New ‘MarioNet’ browser attack lets hackers run bad code even after users leave a web page

“Academics from Greece have devised a new browser-based attack that can allow hackers to run malicious code inside users’ browsers even after users have closed or navigated away from the web page on which they got infected,” Catalin Cimpanu reports for ZDNet. “This new attack, called MarioNet, opens the door for assembling giant botnets from users’ browsers. These botnets can be used for in-browser crypto-mining (cryptojacking), DDoS attacks, malicious files hosting/sharing, distributed password cracking, creating proxy networks, advertising click-fraud, and traffic stats boosting, researchers said.”

“MarioNet can survive after users close the browser tab or move away from the website hosting the malicious code,” Cimpanu reports. “This is possible because modern web browsers now support a new API called Service Workers.”

“A service worker, once registered and activated, can live and run in the page’s background, without requiring the user to continue browsing through the site that loaded the service worker,” Cimpanu reports. “The attack routine consists of registering a service worker when the user lands on an attacker-controlled website and then abusing the Service Worker SyncManager interface to keep the service worker alive after the user navigates away. Because Service Workers have been introduced a few years back, the MarioNet attack also works in almost all desktop and mobile browsers.”

Read more in the full article here.

MacDailyNews Note: In their research paper, the academics also describe methods through which MarioNet could avoid being detected by anti-malware browser extensions and anti-mining countermeasures, and also put forward several mitigations that browser makers could take.
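A defender-side check for the mechanism described above (a registered service worker that uses the SyncManager interface), as an added example that is not from the ZDNet article or the research paper. The function names and the `allowedScripts` allow-list are hypothetical; `getRegistrations()` only reports workers for the origin it runs on, and `sync.getTags()` is only present in browsers that implement Background Sync.

```javascript
// Added example: list the service workers registered for the current origin,
// with any pending Background Sync tags, and flag scripts not on an allow-list.
async function auditServiceWorkers(container, allowedScripts = []) {
  const findings = [];
  for (const reg of await container.getRegistrations()) {
    const worker = reg.active || reg.waiting || reg.installing;
    const scriptURL = worker ? worker.scriptURL : null;
    // A missing SyncManager is treated as "no pending sync tags".
    const syncTags = reg.sync && reg.sync.getTags ? await reg.sync.getTags() : [];
    findings.push({
      scope: reg.scope,
      scriptURL,
      state: worker ? worker.state : "none",
      syncTags,
      expected: scriptURL !== null && allowedScripts.includes(scriptURL),
    });
  }
  return findings;
}

// Unregister every registration whose script is not on the allow-list.
// Returns the scopes that were actually removed.
async function removeUnexpected(container, allowedScripts = []) {
  const removed = [];
  for (const reg of await container.getRegistrations()) {
    const worker = reg.active || reg.waiting || reg.installing;
    if (!worker || !allowedScripts.includes(worker.scriptURL)) {
      if (await reg.unregister()) removed.push(reg.scope);
    }
  }
  return removed;
}

// In a browser (for example the DevTools console) this prints the audit table;
// outside a browser the guard skips it.
if (typeof navigator !== "undefined" && navigator.serviceWorker) {
  auditServiceWorkers(navigator.serviceWorker).then(console.table);
}
```

Run on a site's own origin, an entry with `expected: false` or with sync tags the site never registers is the thing to investigate before calling `removeUnexpected`.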


  1. I suggest, as always, the first thing you should do is create a standard, non-admin account for daily use to at least mitigate some of the damage malicious attacks can cause.


    Abstract—The proliferation of web applications has essentially transformed modern browsers into small but powerful operating systems. Upon visiting a website, user devices run implicitly trusted script code, the execution of which is confined within the browser to prevent any interference with the user’s system. Recent JavaScript APIs, however, provide advanced capabilities that not only enable feature-rich web applications, but also allow attackers to perform malicious operations despite the confined nature of JavaScript code execution.
    In this paper, we demonstrate the powerful capabilities that modern browser APIs provide to attackers by presenting MarioNet: a framework that allows a remote malicious entity to control a visitor’s browser and abuse its resources for unwanted computation or harmful operations, such as cryptocurrency mining, password-cracking, and DDoS. MarioNet relies solely on already available HTML5 APIs, without requiring the installation of any additional software. In contrast to previous browser-based botnets, the persistence and stealthiness characteristics of MarioNet allow the malicious computations to continue in the background of the browser even after the user closes the window or tab of the initially visited malicious website. We present the design, implementation, and evaluation of our prototype system, which is compatible with all major browsers, and discuss potential defense strategies to counter the threat of such persistent in-browser attacks. Our main goal is to raise awareness about this new class of attacks, and inform the design of future browser APIs so that they provide a more secure client-side environment for web applications.
