Microsoft Alerts: GPU Mining Malware Spreading via SEO Manipulation and AI Chatbots—Crypto-Jacking Campaign Aims at Gamers and High-End PC Users with Fake Downloads of Popular Utilities


Unveiling a Widespread Cryptojacking Scheme

Microsoft has revealed an extensive cryptojacking campaign that combines SEO poisoning with, in some instances, software recommendations generated by AI chatbots.

The campaign lures users into downloading GPU mining malware disguised as commonly used PC utilities.

A threat analysis published on Tuesday by Microsoft Defender Experts and the Microsoft Defender Security Research Team details an operation that specifically targets people with high-performance graphics cards: gamers, hardware enthusiasts, AI developers, and overclockers.

The attackers impersonated several widely used utilities, including CrystalDiskInfo, HWMonitor, Display Driver Uninstaller (DDU), FurMark, K-Lite Codec Pack, and PDFgear.

Victims searching for these applications on conventional search engines, or following AI chatbot suggestions, were often redirected to attacker-controlled download sites hosting deceptive ZIP files that contained the mining malware.

Microsoft observes that the attackers prioritize compromising systems with powerful discrete GPUs over maximizing the number of infections.

Once on the system, the malware installs the legitimate ScreenConnect management tool for persistent remote access and quietly starts GPU mining with payloads such as lolMiner, gminer, and SRBMiner-MULTI.

Stealthy Infection Techniques

The infection chain used stealth techniques more often seen in advanced malware. Each malicious ZIP archive bundled a legitimate software installer with a malicious DLL, which the installer loaded automatically through DLL sideloading.

The malware then set up six persistence mechanisms, added Microsoft Defender exclusions, checked the environment for virtual machines and analysis tools, and used process hollowing to inject its mining scripts into trusted Microsoft-signed .NET utilities, including MSBuild.exe, InstallUtil.exe, and RegAsm.exe.

Perhaps most notably, Microsoft observed that some of the malicious domains may have surfaced through interactions with AI chatbots.

Users soliciting software suggestions from large language model (LLM)-driven assistants occasionally received links directing them to attacker-controlled domains embedded in generated replies.

While Microsoft emphasized that this indicates no overarching flaw in AI services, it highlights a concerning trend in AI-assisted search-poisoning techniques.

The Scope of the Campaign

According to Microsoft’s investigations, the operation has been active since at least March 2026, encompassing over 150 malicious domains that posed as reliable utility download sites.

Many downloads were hosted on subdomains of gleeze.com, infrastructure previously linked to numerous phishing and malware schemes.

The initial infection step was simple. Victims downloaded ZIP files containing both the legitimate utility executable and a malicious DLL named autorun.dll.

When the legitimate application was launched, Windows automatically loaded the malicious DLL from the same directory through DLL sideloading, a long-known weakness in the Windows DLL search order that evades detection and requires no exploit.
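As an added example (not code from the Microsoft report or from any of the impersonated projects), the Python script below audits a downloaded ZIP for the sideloading pattern described above: an executable shipped alongside a DLL in the same directory. The archives it inspects are constructed in memory, the installer file names are placeholders, and only the name autorun.dll comes from the report.

```python
"""Audit a ZIP download for DLL sideloading bait: an executable shipped with
a DLL in the same folder.  Added example, not from the Microsoft report; the
archives below are constructed in memory with placeholder contents."""
import io
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath

# The DLL name Microsoft reported for this campaign. Any other name here
# would be an assumption, so the set deliberately holds just this one.
REPORTED_SIDELOAD_DLLS = {"autorun.dll"}


def build_sample_zip(entries):
    """Build an in-memory ZIP from {path: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def audit_zip(data: bytes) -> list:
    """Return one finding per directory that holds both an .exe and a .dll.

    This is the shape sideloading needs: the EXE asks for a DLL by bare
    name, Windows searches the application directory first, and a DLL
    placed there by the attacker is loaded instead of the system copy.
    """
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            suffix = path.suffix.lower()
            if suffix in (".exe", ".dll"):
                by_dir[str(path.parent)][suffix[1:]].append(path.name)

    findings = []
    for directory, files in sorted(by_dir.items()):
        if files["exe"] and files["dll"]:
            dlls = sorted(files["dll"])
            # A DLL name already tied to this campaign raises the severity.
            known = any(d.lower() in REPORTED_SIDELOAD_DLLS for d in dlls)
            findings.append({
                "dir": directory,
                "exe": sorted(files["exe"]),
                "dll": dlls,
                "severity": "high" if known else "medium",
            })
    return findings


# Constructed samples: the installer names are placeholders, not real files.
SUSPICIOUS_ARCHIVE = build_sample_zip({
    "CrystalDiskInfo/CrystalDiskInfoSetup.exe": b"MZ placeholder",
    "CrystalDiskInfo/autorun.dll": b"MZ placeholder",
    "CrystalDiskInfo/readme.txt": b"constructed text",
})
CLEAN_ARCHIVE = build_sample_zip({
    "HWMonitor/HWMonitorSetup.exe": b"MZ placeholder",
})

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_ARCHIVE), ("clean", CLEAN_ARCHIVE)):
        print(label, audit_zip(blob) or "no exe+dll pairs found")
```

A medium finding is not proof of malice, since some legitimate installers do ship helper DLLs; the check is a triage filter that tells you which downloads deserve a signature check and a hash comparison against the vendor's official release before they are run.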

Exploitation of Remote Management Tools

After gaining a foothold, the malware quietly installed ScreenConnect, a legitimate enterprise remote-management product also known as ConnectWise Control.

ScreenConnect itself is a legitimate tool that was abused here, reflecting the growing tendency of attackers to misuse genuine remote monitoring and management (RMM) software to evade detection.

Once remote access was established, the attackers dropped a binary named SimpleRunPE.exe, which Microsoft believes is derived in part from a publicly available GitHub proof-of-concept demonstrating process hollowing.

The malware copied itself into hidden Windows directories as RuntimeHost.exe and created scheduled tasks and startup entries to ensure persistence.

It also repeatedly re-created its Microsoft Defender exclusions, even after users or administrators had removed them.

The malware was carefully engineered to avoid detection by performance-conscious PC users.

Microsoft reports that it monitored GPU activity, system idle state, gaming, and streaming, and paused mining whenever it detected heavy GPU load.

This design likely minimized obvious warning signs such as sudden frame-rate drops, overheating, or loud GPU fans, signals that could alert a user to a compromise.
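As an added example (not code from the Microsoft report or the campaign), the Python script below triages simplified Windows telemetry for two of the behaviours described above: Defender exclusions that reappear after being removed, and Microsoft-signed .NET hosts such as MSBuild.exe, InstallUtil.exe, or RegAsm.exe started by an unexpected parent, which is the visible tell of the process hollowing mentioned earlier. The event records, the RuntimeHost directory path, and the baseline of expected parent processes are all constructed assumptions for the demonstration; real Defender configuration changes arrive as event ID 5007 in the Defender operational log, and both sources would need their own parsing.

```python
"""Triage simplified Windows telemetry for two behaviours from the report.

Added example, not from the Microsoft writeup: event shapes are simplified
and every record below is constructed for the demonstration.
"""
import ntpath
from collections import defaultdict

# .NET hosts the report names as process hollowing targets.
NET_HOSTS = {"msbuild.exe", "installutil.exe", "regasm.exe"}

# Parents a defender might expect to start those hosts. This baseline is an
# assumption and should be tuned to the environment being monitored.
EXPECTED_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}

# Constructed records. "defender_config" stands in for Defender event 5007
# (configuration changed); "process_create" for process-creation telemetry.
# The RuntimeHost directory is a constructed stand-in for the hidden
# directory the report mentions, not a path taken from the report.
EVENTS = [
    {"ts": "2026-04-01T10:00:00", "type": "defender_config", "action": "add",
     "exclusion": r"C:\ProgramData\RuntimeHost"},
    {"ts": "2026-04-01T10:05:00", "type": "defender_config", "action": "remove",
     "exclusion": r"C:\ProgramData\RuntimeHost"},
    {"ts": "2026-04-01T10:05:30", "type": "defender_config", "action": "add",
     "exclusion": r"C:\ProgramData\RuntimeHost"},
    {"ts": "2026-04-01T10:06:00", "type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\ProgramData\RuntimeHost\RuntimeHost.exe"},
    {"ts": "2026-04-01T11:00:00", "type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},  # benign (constructed path)
    {"ts": "2026-04-01T11:30:00", "type": "defender_config", "action": "add",
     "exclusion": r"C:\Dev\build"},  # added once, never removed: not flagged
]


def find_reestablished_exclusions(events):
    """Map exclusion path -> number of times it was re-added after a removal."""
    removed = set()
    readds = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "defender_config":
            continue
        key = ev["exclusion"].lower()
        if ev["action"] == "remove":
            removed.add(key)
        elif ev["action"] == "add" and key in removed:
            readds[ev["exclusion"]] += 1
            removed.discard(key)
    return dict(readds)


def find_suspicious_net_hosts(events):
    """Return process-creation records where a .NET host has an unexpected parent."""
    hits = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        image = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev["parent"]).lower()
        if image in NET_HOSTS and parent not in EXPECTED_PARENTS:
            hits.append({"ts": ev["ts"], "image": image, "parent": parent,
                         "parent_path": ev["parent"]})
    return hits


def triage(events):
    """Combine both checks into a list of human-readable alerts."""
    alerts = []
    for path, n in find_reestablished_exclusions(events).items():
        alerts.append(f"Defender exclusion re-added {n}x after removal: {path}")
    for hit in find_suspicious_net_hosts(events):
        alerts.append(f"{hit['ts']} {hit['image']} started by {hit['parent_path']}")
    return alerts


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

The exclusion check keys on the remove-then-add sequence rather than on the add alone, because a single exclusion is routine in a developer environment while one that comes back after an administrator deleted it is the persistence behaviour the report describes. The parent check is intentionally narrow: the .NET hosts are signed Microsoft binaries, so the image itself never looks wrong, and the parent relationship is where the anomaly shows.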

Advanced Countermeasures

To strengthen its evasion further, the malware ran extensive anti-analysis checks before activating.

It scanned for artifacts of virtual machines, debuggers, reverse-engineering frameworks, packet analyzers, and forensic utilities, including Wireshark, ProcMon, x64dbg, dnSpy, IDA, and Ghidra. If any were present, the malware terminated itself.

Ultimately, the operators used the compromised systems to run various GPU-focused cryptocurrency miners, such as lolMiner, gminer, and SRBMiner-MULTI.

Rather than embedding the miners directly, the payload fetched the most suitable mining software only after a thorough reconnaissance of the infected system, covering GPU type, CPU capabilities, installed antivirus software, memory configuration, and overall system activity.

Implications for Cybersecurity

This campaign highlights a worrying evolution: attackers are expanding their focus beyond traditional search engines to AI-assisted discovery.


SEO poisoning has long been a problem, but the growing use of AI chatbots and LLM-powered assistants for software recommendations appears to be opening a new attack surface, giving malicious sites extra visibility through AI-generated responses.

Users should be especially careful: even familiar utilities obtained from seemingly reliable websites may carry hidden malware, particularly when they come from third-party mirrors or AI-provided links rather than the official vendor domain.

Source link: Tomshardware.com.

Disclosure: This article is for general information only and is based on publicly available sources. We aim for accuracy but can't guarantee it. The views expressed are the author's and may not reflect those of the publication. Some content was created with help from AI and reviewed by a human for clarity and accuracy. We value transparency and encourage readers to verify important details. This article may include affiliate links. If you buy something through them, we may earn a small commission — at no extra cost to you. All information is carefully selected and reviewed to ensure it's helpful and trustworthy.

Reported By

Ranjana Banerjee

I’m Ranjana Banerjee, Creative Content Manager at RSWEBSOLS in Kolkata, India, with 10+ years of experience in blogging, SEO, digital marketing, and e-commerce. I create high-quality content and SEO strategies that boost traffic, improve rankings, and help businesses grow in competitive markets.