Anyway, the mining stops as soon as the user closes the window or browses to another site, but some unscrupulous websites have found a way to keep the juice flowing even after the window has been closed. By launching the Monero cryptocurrency miner in a pop-under window, the mining job can run for a much longer time as many users will not notice it.
The pop-under hides under the Windows taskbar, behind the clock, and it uses throttling to ensure it doesn't max out the CPU as that could raise suspicion from users.
Malwarebytes Lead Malware Intelligence Analyst Jérôme Segura wrote:At the moment, it seems this new technique is exclusive used against users that run Chrome on Windows 7 and Windows 10.
This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the “X” is no longer sufficient. The more technical users will want to run Task Manager to ensure there is no remnant running browser processes and terminate them. Alternatively, the taskbar will still show the browser’s icon with slight highlighting, indicating that it is still running.