Cryptojacking within a miner fleet often begins silently and scales quickly; detecting it requires layered monitoring that blends host telemetry, network analysis, and fleet-wide baselines. ESET researcher Robert Lipovsky at ESET and Kaspersky researcher Fedor Sinitsyn at Kaspersky have documented campaigns where cryptominers persist by injecting into legitimate processes and by communicating with remote mining pools, demonstrating the need for both behavioral and signature-aware detection.
Host-level and process monitoring
Effective detection starts at the host. Continuous collection of CPU and GPU utilization, process creation events, and command-line arguments reveals deviations from an individual miner’s normal profile. baseline metrics for hash rates, CPU temperature, and power draw allow detection of anomalous increases or stealthy drops that suggest parasitic miners stealing cycles. File integrity monitoring and periodic scanning for known miner binaries or YARA rules complement behavioral checks. Endpoint detection tools that capture process ancestry and suspicious persistence mechanisms such as modified scheduled tasks or injected DLLs expose lateral footholds researchers have observed.
Network and fleet-level telemetry
Cryptominers must reach a pool or proxy; network telemetry is therefore vital. Monitoring for Stratum protocol handshakes, unusual outbound TCP connections to unfamiliar endpoints, and spikes in TLS sessions to mining hostnames can highlight compromised hosts. Aggregating telemetry in a SIEM and correlating with threat intelligence feeds refines detection: reputation lists and observed indicators from vendors speed triage. SIEM correlation and anomaly detection models detect cohort-wide patterns such as synchronized connection attempts or simultaneous drops in reported local hash rates that are often invisible when examining a single node.
Human, cultural, and environmental nuances matter: miners operating in regions with low electricity costs may tolerate higher baseline consumption, so regional baselines are necessary to avoid false positives. Conversely, unexpected energy consumption affects operating margins and creates environmental impacts through increased carbon emissions, making timely detection both an economic and ecological priority.
Response hinges on validated detection: isolate affected hosts, preserve forensic artifacts, and remediate persistence. Continuous improvement of detection comes from combining vendor research with internal telemetry and incident learnings. Drawing on published analyses by trusted vendors like ESET and Kaspersky guides prioritized controls, while fleet-wide observability and rigorous baselining form the practical foundation for detecting cryptojacking before it causes reputational, financial, or operational harm.