Microsoft has uncovered an ongoing cryptojacking campaign that used SEO poisoning and, in some observed cases, AI chatbot-generated software recommendations to lure users into downloading GPU mining malware disguised as popular PC utilities. According to a detailed threat report published Tuesday by Microsoft Defender Experts and the Microsoft Defender Security Research Team, the operation specifically targeted users who likely own high-performance graphics cards, including gamers, hardware enthusiasts, AI users, and overclockers.
The campaign impersonated widely used utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller (DDU), FurMark, K-Lite Codec Pack, and PDFgear. Victims searching for the software on traditional search engines — and, in some cases, via AI chatbot recommendations — were reportedly redirected to attacker-controlled download pages hosting malicious ZIP archives.
Microsoft says the attackers appear less interested in maximizing infection volume and more focused on compromising systems with powerful discrete GPUs suitable for profitable cryptocurrency mining. Once installed, the malware deployed persistent remote-access software using the legitimate ScreenConnect remote-management tool before silently loading GPU mining payloads such as lolMiner, gminer, and SRBMiner-MULTI.
The attack chain relied heavily on stealth techniques typically associated with more advanced malware operations. The downloaded archives bundled legitimate software installers alongside malicious DLLs that were automatically loaded through DLL sideloading. From there, the malware established six separate persistence mechanisms, added Microsoft Defender exclusions, checked for virtual machines and security-analysis tools, and used process hollowing to inject mining code into trusted Microsoft-signed .NET utilities such as MSBuild.exe, InstallUtil.exe, and RegAsm.exe.
Perhaps the most unusual aspect of the campaign, however, is Microsoft’s observation that some malicious domains may have surfaced through interactions with AI chatbots. According to the company, users requesting software download recommendations from large language model (LLM)-based assistants were, in some cases, presented with links to attacker-controlled domains embedded in generated responses. Microsoft stressed that the example was illustrative and “does not indicate a systemic issue with any specific AI service,” but noted that the activity appears consistent with emerging AI-assisted search-poisoning techniques.
According to Microsoft’s analysis, the operation has been active since at least March 2026 and involved more than 150 malicious domains masquerading as trusted utility-download portals. Many of the downloads were hosted on subdomains of gleeze.com, infrastructure linked to the Dynu dynamic DNS service, which has frequently been used in past phishing and malware campaigns.
The initial infection process itself was deceptively simple. Victims downloaded ZIP archives containing both the legitimate utility executable and a malicious DLL named autorun.dll. When the legitimate application launched, Windows automatically loaded the malicious DLL from the same directory via DLL sideloading — a long-standing Windows abuse technique that requires no software exploit and often produces no visible signs of compromise.
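The sideloading layout and the post-infection steps described above, reduced to three hunting heuristics a defender could apply to endpoint telemetry, as an added example that is not from the article or from Microsoft's report; the event field names, the trusted-parent list, and the sample records are assumptions constructed for the demonstration.

```python
# Added example (not from the article or the Microsoft report): three defender-side
# heuristics drawn from the described chain, applied to constructed Sysmon-like records.
HOLLOWING_TARGETS = {"msbuild.exe", "installutil.exe", "regasm.exe"}
SYSTEM_DIRS = ("c:\\windows", "c:\\program files")             # assumption: trusted install roots
TRUSTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}  # assumption: expected launchers

def _split(path):
    """Return (directory, filename), both lower-cased, for a Windows path."""
    d, _, b = path.lower().rpartition("\\")
    return d, b

def triage(events):
    """Return (rule_name, event_index) findings for the given event records."""
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] == "image_load":
            proc_dir, _ = _split(ev["process"])
            dll_dir, dll = _split(ev["image"])
            # Rule 1: autorun.dll loaded from the same directory as a non-system
            # executable, the sideloading layout the archives used.
            if dll == "autorun.dll" and dll_dir == proc_dir and not proc_dir.startswith(SYSTEM_DIRS):
                findings.append(("autorun_dll_sideload", i))
        elif ev["type"] == "process_create":
            _, image = _split(ev["image"])
            _, parent = _split(ev["parent"])
            cmd = ev.get("cmdline", "").lower()
            # Rule 2: a Defender exclusion being added from a command line.
            if "add-mppreference" in cmd and "-exclusion" in cmd:
                findings.append(("defender_exclusion_added", i))
            # Rule 3: a signed .NET utility named in the report launched by an
            # unexpected parent (a coarse hollowing-target heuristic, not proof).
            if image in HOLLOWING_TARGETS and parent not in TRUSTED_PARENTS:
                findings.append(("suspicious_dotnet_utility_launch", i))
    return findings

# Constructed sample telemetry; paths and names are made up, not real indicators.
SAMPLE_EVENTS = [
    {"type": "image_load", "process": "C:\\Users\\u\\Downloads\\Tool\\Tool64.exe",
     "image": "C:\\Users\\u\\Downloads\\Tool\\autorun.dll"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Users\\u\\Downloads\\Tool\\Tool64.exe",
     "cmdline": "powershell -nop -c Add-MpPreference -ExclusionPath C:\\Users\\u\\AppData\\Local\\Temp"},
    {"type": "process_create", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "parent": "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe", "cmdline": ""},
    {"type": "process_create", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "parent": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe", "cmdline": "MSBuild.exe proj.csproj"},
    {"type": "image_load", "process": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\shell32.dll"},
]
```

Running `triage(SAMPLE_EVENTS)` flags the first three records and leaves the benign MSBuild launch from devenv.exe and the ordinary shell32.dll load alone.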
From there, the malware silently installed ScreenConnect, a legitimate enterprise remote-management platform also known as ConnectWise Control. Microsoft emphasized that ScreenConnect itself is not malicious, but rather is being abused by threat actors in the same way attackers increasingly misuse legitimate remote monitoring and management (RMM) tools to evade security scrutiny.