A global threat report has concluded that the three most common malware variants detected in April were crypto miners, according to a news release on May 14.

Check Point Research said Cryptoloot, malware that uses the victim’s computing power to mine for crypto without their knowledge, was last month’s biggest threat. XMRig, open-source software which is used for mining monero (XMR), was in second place. Rounding off the top three was JSEcoin, a JavaScript miner embedded in websites.

Despite their prevalence, the company’s researchers believe that criminals are shifting their focus away from crypto mining. Several popular services used to target unsuspecting computer users, such as Coinhive, have closed. In addition, the collapse in crypto prices at the start of the year meant other strategies were more lucrative.

According to Check Point, multi-purpose trojans are on the rise — with its experts warning this is concerning because of how they steal private data and target databases and backup servers with ransomware demanding up to $1 million.

Maya Horowitz, the company’s threat intelligence and research director, said:

“As these malware constantly morph, it is crucial to have a robust line of defense against them with advanced threat prevention.”

Last month, American software company Symantec detected a spike in a new crypto mining malware, Beapy, that targets enterprises. Beapy is reportedly spread through malicious emails, and according to researchers, its file-based approach to cryptojacking is considerably more profitable for hackers than browser-based tools.

Also in April, two Romanian cybercriminals were convicted in the United States of spreading malware to steal credit card details and illicitly mine crypto.