Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

New Attack Runs Code After Closing Browser Tab

A group of researchers has discovered that websites can abuse modern browser APIs to persistently abuse browser resources for nefarious operations even after their tabs or windows have been closed. 

A group of researchers has discovered that websites can abuse modern browser APIs to persistently abuse browser resources for nefarious operations even after their tabs or windows have been closed. 

To demonstrate the attack, researchers from FORTH (Foundation for Research and Technology), Greece, and Stony Brook University, U.S., built MarioNet, a framework that allows a malicious third party to control the visitor’s browser for cryptocurrency mining, password-cracking, and distributed denial of service (DDoS) attacks. 

In a paper (PDF) detailing the attack, the researchers explain that MarioNet relies solely on already available HTML5 APIs and that it does not require the installation of additional software. This also means that it can be used on all major browsers. 

The attack is both persistent and stealthy, as it continues in the background of the browser even after the user closes the window or tab of the malicious website. However, it cannot survive browser reboots. 

“MarioNet goes beyond existing approaches and demonstrates how malicious publishers can launch persistent and stealthy attacks. This is possible by allowing malicious actors to continue having control of the victim’s browser even after the user browses away from a malicious or infected website, and by bypassing most of the existing in-browser detection mechanisms,” the paper reads. 

The framework has two main parts, namely an in-browser component and a remote command and control system. Unlike typical botnets, MarioNet doesn’t exploit implementation flaws on the target system, but relies on JavaScript capabilities and HTML5 APIs, which makes it compatible with most desktop and mobile browsers. 

Courtesy of isolation from the visited website, the system allows fine-grained control of the utilized resources and can continue its operation in the background even after the parent tab was closed, thus achieving persistence. Moreover, it can avoid detection by browser extensions that try to monitor the webpage’s activity or outgoing communication, the researchers note. 

Advertisement. Scroll to continue reading.

Possible defense mechanisms include restricting or disabling service workers, or restricting the browser from fetching and deploying service workers, or requiring the user’s permission for the registration and activation of a service worker. Signature-based detection and behavioral analysis and anomaly detection systems should also prevent such attacks. 

The attack can be launched through malicious websites, compromised domains, and through dynamic content in iframes, meaning that it is actually easy for an attacker to leverage it, the researchers say. 

“Essentially, our work demonstrates that the trust model of web, which considers web publishers as trusted and allows them to execute code on the client-side without any restrictions is flawed and needs reconsideration,” the paper reads. 

Related: Websites Can Exploit Browser Extensions to Steal User Data

Related: Ad Network Performs In-Browser Cryptojacking

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...