
GPU mining malware spreads via SEO poisoning, AI chatbots

GPU mining – Microsoft researchers say a cryptojacking campaign is luring users with SEO-poisoned download links for common utilities and, in some cases, steering them through AI chatbot recommendations. Once installed, the attackers use ScreenConnect for persistent remote

The first step in this cryptojacking campaign looks almost ordinary: people search for utility software, click what appears to be the right download, and move on with their day. What follows is anything but.

Microsoft researchers describe an ongoing GPU mining campaign that reaches victims through a coordinated SEO poisoning operation. Users searching for tools aimed at high-performance systems are shown malicious links boosted in search rankings, and some victims are then directed to attacker-controlled domains after interacting with AI-based assistants.

The traps are disguised as downloads for utilities typically installed on powerful systems. Microsoft lists CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear as examples of the software categories being targeted. Compromise starts when users look for one of these utilities and are presented with links that lead to malicious download pages.


In the cases tied to AI chatbot usage, the pattern shifts without changing the outcome. Microsoft says users querying AI chatbots for software download recommendations were presented with links to attacker-controlled domains within generated responses.

The malicious download itself is a ZIP archive hosted on a subdomain at gleeze[.]com, a domain that Microsoft notes has been flagged in the past for association with phishing websites. Inside the archive, the attackers include the legitimate executable for the targeted utility alongside a malicious DLL designed to be loaded automatically when the benign binary is launched.
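The exe-plus-DLL layout described above is what a defender should look for when triaging a downloaded archive. The following Python is an added example (not code from Microsoft's report or from any of the named utilities): it builds a constructed ZIP in memory with placeholder file names, parses each PE header far enough to see whether the file carries an embedded Authenticode blob (the IMAGE_DIRECTORY_ENTRY_SECURITY data directory), and flags any directory where an executable sits next to a DLL that has no signature at all. The stand-in PE files, the archive layout and the file names are all constructed for the example.

```python
import io
import struct
import zipfile
from typing import Dict, List, Tuple

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the optional header


def pe_has_security_directory(data: bytes) -> bool:
    """True if the PE's security data directory is populated, i.e. the file
    carries an embedded Authenticode blob. Presence only: this does not
    validate the signature or its certificate chain."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: NumberOfRvaAndSizes at 92, directories at 96
        n_rva_off, dir_off = 92, 96
    elif magic == 0x20B:    # PE32+: NumberOfRvaAndSizes at 108, directories at 112
        n_rva_off, dir_off = 108, 112
    else:
        raise ValueError("unknown optional header magic")
    n_dirs = struct.unpack_from("<I", data, opt + n_rva_off)[0]
    if n_dirs <= SECURITY_DIR_INDEX or size_opt < dir_off + (SECURITY_DIR_INDEX + 1) * 8:
        return False
    va, size = struct.unpack_from("<II", data, opt + dir_off + SECURITY_DIR_INDEX * 8)
    return va != 0 and size != 0


def make_minimal_pe(signed: bool, pe32plus: bool = True) -> bytes:
    """Constructed stand-in PE (headers only, no sections) for the sample
    archive; 'signed' fills the security directory with a dummy blob."""
    n_rva_off, dir_off = (108, 112) if pe32plus else (92, 96)
    opt_size = dir_off + 16 * 8
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, n_rva_off, 16)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after DOS header
    blob = b"DUMMY-WIN_CERTIFICATE" if signed else b""
    if signed:  # security directory holds a file offset, not an RVA
        struct.pack_into("<II", opt, dir_off + SECURITY_DIR_INDEX * 8, 0x40 + 4 + 20 + opt_size, len(blob))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + blob


def build_sample_archive() -> bytes:
    """Constructed ZIP mirroring the layout the report describes: a signed
    vendor executable next to an unsigned DLL. Names are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Utility/utility.exe", make_minimal_pe(signed=True))
        zf.writestr("Utility/helper.dll", make_minimal_pe(signed=False))
        zf.writestr("Utility/README.txt", b"thanks for downloading")
        zf.writestr("Utility/plugins/codec.dll", make_minimal_pe(signed=True, pe32plus=False))
    return buf.getvalue()


def scan_archive(zip_bytes: bytes) -> Tuple[List[Tuple[str, bool]], Dict[str, List[str]]]:
    """Return (per-PE signature presence, sideload candidates). A directory is a
    candidate when an .exe sits next to a DLL with no embedded signature, since
    the application's own directory is searched early in the DLL load order."""
    inventory: List[Tuple[str, bool]] = []
    exes: Dict[str, List[str]] = {}
    unsigned_dlls: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith((".exe", ".dll")):
                continue
            directory, _, fname = info.filename.rpartition("/")
            try:
                signed = pe_has_security_directory(zf.read(info))
            except ValueError:
                signed = False  # malformed PE: treat as unsigned for triage
            inventory.append((info.filename, signed))
            if fname.lower().endswith(".exe"):
                exes.setdefault(directory, []).append(fname)
            elif not signed:
                unsigned_dlls.setdefault(directory, []).append(fname)
    candidates = {d: dlls for d, dlls in unsigned_dlls.items() if d in exes}
    return inventory, candidates


if __name__ == "__main__":
    inv, cands = scan_archive(build_sample_archive())
    for path, signed in inv:
        print(f"{path}: {'signed' if signed else 'UNSIGNED'}")
    print("sideload candidates:", cands)
```

A populated security directory only shows that a signature blob is present; real triage still verifies the chain (for example with Get-AuthenticodeSignature or signtool). The useful signal in this layout is the other way round: a vendor binary that is properly signed is exactly what makes the unsigned DLL beside it worth a closer look, because the signed executable will load it without complaint.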


That DLL then pulls the next thread: Microsoft says it uses msiexec.exe to install vcredist_x64.dll, which acts as a package installer for the ScreenConnect remote access tool. Once ScreenConnect is installed and a remote session is established with the compromised client, Microsoft says the attacker gains persistent access and can later use that access to install additional malware.

At that point, the campaign moves from access to persistence. Microsoft describes a follow-on binary named SimpleRunPE.exe, which copies itself as RuntimeHost.exe into a folder hidden in Explorer. Its stated goal is to establish “six persistence mechanisms across multiple Windows autostart locations.” In some cases, Microsoft says the binary is delivered through a malicious PowerShell script and saved locally as vlc.exe—an impersonation attempt aimed at the popular VideoLAN multimedia player.


The stealth strategy gets more specific after that. Based on the malware’s Program Database (PDB) path, Microsoft believes SimpleRunPE.exe is a fork of a public repository used to demonstrate process hollowing. The attackers use this technique to hide inside legitimate .NET binaries that are signed by Microsoft, including InstallUtil.exe, RegAsm.exe, RegSvcs.exe, MSBuild.exe, AppLaunch.exe, AddInProcess.exe, and aspnet_compiler.exe.

Microsoft also says the malicious binary invokes PowerShell to add its path and process to the exclusion list in Microsoft Defender, and that it checks the environment for virtual machines and for a set of 40 process names associated with analysis tools. If the malware detects that it’s running in a monitored environment, it terminates execution.

When the process hollowing stage succeeds and the malware is running inside a Microsoft-signed Windows utility, the campaign’s payoff arrives: one of three GPU mining modules is downloaded and executed. Microsoft says the supported mining programs are gminer, lolMiner, and SRBMiner-MULTI.
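The stages described in the last few paragraphs (msiexec installing ScreenConnect from a .dll, the RuntimeHost.exe/vlc.exe persistence binary, PowerShell adding Defender exclusions, signed .NET utilities used as hollowing hosts, and the three miners) each leave a distinct trace in process-creation telemetry. The Python below is an added example, not code from Microsoft's report: it runs a small set of triage rules over constructed Sysmon-style records (field names follow Sysmon Event ID 1: Image, CommandLine, ParentImage). The developer-parent allow-list, the paths under C:\Users\u, the .cache folder name and the pool.example host are assumptions made for the example; the process and miner names come from the article.

```python
import re
from typing import Dict, List, Tuple

# Signed .NET utilities the report names as process-hollowing hosts.
HOLLOWING_HOSTS = {
    "installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
    "applaunch.exe", "addinprocess.exe", "aspnet_compiler.exe",
}
# Parents under which those utilities may legitimately start with no
# arguments (assumed allow-list for this example; tune per environment).
DEV_TOOL_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}
MINERS = ("gminer", "lolminer", "srbminer-multi")      # miners named in the report
STAGE_NAMES = {"simplerunpe.exe", "runtimehost.exe"}   # persistence-stage file names

DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)", re.I | re.S)
MSIEXEC_DLL_ARG = re.compile(r"\.dll(?:\"|\s|$)", re.I)

Event = Dict[str, str]
Alert = Tuple[str, str]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the (possibly quoted) program token."""
    rest = cmdline.strip()
    if rest.startswith('"'):
        close = rest.find('"', 1)
        rest = rest[close + 1:] if close != -1 else ""
    else:
        rest = rest.partition(" ")[2]
    return rest.strip() != ""


def triage(events: List[Event]) -> List[Alert]:
    """Apply the rules to process-creation records and return (rule, image) pairs."""
    alerts: List[Alert] = []
    for ev in events:
        image, cmd = ev["Image"], ev.get("CommandLine", "")
        name, parent = basename(image), basename(ev.get("ParentImage", ""))
        # msiexec normally consumes .msi/.msp packages; a .dll argument matches
        # the ScreenConnect installer stage the report describes.
        if name == "msiexec.exe" and MSIEXEC_DLL_ARG.search(cmd):
            alerts.append(("msiexec_dll_package", image))
        if name in ("powershell.exe", "pwsh.exe") and DEFENDER_EXCLUSION.search(cmd):
            alerts.append(("defender_exclusion_added", image))
        # Hollowing tools typically create the host with only its path as the
        # command line, so a signed .NET utility with no arguments under a
        # non-developer parent stands out.
        if name in HOLLOWING_HOSTS and not has_arguments(cmd) and parent not in DEV_TOOL_PARENTS:
            alerts.append(("signed_dotnet_host_no_args", image))
        if name == "vlc.exe" and "\\videolan\\vlc\\" not in image.lower():
            alerts.append(("vlc_name_impersonation", image))
        if name in STAGE_NAMES:
            alerts.append(("reported_stage_filename", image))
        if any(m in name or m in cmd.lower() for m in MINERS):
            alerts.append(("known_gpu_miner", image))
    return alerts


# Constructed sample telemetry: two benign records followed by one per stage.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "CommandLine": r'"C:\Program Files\VideoLAN\VLC\vlc.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\MSBuild\MSBuild.exe",
     "CommandLine": "MSBuild.exe app.csproj /t:Build",
     "ParentImage": r"C:\Program Files\VS\devenv.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\u\AppData\Local\Temp\vcredist_x64.dll" /qn',
     "ParentImage": r"C:\Users\u\Downloads\Utility\utility.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c Add-MpPreference -ExclusionPath "
                    r"'C:\Users\u\AppData\Local\.cache' -ExclusionProcess 'RuntimeHost.exe'",
     "ParentImage": r"C:\Users\u\AppData\Local\.cache\RuntimeHost.exe"},
    {"Image": r"C:\Users\u\AppData\Local\.cache\RuntimeHost.exe",
     "CommandLine": "RuntimeHost.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\vlc.exe"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\vlc.exe",
     "CommandLine": r'"C:\Users\u\AppData\Local\Temp\vlc.exe"',
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"',
     "ParentImage": r"C:\Users\u\AppData\Local\.cache\RuntimeHost.exe"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\lolMiner.exe",
     "CommandLine": "lolMiner.exe --pool pool.example:4444 --user wallet",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"},
]

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule:28s} {image}")
```

The rules are deliberately narrow so that each maps to one observable from the article; in production they would be paired with the file-hash and domain indicators Microsoft publishes, and the no-arguments rule in particular needs the parent allow-list tuned to whatever build tooling the environment actually runs.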

Microsoft frames the campaign’s design as deliberate rather than opportunistic, saying the cryptomining operation stands out for its “targeting and monetization strategy engineered from the ground up to maximize GPU mining yield per compromised device,” instead of pursuing high volume.

For organizations looking to defend against it, Microsoft notes that tools provided by Microsoft can help, and it also points to indicators of compromise included in the report. The core problem, though, is easy to feel in hindsight: people aren’t being hit by an obvious “hack” moment. They’re being redirected—first by search results and, in some cases, by AI chatbot recommendations—toward software downloads that turn out to be the first door into their systems’ GPU power.


4 Comments

  1. I swear the search results are getting worse. Like you type the name of a program and it’s the same junk sites every time. Also AI chatbots telling you where to download sounds like the dumbest thing ever.

  2. Wait, ScreenConnect?? Isn’t that for IT people like remote help desks? So they just steal your GPU and then remote into you? This is why I don’t trust any “utility” link. I’m not even searching for GPU stuff and I still get sketchy download pages popping up sometimes.

  3. The part about AI chatbots is scary but also it sounds like the chatbot is getting blamed for what search engines did. Like people are searching anyway, right? I also saw that K-Lite Codec Pack and PDFgear are mentioned and those sites are always kinda weird, so maybe it was coming from that whole codec era. If the ZIP has a legit exe and a bad DLL, then Windows just lets it run like normal?? Microsoft should’ve blocked ScreenConnect installs automatically or something.
