
Microsoft has warned of an active cryptojacking campaign that uses artificial intelligence (AI) chatbot interactions as a delivery mechanism for malicious download sites.
“This new delivery technology extends social engineering beyond traditional search results and increases the visibility of malicious software recommendations,” Microsoft Defender Experts and the Microsoft Defender Security Research Team said in a report published Tuesday.
According to the tech giant, the activity impersonates legitimate system utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear, and is likely targeting users with high-performance GPUs. The idea is to focus on compromising systems with high mining value rather than infecting large numbers of machines indiscriminately.
The campaign is not purely about financial gain. Microsoft also found that the threat actors can establish persistent remote access to compromised hosts through ScreenConnect deployments, which can be exploited for follow-on activity such as data theft, lateral movement, and ransomware.
This attack chain is more planned than other typical cryptocurrency mining efforts, strategically choosing endpoints that help maximize GPU mining yield per compromised device. The Windows maker said it detected and blocked activity related to the campaign.
It all starts when users search for trusted system utilities and hardware monitoring software in search engines and are lured to malicious sites through techniques such as search engine optimization (SEO) poisoning. A subsequent iteration observed in April 2026 indicates that users are being directed to these sites through interactions with large language model (LLM)-based tools rather than through search engine results.
“In these cases, users who asked the AI chatbot for software download recommendations were provided a link to an attacker-controlled domain in the generated response,” Microsoft said. “While this behavior is based on data sources correlating with observed patterns, it is consistent with emerging techniques in AI search result poisoning and represents an extension of traditional SEO poisoning beyond traditional search engines.”
Each of these sites includes a prominent download button that retrieves a ZIP archive from a campaign-specific subdomain of gleeze[.]com, hosted on infrastructure associated with Dynu, a dynamic DNS provider frequently used by threat actors. More than 150 malicious domains serving the trojanized tools have been identified.

The downloaded ZIP file contains a legitimate executable file and a malicious DLL (‘autorun.dll’) that is sideloaded when the user launches the binary. This DLL is designed to install a second malicious DLL named ‘vcredist_x64.dll’ using ‘msiexec.exe’. This file is a packaged installer for the ScreenConnect software.
Once ScreenConnect is installed, the client continually attempts to establish a connection with the attacker-controlled server at 193.42.11[.]108. The ScreenConnect session then serves as a conduit for delivering an executable named “SimpleRunPE.exe.”
This binary is responsible for establishing persistence on the host using registry Run keys and scheduled tasks, configuring Microsoft Defender exclusions, performing anti-analysis checks, and employing process hollowing to launch the mining code inside trusted Microsoft-signed binaries.
Rather than relying on ScreenConnect’s file transfer functionality to drop the binary, some compromises use a PowerShell script that fetches the binary from a remote location, stores it locally as “vlc.exe” to keep it inconspicuous, creates a scheduled task to launch it, and then deletes itself.
The hollowed binary, for its part, communicates with the attacker’s server, sends extensive host information, and downloads and executes the appropriate miner archive at runtime. The malware supports three miner programs: gminer, lolMiner, and SRBMiner-MULTI.
In addition, the binary recreates its persistence artifacts to maintain its foothold and reconfigures the Defender exclusions if they are removed. It also monitors running processes and immediately terminates the miner if it detects any of the following:
taskmgr.exe (Windows Task Manager)
processhacker.exe, processhacker2.exe (Process Hacker)
procexp.exe, procexp64.exe (Process Explorer)
systeminformer.exe (System Informer)
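The following host triage script is an added example and is not code from Microsoft’s report or from The Hacker News. It checks a Windows endpoint for the artifacts described above: unexpected Defender exclusions, Run-key and scheduled-task persistence, a ScreenConnect client service and connections to the reported server, the miner and loader process names, and the dropped file names. The file names, process names, miner names and the server address are taken from the article; the directories searched, the helper name `Add-Finding` and the indicator regex are assumptions of this example.

```powershell
# Added triage example (not from the Microsoft report). Run from an elevated
# PowerShell 5.1+ session on the host being examined.
$Indicators = 'vlc\.exe|SimpleRunPE|gminer|lolMiner|SRBMiner|autorun\.dll|vcredist_x64\.dll'
$C2Address  = '193.42.11.108'   # reported in the article as 193.42.11[.]108
$Findings   = [System.Collections.Generic.List[string]]::new()

function Add-Finding([string]$Text) { $script:Findings.Add($Text) }

# 1. Defender exclusions: the implant adds them and re-creates them if removed,
#    so any exclusion nobody can account for on a workstation deserves a look.
try {
    $pref = Get-MpPreference
    foreach ($e in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
        if ($e) { Add-Finding "Defender exclusion: $e" }
    }
} catch { Add-Finding "Could not read Defender preferences: $($_.Exception.Message)" }

# 2. Run keys in HKLM and HKCU (the report names registry Run keys as a persistence mechanism).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($prop.Value)" -match $Indicators) {
            Add-Finding "Run key ${key}\$($prop.Name) -> $($prop.Value)"
        }
    }
}

# 3. Scheduled tasks whose action launches an indicator name. A 'vlc.exe' under
#    Program Files is most likely the real media player, so it is not flagged.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }     # non-exec actions have no Execute
        $cmd = "$($action.Execute) $($action.Arguments)"
        $hit = $cmd -match $Indicators
        if ($hit -and $cmd -match 'vlc\.exe' -and $cmd -match 'Program Files') { $hit = $false }
        if ($hit) { Add-Finding "Scheduled task '$($task.TaskName)' runs: $cmd" }
    }
}

# 4. ScreenConnect client service and any connection to the reported server.
Get-Service | Where-Object { $_.DisplayName -like 'ScreenConnect Client*' } |
    ForEach-Object { Add-Finding "ScreenConnect client service: $($_.Name) [$($_.Status)]" }
Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding "Connection to $C2Address from PID $($_.OwningProcess) ($($_.State))" }

# 5. Running loader or miner processes. Get-Process is not among the analysis
#    tools the report says the implant watches for, so listing processes this
#    way does not trip the miner's self-termination the way Task Manager would.
Get-Process | Where-Object { $_.ProcessName -match 'SimpleRunPE|gminer|lolMiner|SRBMiner' } |
    ForEach-Object { Add-Finding "Process: $($_.ProcessName) (PID $($_.Id)) $($_.Path)" }

# 6. Dropped files from the ZIP and the MSI-wrapped ScreenConnect installer.
#    The search roots are assumptions; extend them for your environment.
$searchRoots = @("$env:USERPROFILE\Downloads", $env:TEMP, $env:ProgramData)
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -File -Include autorun.dll, vcredist_x64.dll, SimpleRunPE.exe -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding "File: $($_.FullName) ($($_.Length) bytes)" }
}

if ($Findings.Count -eq 0) { 'No artifacts from the campaign found.' }
else { "Findings ($($Findings.Count)):"; $Findings | ForEach-Object { " - $_" } }
```

Two points on using this: the Defender exclusion check lists every exclusion, including legitimate ones an administrator configured, so compare the output against what is expected rather than treating each entry as a hit; and because the implant re-creates its Run keys, tasks and exclusions when they are deleted, removing individual artifacts without first stopping the loader process will only produce a host that looks clean for a few minutes.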
“This combination of AI-assisted delivery, software impersonation, and persistent access highlights how threat actors are adapting their social engineering and monetization strategies to modern user behavior,” Microsoft said.
This disclosure comes days after Microsoft detailed how an unknown attacker compromised an Internet-facing F5 BIG-IP firewall appliance and exploited trust relationships to pivot to an internal Linux host, highlighting the continued exploitation of Internet-facing edge appliances as initial access points.
The company said the Linux host allowed the attackers to perform comprehensive reconnaissance and move laterally to vulnerable Atlassian Confluence servers, but attempts to execute remote code via an unpatched security flaw in the software failed.
To work around this, the attackers reportedly used Python’s ftplib module to set up an FTP server on the initial Linux host, transferred a custom scanning tool to the Confluence server, and then obtained credentials to authenticate to the Windows infrastructure. This was followed by a Kerberos relay attack and exploitation of CVE-2025-33073.
“From there, the attackers compromised the vulnerable SaaS application and abused its credentials to perform relay-style authentication attacks against Active Directory,” the report said.

“In this incident, the threat actor used a privileged account to authenticate to the Linux server via SSH. The threat actor maintained this level of access throughout the observed activity without establishing an explicit persistence mechanism. This highlighted the risk posed by over-privileged identities with sudo privileges.”
Earlier this month, Microsoft also disclosed another intrusion in which attackers exploited trusted operational relationships and authentication processes to establish persistent access, leveraging compromised third-party IT service providers and legitimate IT management tools to orchestrate covert campaigns focused on long-term access and credential theft.
“Third-party service providers and integrated management tools can become enforcement gaps when visibility is limited or verification is assumed. Threat actors understand this,” Redmond said. “They leverage legitimate components, reliable update paths, and approved integrations to entrench themselves within environments that appear compliant on the surface.”
“Defenders should adopt an attitude of intentional validation. Trust vendors and tools, but verify their behavior within the environment. Organizations operating in sensitive sectors should assume that threat actors with this level of sophistication will continue to refine third-party exploitation, credential interception, and stealth persistence mechanisms to maintain strategic access.”
