Crypto-mining malware is draining enterprises’ CPU power with an estimated 23% of organizations globally being affected by the Coinhive variant during January 2018, according to Check Point’s latest Global Threat Impact index.

The firm's researchers found three different variants of crypto-mining malware among its top 10 most prevalent threats, with Coinhive ranking first. The other crypto-miners that made the list were JSEcoin, ranked fifth, and Cryptoloot, ranked eighth. The firm claims more than one in five organizations around the world had been affected by the Coinhive variant last month.

Crypto-mining malware refers to cybercriminals hijacking the victim’s CPU or GPU power and existing resources to mine cryptocurrency. In the case of Coinhive malware, the implanted JavaScript consumes a large share of the computational resources of the end user’s machine, degrading the performance of the system.

Some crypto-miners have been intentionally injected into several top websites, mostly media streaming and file sharing services. Since last week, media outlet Salon has been presenting visitors using an ad-blocker with a popup window offering two options: disable the blocker or choose a “suppress ads” option, which, the site explains, will allow “Salon to use your unused computing power” if selected. According to Cyberscoop, Salon uses Coinhive to mine the cryptocurrency Monero.

While some of this activity is legal and legitimate, the tools can be hacked to consume more power and generate more revenue, using as much as 65% of the end user’s CPU power.

Crypto-mining malware is “particularly challenging to protect against, as it is often hidden in websites, enabling hackers to use unsuspecting victims to tap into the huge CPU resource that many enterprises have available,” said Maya Horowitz, Threat Intelligence Group Manager at Check Point.

“Over the past three months cryptomining malware has steadily become an increasing threat to organizations, as criminals have found it to be a lucrative revenue stream.”

The increasing popularity and value of cryptocurrencies have led to a significant increase in the distribution of crypto-mining malware.

Russian cybersecurity firm Kaspersky Lab reported last week that a vulnerability in the desktop version of Telegram’s messaging app had been exploited to turn computers into crypto-miners.

The zero-day exploit was used to trick Telegram users into downloading malicious files, which would then be used to deliver crypto-mining software and spyware. According to the firm, the vulnerability has been actively exploited since March 2017 to mine cryptocurrencies that include Monero and Zcash.

Earlier this month, hackers infected thousands of websites, including ones run by US and UK government agencies, with crypto-mining malware. The attack, noticed by security researcher Scott Helme, was pulled off by compromising Browsealoud, a fairly popular plugin used by all the affected sites.

Browsealoud is a suite of accessibility and translation tools developed by UK firm Texthelp. The plugin was edited by attackers to embed a script that uses visitors’ computers to mine Monero, according to Helme.