Interesting watering-hole web attack here
Given that all the code has to do is run on a thread on the same core, I'd be interested to see whether one could use JITted Javascript in a browser window as the snooping code. Works fine inside a sandbox - it's only doing compute, after all, so there's nothing for the sandbox to stop. Just leave it running in the window, and see if you happen to strike gold with a crypto key.
Bonus points if you can use a spear-phishing or watering hole attack to do this on the browser of the sysadmin of an organisation you're targeting.
Biting the hand that feeds IT
