations.

📍 There may also be warnings from system administrators or ISPs. In rare cases, if your device is on a corporate network, admins may determine from the load that there is a miner on the PC. Or your ISP may notify you about suspicious activity (for example, if a botnet miner participates in DDoS attacks). Then you should definitely check the system.

8. Increased traffic or suspicious activity on the network

Usually, miners do not consume a lot of Internet traffic (they only need to send the results of calculations and receive tasks, which is insignificant). However, if the miner is part of a botnet, it may communicate with the management server. You may notice unknown connections in your firewall or an increase in outbound traffic. This sign is generally less obvious, but in combination with others may indicate a problem.

How to remove a miner

Let's take a look at ways that will help you remove the miner from your device.

Remove miner from PC manually

Let's try to get rid of the miner virus on our own, without reinstalling the system and without special utilities. Important: manual removal requires caution. You will have to work with system processes and files, so follow the steps carefully. If you are not sure of your actions, go straight to the next section, where automatic removal methods are described. But in most cases, manual removal is feasible and allows you to remove the miner from the PC completely.

Here are step-by-step instructions on how to remove the miner from PC manually:

  1. Disconnect your device from the internet. This is the first thing you should do if you suspect an infection. Disconnecting it from the network will prevent the virus from communicating with its server and potentially spreading (for example, if the miner is a worm, it won't be able to infect other machines on your network). Plus, some miners may stop working when they lose connectivity, making it easier for you to clean them out. Turn off Wi-Fi or unplug the cable - the computer/laptop should be offline until all steps are completed.
  2. Find and terminate the suspicious process. Open Task Manager (Ctrl+Shift+Esc in Windows) and under the Processes tab, track down which process is loading the CPU/GPU (or looks unfamiliar). As we discussed, a mining virus often has a strange name or too high a load. If you identify such a process, highlight it and click "End Task". This will temporarily stop the miner from running. Note: some miners resist shutdown - they may restart immediately or be protected. But you should try it. If the process immediately revives, terminate it again - you should have enough time between its restarts to carry out the next steps.
  3. Determine the location of the miner file. While the process is stopped (or if it is still running, but you know its name), find the file of this program on disk. In Task Manager, you can right-click on the process and select "Open file location". This makes the task very easy - the folder that contains the virus's .exe file opens at once. Memorize or copy the path. If for some reason this doesn't work, try searching by process name in Explorer. Miners are often copied into hidden AppData or Temp folders, or even system directories.
  4. Remove the virus files. Once you have figured out where the miner file is located, remove that file (and related ones, if any). For example, sometimes along with the main .exe there are additional scripts or configurations lying around - remove the entire folder where the miner was sitting. If the file cannot be removed (Windows complains that it is in use by another process), try to reboot in Safe Mode and repeat the removal there - in Safe Mode, extraneous services usually do not run. Also make sure you have administrator privileges for the removal. Tip: before deleting, you can rename the miner file (for example, miner.exe → miner-delete.exe) - this way you will prevent it from running if it is still referenced somewhere, and then finally erase it.
  5. Clean autorun and tasks. It is important not only to kill the current process, but also to remove the "anchors" through which the miner could automatically start at system startup. Check startup items: open Task Manager → "Startup" tab and see if there are any unknown or suspicious programs there - disable them. Also open Windows Task Scheduler and look through the tasks - sometimes the miner creates a task there to run its file at intervals or when the user logs on. Delete suspicious tasks. Advanced method: run the registry editor (Win+R -> regedit), and in the Edit - Find menu, enter the file name of the miner or process. If keys are found (for example, in the Run or RunOnce branches) associated with that name, delete them. Be careful in the registry! Only delete entries that explicitly point to your virus (such as the path to the miner file). This step will ensure that the miner doesn't re-spawn after a reboot.
  6. Reboot the computer and check the status. Now you can turn on the internet and reboot the system. After the reboot, observe whether the fan noise has died down, whether the background load has gone, and whether that suspicious process has reappeared. If everything is clean - congratulations, manual removal of the miner from the PC has succeeded. To be sure, it is recommended to perform the final step.
  7. Scan your system with an antivirus. Even after manual cleanup, be sure to do a full scan with a trusted antivirus (or several) - this will help remove any possible residue. Run your installed antivirus and run a complete scan of all disks. Free scanners will work too (more on them later). Remove everything that is found. This step is a precaution in case you missed some hidden module or additional component of the virus.
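The PowerShell script below is an added example, not part of the original article. It performs the search from step 5 in one pass: it looks through the Run and RunOnce registry branches, the Startup folders and the Task Scheduler for entries that reference the miner's file name, and lists them for review without deleting anything. The name `miner.exe` is a placeholder taken from the rename example in step 4; replace it with the file name or path found in step 3.

```powershell
# Added example (not from the original article): read-only autorun audit.
# It lists matches for review and deletes nothing.
$Needle = 'miner.exe'   # placeholder: file name or path fragment found in step 3
                        # (an empty string lists every autorun entry)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Location, $Name, $Command) {
    # Case-insensitive substring match, so brackets in paths are not wildcards.
    if ("$Command".IndexOf($Needle, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $findings.Add([pscustomobject]@{
            Location = $Location; Name = $Name; Command = $Command })
    }
}

# 1. Run / RunOnce values, per machine and per user, 64-bit and 32-bit views.
$runKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($node in 'Software', 'Software\WOW6432Node') {
        foreach ($leaf in 'Run', 'RunOnce') {
            "$hive\$node\Microsoft\Windows\CurrentVersion\$leaf"
        }
    }
}
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($valueName in $item.GetValueNames()) {
        Add-Finding $key $valueName ([string]$item.GetValue($valueName))
    }
}

# 2. Startup folders (current user and all users); shortcuts are resolved
#    to the program they actually launch.
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $dir -File -Force) {
        $target = $file.FullName
        if ($file.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($file.FullName)
            $target = "$($lnk.TargetPath) $($lnk.Arguments)"
        }
        Add-Finding "Startup folder ($folder)" $file.Name $target
    }
}

# 3. Scheduled tasks whose action starts a program.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no command line
        Add-Finding 'Scheduled task' "$($task.TaskPath)$($task.TaskName)" `
            "$($action.Execute) $($action.Arguments)"
    }
}

if ($findings.Count -eq 0) {
    "No autorun entry references '$Needle'."
} else {
    $findings | Format-List Location, Name, Command
}
```

Run it from an elevated PowerShell window so that scheduled tasks belonging to other accounts are visible. It covers only the three locations named in step 5.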

Remove a miner virus with free tools

For most users, it is easier and more reliable to use special utilities and antivirus software to automatically find and remove a miner virus. Fortunately, there are many effective programs that can detect a hidden miner. Let's take a look at how to remove a miner virus using free tools, step by step.

Note: By "free tools" we mean either completely free programs or conditionally free ones with a trial period that is enough for cleaning. We will use a combination of such tools.

Step 1: Use the Dr.Web CureIt! scanner. One of the best free ways is the Dr.Web CureIt! utility. This is an antivirus scanner from Dr.Web that doesn't require installation and is distributed for free. Download CureIt! from the official Dr.Web website. Close all unnecessary applications and launch the scanner. In the main window, click "Select objects to scan" and check all disks and partitions (we need a full scan). Start scanning - the scanner will scan your system for known threats, including miners. This can take anywhere from half an hour to several hours, so be patient.

When finished, you will see a list of detected malicious objects. CureIt can recognize many miners and marks them as Trojan.Miner or similar. Click the "Disarm" (or "Remove") button for all threats found and wait for the utility to remove the viruses.

Step 2: Scan your system with your regular antivirus (Microsoft Defender). To be on the safe side, it's worth checking your PC with another tool. If you have Windows 10/11, you have Microsoft Defender (Windows Defender) built in. Make sure it has updated its databases (it usually does this automatically). Open Windows Security -> "Virus & threat protection" -> "Scan options". Select "Full scan" and run it. Defender will scan your entire system. Even if CureIt has already removed everything, an extra scan won't hurt - different products may find what another one missed.

At the end of the scan, Defender will automatically remove or quarantine the detected threats. Pay special attention to detections like CoinMiner - this is our case. Windows Defender also has an "Offline Scan" option - it will reboot your PC and scan the system before Windows starts, which helps catch hidden threats like rootkits. You can run it as well for peace of mind.

Step 3: Alternative free antiviruses. If for some reason the previous steps are not suitable or have failed, you can use other free antivirus utilities. Many well-known vendors offer either free versions or a 30-day trial, which is enough to clean your system once. For example: Malwarebytes Free, Kaspersky Virus Removal Tool, ESET Online Scanner, Zemana AntiMalware Free. All of them know how to find miners.

What to do if the miner is not removed

Sometimes the miner is "stubborn" and cannot be removed either manually or with a regular scanner. If you encounter this, try the following steps:

  • Run the scan in safe mode. Many antiviruses (like Malwarebytes or KVRT) can be run in safe mode - the malware is not active there and is easier to remove.
  • Try another utility. For example, if you only scanned with Defender, download Malwarebytes or Dr.Web in addition - and vice versa.
  • Check if the virus has any autoruns left (see step 5 in the manual instructions above). Some antiviruses may delete the file itself, but forget to remove the task in the scheduler, which then re-downloads the miner. It ends up reappearing an hour or two later. Delete tasks and registry keys associated with the miner.
  • Contact antivirus product support forums. For example, Malwarebytes or Kaspersky forums have sections where specialists help you clean your system - they can give you a script or a special utility for your case.
  • The last option is to reinstall the OS. If nothing helped (which is unlikely for a miner, you can usually remove them), reinstalling Windows/Android from scratch will definitely remove the problem. But this will only work if you don't bring the virus back from backup or run the same infected file again.

How to protect your computer from hidden miners

We have figured out how to remove a miner from your PC and phone. Now a couple of words about prevention: what to do to prevent a miner virus from infecting your device in the future. Many of these tips are universal to any cybersecurity, but following them will greatly reduce the risk of hidden mining.

  • Install a reliable antivirus and keep it turned on. A modern antivirus will prevent the installation of a mining virus in most cases. The free built-in Defender is often enough, but you can also use third-party solutions. Regularly update your antivirus databases.
  • Update your operating system and programs. Attackers often get in through vulnerabilities. Install Windows, Android and app updates as soon as they are released. Closed vulnerabilities will prevent worms like WannaMine from getting onto your PC.
  • Do not download software from unverified sources. Try to avoid pirated copies of programs and games. Saving on a license is not worth the risk of catching a miner. Always prefer official stores (Microsoft Store, App Store, Google Play). If you really need to download something questionable - check the file with antivirus or VirusTotal before you run it.
  • Be careful with email and links. Do not open attachments from unknown senders. Do not click on suspicious links in emails and messages. Scammers often send out miners under the guise of documents, photos, important archives and the like. Be vigilant.
  • Use an ad and script blocker in your browser. This will protect against web mining and exploitation through malicious ads. Popular extensions include uBlock Origin, AdBlock, NoScript.
  • Monitor the status of the device. Periodically check the task manager, CPU/GPU temperature (there are utilities for monitoring). If you notice something wrong - take action immediately, do not wait. Digital hygiene and diligence are the best defense.

By following these tips, you will significantly reduce the chances of encountering hidden mining again.
