
Advanced Cryptojacking Campaign: Leveraging SEO Poisoning and AI Chatbots to Target High-Performance GPUs

Cybersecurity researchers have identified a sophisticated cryptojacking operation that marks an evolution in delivery methods. Traditional search engine poisoning remains a staple, but this campaign has also begun to exploit Large Language Model (LLM) chatbots: AI assistants have been observed recommending malicious, attacker-controlled download sites to unsuspecting users.

The campaign specifically targets enthusiasts and professionals with high-performance hardware. Threat actors deploy lookalike domains that impersonate widely used system utilities, including CrystalDiskInfo, HWMonitor, Display Driver Uninstaller (DDU), FurMark, K-Lite Codec Pack, and PDFgear.

Rather than attempting a “spray and pray” mass infection, this operation is highly optimized. By targeting high-end GPU owners, the attackers maximize their mining profitability per infected host. Furthermore, the campaign establishes deep persistence through abused ScreenConnect (ConnectWise Control) deployments, providing a foothold that could easily be repurposed for lateral movement, data exfiltration, or ransomware deployment.

Attack chain overview (Source: Microsoft).

The Attack Lifecycle: From SEO to LLM Manipulation

The infection chain typically begins with a user searching for a specific hardware utility. Through SEO poisoning, manipulated search results direct users to malicious domains. Most alarmingly, Microsoft observed instances in early 2026 where AI chatbots surfaced these same malicious links, effectively extending the reach of social engineering into the realm of AI-assisted interactions.

Microsoft Defender Experts have detailed how these domains are often hosted on subdomains of gleeze[.]com, a dynamic DNS zone frequently associated with malicious activity. Because the actor can register new hostnames under such a zone at will, blocking individual subdomains lags behind the campaign; monitoring or blocking the parent zone is more durable wherever it does not break legitimate use.

Technical Execution: DLL Sideloading and Persistence

The payload is delivered via a ZIP archive containing two primary files: a legitimate, signed executable for the spoofed utility and a malicious DLL named autorun.dll placed beside it. This setup leverages DLL sideloading: Windows searches the application's own directory before system directories when resolving a DLL that is not a KnownDLL, so when the user launches the genuine application it loads the attacker's autorun.dll instead of the expected library. The executable's signature still validates, so the launch raises no immediate suspicion.

Once active, autorun.dll invokes msiexec.exe to silently install a secondary payload named vcredist_x64.dll, disguised as a Visual C++ redistributable. The .dll extension is cosmetic: msiexec installs whatever package it is handed regardless of file name, and this file is a ScreenConnect client configured to establish a reverse connection to the attacker's Command and Control (C2) infrastructure. A msiexec /i command whose package does not end in .msi or .msp is therefore worth alerting on in its own right.
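The two-step chain above (unsigned DLL loaded from the launched program's own directory, followed by that process spawning msiexec against a non-MSI file) can be correlated from ordinary endpoint telemetry. The following is an added detection example written for this article, not Microsoft's detection logic or the report's own code. The event dictionaries mimic Sysmon Event ID 1 (process create) and Event ID 7 (image load), but the field names, the directory paths and every sample event are constructed assumptions.

```python
"""Correlate a DLL-sideload launch with a follow-on msiexec install.

Added detection example, not Microsoft's own logic. Event dictionaries mimic
Sysmon Event ID 1 (process create) and Event ID 7 (image load); the field
names, paths and all sample events are constructed for this example.
"""
import ntpath
import re
from collections import defaultdict

# Constructed telemetry: a user runs the genuine DiskInfo64.exe extracted from
# the fake CrystalDiskInfo ZIP, it sideloads autorun.dll from the same folder,
# and that DLL spawns msiexec against the renamed ScreenConnect package.
DL = r"C:\Users\u\Downloads\CrystalDiskInfo"
EVENTS = [
    {"id": 1, "pid": 4120, "ppid": 880, "image": DL + r"\DiskInfo64.exe",
     "cmdline": f'"{DL}\\DiskInfo64.exe"'},
    {"id": 7, "pid": 4120, "image": DL + r"\DiskInfo64.exe",
     "loaded": DL + r"\autorun.dll", "loaded_signed": False},
    {"id": 1, "pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": f'msiexec.exe /i "{DL}\\vcredist_x64.dll" /qn'},
    # Benign control: an installer that loads a system DLL and runs a real .msi
    {"id": 1, "pid": 5000, "ppid": 880, "image": r"C:\Users\u\Downloads\setup.exe",
     "cmdline": "setup.exe"},
    {"id": 7, "pid": 5000, "image": r"C:\Users\u\Downloads\setup.exe",
     "loaded": r"C:\Windows\System32\msi.dll", "loaded_signed": True},
    {"id": 1, "pid": 5010, "ppid": 5000, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\u\AppData\Local\Temp\app.msi" /qn'},
]

PACKAGE_EXTENSIONS = {".msi", ".msp"}  # what msiexec /i is expected to be handed


def sideloaded_dlls(events):
    """Map pid -> unsigned DLLs loaded from the process's own image directory.

    An unsigned DLL resolved from the application directory instead of a
    system directory is the classic sideload shape; on its own it is only a
    weak signal because plugin-style applications do the same legitimately.
    """
    found = defaultdict(list)
    for e in events:
        if e["id"] != 7 or e.get("loaded_signed", True):
            continue
        exe_dir = ntpath.dirname(e["image"]).lower()
        dll_dir = ntpath.dirname(e["loaded"]).lower()
        if exe_dir == dll_dir and not exe_dir.startswith(r"c:\windows"):
            found[e["pid"]].append(e["loaded"])
    return dict(found)


def msiexec_package(cmdline):
    """Return the path passed to msiexec /i (quoted or bare), or None."""
    m = re.search(r'/i\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def detect_sideload_msiexec_chain(events):
    """Alert on msiexec launches that install a non-MSI file and/or whose parent
    just sideloaded an unsigned DLL; both signals together is high severity."""
    loads = sideloaded_dlls(events)
    alerts = []
    for e in events:
        if e["id"] != 1 or ntpath.basename(e["image"]).lower() != "msiexec.exe":
            continue
        package = msiexec_package(e.get("cmdline", ""))
        reasons = []
        if package and ntpath.splitext(package)[1].lower() not in PACKAGE_EXTENSIONS:
            reasons.append(f"msiexec handed a non-MSI file: {ntpath.basename(package)}")
        for dll in loads.get(e["ppid"], []):
            reasons.append(f"parent {e['ppid']} sideloaded unsigned {ntpath.basename(dll)}")
        if reasons:
            alerts.append({"pid": e["pid"], "ppid": e["ppid"], "package": package,
                           "severity": "high" if len(reasons) > 1 else "medium",
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_sideload_msiexec_chain(EVENTS):
        print(a["severity"], a["pid"], "; ".join(a["reasons"]))
```

The benign control pair never alerts: setup.exe loads a signed DLL from System32 and hands msiexec a real .msi, which is why the severity logic treats either signal alone as medium and only the combination as high.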

Files dropped after extraction of the ZIP file (Source: Microsoft).

Using the legitimate remote management capabilities of ScreenConnect, operators drop a SimpleRunPE binary. This tool, a variant of a known process-hollowing project, installs itself as RuntimeHost.exe within a hidden directory identified by the campaign tag D3F4E2A1. To ensure it survives a reboot, the malware configures an aggressive persistence profile consisting of three scheduled tasks, two registry Run keys, and a Startup shortcut. Because these entries are redundant, removing only one of them leaves the host infected; remediation has to enumerate and clear all three mechanisms, and the ScreenConnect client itself, in the same pass.

Evasion and Stealth Techniques

To remain undetected, the malware employs process hollowing. It launches a trusted Microsoft-signed .NET utility (such as InstallUtil.exe, RegAsm.exe, or MSBuild.exe) in a suspended state, then uses low-level API calls, specifically WriteProcessMemory, SetThreadContext, and ResumeThread, to replace the legitimate code in memory with its own instructions before the first thread runs. The result is a process whose on-disk image is a signed Microsoft binary but whose memory is attacker code, so image-based allow-listing and signature checks see nothing wrong; detection has to come from the launch context (an unexpected parent, no command-line arguments) and from the parent's memory-write and thread-control access to the child.
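The launch-context signals just described can be scored from process-create and process-access telemetry. The following is an added detection example written for this article, not Microsoft's detection logic or SimpleRunPE's code. Events mimic Sysmon Event ID 1 (process create) and Event ID 10 (process access); the field names, the directory holding RuntimeHost.exe, the list of expected parent processes and every sample event are constructed assumptions to be tuned for a real estate.

```python
"""Score process-hollowing candidates from process-create and process-access events.

Added detection example, not Microsoft's own logic. Events mimic Sysmon
Event ID 1 (process create) and Event ID 10 (process access); field names,
the RuntimeHost.exe directory and all sample events are constructed.
"""
import ntpath
from collections import defaultdict

# Signed .NET utilities the report names as hollowing hosts.
HOLLOW_HOSTS = {"installutil.exe", "regasm.exe", "msbuild.exe"}
# Parents that legitimately spawn those utilities (assumption; tune per estate).
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "msiexec.exe"}

# Access rights a hollowing loader needs on the child: WriteProcessMemory needs
# VM_OPERATION|VM_WRITE and resuming the suspended process needs SUSPEND_RESUME.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800
HOLLOW_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME

NET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
VS = r"C:\Program Files\Microsoft Visual Studio\2022\Community"
HOST = r"C:\ProgramData\D3F4E2A1\RuntimeHost.exe"  # directory is an assumption
EVENTS = [
    # Malicious: RuntimeHost.exe starts InstallUtil.exe with no arguments and
    # holds a full-access handle (0x1FFFFF) to it.
    {"id": 1, "pid": 7001, "ppid": 6950, "image": NET + r"\InstallUtil.exe",
     "cmdline": NET + r"\InstallUtil.exe", "parent_image": HOST},
    {"id": 10, "source_pid": 6950, "target_pid": 7001, "granted_access": 0x1FFFFF},
    # Benign: Visual Studio builds a project with MSBuild; same handle rights.
    {"id": 1, "pid": 7100, "ppid": 7099, "image": VS + r"\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build',
     "parent_image": VS + r"\Common7\IDE\devenv.exe"},
    {"id": 10, "source_pid": 7099, "target_pid": 7100, "granted_access": 0x1FFFFF},
]


def arguments_after_image(cmdline):
    """Strip the leading executable token (quoted or bare) and return the rest."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    parts = cmdline.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def score_hollowing_candidates(events, threshold=2):
    """Return launches of the .NET utilities that look like hollowing targets.

    Each of three signals scores one point. A parent holding write+suspend
    rights is normal for any process it created, so that signal only matters
    together with an unexpected parent or an argument-less launch.
    """
    access_by_target = defaultdict(list)
    for e in events:
        if e["id"] == 10:
            access_by_target[e["target_pid"]].append(e)

    findings = []
    for e in events:
        if e["id"] != 1:
            continue
        host = ntpath.basename(e["image"]).lower()
        if host not in HOLLOW_HOSTS:
            continue
        parent = ntpath.basename(e["parent_image"]).lower()
        reasons = []
        if parent not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {parent}")
        if not arguments_after_image(e["cmdline"]):
            reasons.append("started without arguments")
        if any(a["source_pid"] == e["ppid"] and (a["granted_access"] & HOLLOW_MASK) == HOLLOW_MASK
               for a in access_by_target.get(e["pid"], [])):
            reasons.append("parent holds VM_WRITE|VM_OPERATION|SUSPEND_RESUME on child")
        if len(reasons) >= threshold:
            findings.append({"pid": e["pid"], "host": host, "parent": parent,
                             "score": len(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in score_hollowing_candidates(EVENTS):
        print(f["score"], f["host"], "<-", f["parent"], "; ".join(f["reasons"]))
```

The Visual Studio pair scores only one point (the handle rights), which is below the default threshold; the RuntimeHost.exe launch scores three. Lowering the threshold to 1 is useful for hunting but will surface every build server.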

Process hollowing attempt by malware (Source: Microsoft).

Additional defensive measures include:

  • Anti-Analysis: The malware performs VM detection and checks for the presence of debugger and analyst tools before running its payload.
  • Defender Evasion: The actors programmatically register Microsoft Defender exclusions for the paths and processes used during mining. Adding exclusions requires administrative rights, so an exclusion that no administrator recognizes is itself a strong indicator and should be part of any triage.
  • C2 Security: The malware uses certificate pinning for its WebSocket C2 connection to wss[:]//minemine.gleeze[.]com:8443/ws. Pinning means a TLS-inspecting proxy cannot read the traffic, so network detection has to rely on the destination host, port and SNI rather than on payload content.
  • Intelligent Mining: The modular loader fetches miners such as gminer, lolMiner, or SRBMiner-MULTI. Crucially, the malware monitors host activity; if it detects high GPU usage or user interaction, it pauses mining to avoid the performance lag that would alert the user, which also means GPU-load baselining alone will miss it during working hours.

Mitigation and Defense Strategies

Microsoft’s telemetry has linked this campaign to over 150 malicious domains. Organizations can defend against this threat by implementing the following controls:

  • Enable Cloud-Delivered Protection: Newly observed droppers and miner builds are blocked on first sight rather than waiting for local signature updates to catch up with the rapidly changing payloads.
  • Enforce Attack Surface Reduction (ASR) Rules: Specifically, rules that block executables that do not meet prevalence, age, or trusted-list criteria and that block suspicious process creations from Office and scripting hosts.
  • Implement Network/Web Protection: Utilize EDR and web gateways to block communication with known malicious C2 infrastructure.
  • User Awareness: Educate staff to verify the legitimacy of software downloads and to treat links provided by AI chatbots with the same scrutiny as search engine results.

Indicators of Compromise (IOCs)

Indicator | Type | Description
direct-download[.]gleeze[.]com | Domain | Hosts malicious ZIP files
start-download[.]gleeze[.]com | Domain | Hosts malicious ZIP files
direct-downloads[.]giize[.]com | Domain | Hosts malicious ZIP files
free-download[.]giize[.]com | Domain | Hosts malicious ZIP files
directdownload[.]icu | Domain | ScreenConnect client connection point
16562974deec80e41ef57a71a6de8c03ceb393005fb1432f8d9d82c61294ef8c | SHA256 | Malicious autorun.dll used via sideloading
1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5 | SHA256 | Malicious autorun.dll used via sideloading
062bb28765fbaa11f8cc341fa16e2c7f942a122d929cb41f4a0f755b4429f246 | SHA256 | Malicious autorun.dll used via sideloading
c7425fbe6c3a4937934215c54027d4b67202d12ab490682fae03498870d66d06 | SHA256 | Malicious autorun.dll used via sideloading
a460d00ef93c8ce70d32e48e55781af66a53328fc2dde45519be196c265de074 | SHA256 | Malicious autorun.dll used via sideloading
db2d33c4e6e4a5c2263b56e8303c343305a94dde1fc2968304ba260acbbd9f9f | SHA256 | Malicious autorun.dll used via sideloading
cf3f8160eb5a5580e0c35054847e3ac4d01e9fe74fab8bc12bf6e8a40bf696b2 | SHA256 | Malicious autorun.dll used via sideloading
69077fcf940fc5852fb32beed15636756ebc04ac971b7ed71d36251e7ea70a20 | SHA256 | Malicious autorun.dll used via sideloading
2ee93ccbcd49ed94c65dcf52e7dcb8f0fa0a443ca24c0e0c7f79152efba657b7 | SHA256 | Malicious autorun.dll used via sideloading
193.42.11[.]108 | IP Address | Attacker-controlled ScreenConnect IP
9ff07c9fafa9c03fdf69e4abf6806aa7c8b5480e7e258f227db0719ecd6386 | SHA256 | SimpleRunPE.exe binary (62 hex characters as published, not a complete SHA-256; verify against the original report before loading it)
7035c2abeb617e828dfda1b119b8544fa9ae15a1d263d18bc5506acaf381f496 | SHA256 | SimpleRunPE.exe binary
e021662a652ba95c8778b991056696ab3c9b0f60d5e23b1e6cf73c3847db6610 | SHA256 | ScreenConnect installer masquerading as a DLL (vcredist_x64.dll)
wss[:]//minemine.gleeze[.]com:8443/ws | URL | C2 communication endpoint

Note: IP addresses, domains and URLs are defanged (e.g., [.] and [:]) so they cannot be resolved or clicked by accident. Re-fang only within secure threat intelligence platforms (SIEM, MISP, etc.), and validate each indicator's format before it enters a blocklist.
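Refanging and validating the list above, then sweeping logs for it, is routine enough to script. The following is an added example written for this article, not part of the report or of any vendor tool. The indicator values are the ones published above (including the 62-character hash, kept deliberately to show it being rejected); the key=value log format, the host names and every log line are constructed. The two-tier matching (exact indicators at high severity, the dynamic DNS zones the report names at medium) is a design choice of this example, not something the report prescribes.

```python
"""Refang the published indicators and sweep constructed log lines for them.

Added example, not part of the report. The key=value log format and all
sample lines are constructed; the indicator values are the published ones.
"""
import re

# Indicators as published (defanged). The 62-character hash is kept to show
# how a malformed indicator is rejected rather than silently never matching.
RAW_IOCS = {
    "domain": ["direct-download[.]gleeze[.]com", "start-download[.]gleeze[.]com",
               "direct-downloads[.]giize[.]com", "free-download[.]giize[.]com",
               "directdownload[.]icu"],
    "ip": ["193.42.11[.]108"],
    "url": ["wss[:]//minemine.gleeze[.]com:8443/ws"],
    "sha256": ["16562974deec80e41ef57a71a6de8c03ceb393005fb1432f8d9d82c61294ef8c",
               "e021662a652ba95c8778b991056696ab3c9b0f60d5e23b1e6cf73c3847db6610",
               "9ff07c9fafa9c03fdf69e4abf6806aa7c8b5480e7e258f227db0719ecd6386"],
}
# Dynamic DNS zones the report says the actor operates under. A hit here is a
# lower-confidence lead because other tenants use the same zones.
WATCH_ZONES = ["gleeze.com", "giize.com"]

# Constructed log lines in a simple "timestamp source key=value ..." format.
CONSTRUCTED_LOGS = [
    "2026-01-14T10:02:11Z dns client=10.0.0.5 query=start-download.gleeze.com",
    "2026-01-14T10:02:40Z proxy client=10.0.0.5 url=wss://minemine.gleeze.com:8443/ws action=allow",
    "2026-01-14T10:03:02Z edr host=WS-17 sha256=E021662A652BA95C8778B991056696AB3C9B0F60D5E23B1E6CF73C3847DB6610 path=C:\\Users\\u\\Downloads\\vcredist_x64.dll",
    "2026-01-14T10:05:00Z dns client=10.0.0.9 query=updates.gleeze.com",
    "2026-01-14T10:06:00Z fw client=10.0.0.5 dst=193.42.11.108 dport=8443",
    "2026-01-14T10:07:00Z dns client=10.0.0.7 query=www.example.com",
]


def refang(value):
    """Undo the common defanging conventions ([.], [:], hxxp) and lower-case."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http").lower()


def load_iocs(raw):
    """Refang and normalise indicators; hashes that are not 64 hex chars are rejected."""
    iocs = {kind: set() for kind in raw}
    iocs["rejected"] = set()
    for kind, values in raw.items():
        for v in values:
            v = refang(v)
            if kind == "sha256" and not re.fullmatch(r"[0-9a-f]{64}", v):
                iocs["rejected"].add(v)
                continue
            iocs[kind].add(v.rstrip(".") if kind == "domain" else v)
    return iocs


KV = re.compile(r"(\w+)=(\S+)")
URL_HOST = re.compile(r"^[a-z]+://([^/:]+)", re.IGNORECASE)


def scan_line(line, iocs, zones=WATCH_ZONES):
    """Return (kind, severity, value) hits for one key=value log line."""
    fields = dict(KV.findall(line))
    hits = []
    host = fields.get("query")
    url = fields.get("url", "").lower()
    if url in iocs["url"]:
        hits.append(("url", "high", url))
    elif url:
        m = URL_HOST.match(url)
        if m:
            host = m.group(1)  # fall back to matching the URL's host as a domain
    if host:
        host = host.lower().rstrip(".")
        if host in iocs["domain"]:
            hits.append(("domain", "high", host))
        elif any(host == z or host.endswith("." + z) for z in zones):
            hits.append(("zone", "medium", host))
    if fields.get("dst") in iocs["ip"]:
        hits.append(("ip", "high", fields["dst"]))
    if fields.get("sha256", "").lower() in iocs["sha256"]:
        hits.append(("sha256", "high", fields["sha256"].lower()))
    return hits


def sweep(lines, iocs):
    """Run scan_line over every line; returns [(line_no, kind, severity, value)]."""
    return [(i, *hit) for i, line in enumerate(lines) for hit in scan_line(line, iocs)]


if __name__ == "__main__":
    loaded = load_iocs(RAW_IOCS)
    print("rejected:", sorted(loaded["rejected"]))
    for line_no, kind, severity, value in sweep(CONSTRUCTED_LOGS, loaded):
        print(f"line {line_no}: {severity:6} {kind:7} {value}")
```

Hash comparison is case-insensitive because EDR products differ in how they print digests, and the zone tier catches the updates.gleeze.com query that the exact list would miss; whether that tier is worth the noise depends on how much legitimate dynamic DNS traffic the estate has.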
