Cryptojacking Campaign Exploits AI Chatbots to Target High-Performance PCs

Severity: High (Score: 71.0)

Sources: Bleepingcomputer, github.com, Feeds2.Feedburner, Kucoin, Cybersecuritynews

Published: 2026-05-27 · Updated: 2026-05-27

Keywords: chatbot, cryptojacking, campaign, recommendations, users, malware, sites

Severity indicators: ot, malware

Summary

Microsoft has reported a cryptojacking campaign that uses AI chatbot recommendations to steer users to malicious download sites posing as trusted software. It targets high-performance PC users, including gamers and hardware enthusiasts, by impersonating popular utilities such as CrystalDiskInfo and HWMonitor. The attackers use SEO poisoning so that their sites surface in the search results chatbots draw on, which causes the chatbots to relay the malicious links as recommendations; the links lead to phishing sites hosting the fake installers. Once run, the malware uses DLL side-loading and other evasion tactics to keep persistent control of the device. Microsoft Defender detects and blocks activity associated with the campaign, and Microsoft urges caution when relying on AI assistants for software recommendations. The campaign shows that a chatbot's answer inherits the trustworthiness of the web results it was built from and can be manipulated by the same poisoning that affects search engines. Organizations are advised to apply the mitigations listed under Recommended Response below.

Key Points:

  • AI chatbots are being manipulated into directing users to malicious software download sites.
  • The campaign targets high-performance PCs in order to maximize the GPU resources available for cryptomining.
  • Microsoft Defender has identified and blocked activity related to this campaign.

Detailed Analysis

**Impact**

High-performance PC users, including hardware enthusiasts and gamers, are targeted because their GPUs are valuable for cryptocurrency mining. The campaign primarily affects individual users worldwide; no geographic concentration has been reported. Compromised systems face unauthorized mining and, through the remote-access component, persistent access that could enable data theft, lateral movement, or ransomware deployment. Focusing on high-end PCs limits infection volume but raises the value of each compromised device.

**Technical Details**

Attackers combine SEO poisoning with AI chatbot result poisoning to steer users to phishing sites hosting malicious ZIP archives disguised as trusted utilities such as CrystalDiskInfo, HWMonitor, FurMark, and others. The malware uses DLL side-loading and process hollowing to run its mining code inside legitimate Windows processes and evade detection. Persistent access is maintained through an abused ScreenConnect remote management client. The miner monitors GPU usage and user activity, pauses mining while the user is active, and runs PowerShell commands to add antivirus exclusions. No CVEs are cited in the sources; the campaign relies on social engineering and living-off-the-land techniques rather than a software vulnerability. Indicators of compromise include the malicious domains reached through AI chatbot referrals and the ZIP archives carrying the mining payloads.

**Recommended Response**

Enable cloud-delivered protection and run Endpoint Detection and Response (EDR) in block mode. Apply attack surface reduction rules and monitor for ScreenConnect installations that were not deployed by IT. Restrict PowerShell execution and audit any exclusions added to antivirus configurations, since the malware adds its own. Advise users to download software only from the vendor's official site and to verify the link themselves rather than trusting a download URL suggested by an AI chatbot. Monitor for network traffic to newly registered domains and to the phishing sites associated with the campaign.
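The following triage script is an added example written for this page; it is not code from Microsoft's advisory or from any of the source articles. It turns the Technical Details and Recommended Response sections above into four host-level checks a responder can run on a suspected machine: enumerate Defender exclusions, find recent exclusion changes (Defender operational event 5007 and PowerShell script-block event 4104 mentioning Add-MpPreference), list installed ScreenConnect client services, and flag the DLL side-loading shape (a validly signed EXE sitting beside an unsigned DLL in a user-writable directory). It assumes Windows 10/11 with Microsoft Defender, an elevated PowerShell 5.1 or later session, and PowerShell script-block logging enabled; the function names and the 14-day lookback are the example's own choices. It does not embed any campaign indicators beyond what the page states (ScreenConnect abuse, exclusion additions, side-loaded DLLs from extracted fake-utility archives).

```powershell
# Added triage example (not from Microsoft's advisory or the source articles).
# Assumes: Windows 10/11 with Microsoft Defender, elevated PowerShell 5.1+,
# script-block logging enabled so event 4104 has content. Function names and
# the 14-day lookback are this example's own assumptions.

# 1. Current Defender exclusions. The campaign adds its own via PowerShell,
#    so any exclusion you did not deploy deliberately is a lead.
function Get-DefenderExclusionAudit {
    $pref = Get-MpPreference
    [PSCustomObject]@{
        Paths      = @($pref.ExclusionPath)
        Processes  = @($pref.ExclusionProcess)
        Extensions = @($pref.ExclusionExtension)
    }
}

# 2. How the exclusions got there: Defender logs configuration changes as
#    event 5007 (the message names the changed registry value, including
#    Exclusions\Paths etc.), and script-block logging records the actual
#    Add-MpPreference / Set-MpPreference call as event 4104.
function Get-ExclusionChangeEvents {
    param([int]$Days = 14)
    $since = (Get-Date).AddDays(-$Days)
    $cfg = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id = 5007; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' }
    $ps = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Add-MpPreference|Set-MpPreference' }
    [PSCustomObject]@{ DefenderConfigChanges = @($cfg); PowerShellCalls = @($ps) }
}

# 3. ScreenConnect clients. The legitimate client registers a service named
#    'ScreenConnect Client (<instance id>)'; any instance IT did not roll out
#    is suspect, and the binary path shows where it was dropped.
function Find-ScreenConnectClients {
    Get-Service | Where-Object { $_.Name -like 'ScreenConnect Client*' } |
        ForEach-Object {
            $svc = Get-CimInstance Win32_Service -Filter "Name='$($_.Name)'"
            [PSCustomObject]@{ Name = $_.Name; Status = $_.Status; Path = $svc.PathName }
        }
}

# 4. DLL side-loading candidates: a validly signed EXE (the real utility,
#    used as the loader) next to an unsigned DLL in a user-writable location,
#    which is what an extracted fake-utility ZIP looks like on disk.
function Find-SideLoadCandidates {
    param([string[]]$Roots = @("$env:USERPROFILE\Downloads", $env:TEMP, $env:LOCALAPPDATA))
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
            ForEach-Object {
                $exe    = $_
                $exeSig = Get-AuthenticodeSignature $exe.FullName
                if ($exeSig.Status -ne 'Valid') { return }   # unsigned EXE is a different finding
                Get-ChildItem -Path $exe.DirectoryName -Filter *.dll -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        $dllSig = Get-AuthenticodeSignature $_.FullName
                        if ($dllSig.Status -ne 'Valid') {
                            [PSCustomObject]@{
                                Exe       = $exe.FullName
                                ExeSigner = $exeSig.SignerCertificate.Subject
                                Dll       = $_.FullName
                                DllStatus = $dllSig.Status
                            }
                        }
                    }
            }
    }
}

'== Defender exclusions ==';                   Get-DefenderExclusionAudit | Format-List
'== Exclusion-related events (last 14 days) =='; Get-ExclusionChangeEvents | Format-List
'== ScreenConnect client services ==';         Find-ScreenConnectClients | Format-Table -AutoSize
'== DLL side-loading candidates ==';           Find-SideLoadCandidates   | Format-Table -AutoSize
```

Run it elevated on the suspect host; a machine with no findings prints four empty sections. The side-loading check is deliberately narrow (signed EXE beside unsigned DLL) to keep noise down, so a DLL that is signed by a different publisher than the EXE is not flagged and should be reviewed manually if the directory is otherwise suspicious.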

Source articles (7)

  • Hackers Abuse AI Chatbot Recommendations to Push Malicious Software Download Links — Cybersecuritynews · 2026-05-27
    Hackers are finding new ways to trick people into downloading malware, and this time, they are hiding behind tools many of us have come to trust. A newly uncovered cryptojacking campaign is abusing AI…
  • AI chatbots help hackers target PC users with malicious downloads — Overclock3D · 2026-05-27
    Microsoft has confirmed that AI Chatbots are now serving malicious/fake downloads for trusted PC utilities like CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and…
  • Microsoft Warns of New Mining Malware Targeting High-Performance PC Users — Kucoin · 2026-05-27
    Microsoft has revealed that a new wave of cryptocurrency mining attacks is targeting high-performance computer users, particularly hardware enthusiasts and PC gamers. Unlike attacks that sought large-…
  • AI chatbot recommendations lure users to cryptojacking malware sites — Feeds2.Feedburner · 2026-05-27
    Cybercriminals are using AI chatbot interactions alongside poisoned results to direct users to malicious download sites in an active cryptojacking campaign, Microsoft has warned. The campaign imperson…
  • GPU mining malware spreads via SEO poisoning, AI chatbots — Bleepingcomputer · 2026-05-27
    Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommend…
  • Microsoft Defender — www.microsoft.com · 2026-05-27
  • Simple Run PE Process Hollowing — github.com · 2026-05-27

Timeline

  • 2026-05-27 — Microsoft warns of AI chatbot exploitation: Microsoft revealed that AI chatbots are being used to redirect users to malicious download sites for cryptojacking.
  • 2026-05-27 — Malware impersonates trusted software: The cryptojacking campaign impersonates legitimate tools like CrystalDiskInfo and HWMonitor to deceive users.
  • 2026-05-27 — Microsoft Defender detects cryptojacking activity: Microsoft Defender has identified and blocked activities associated with the ongoing cryptojacking campaign.

Related entities

  • Data Breach (Attack Type)
  • Malware (Attack Type)
  • Ransomware (Attack Type)
  • Cryptojacking Campaign (Campaign)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • gleeze.com (Domain)
  • T1021 - Remote Services (Mitre Attack)
  • T1036 - Masquerading (Mitre Attack)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1055.012 - Process Hollowing (Mitre Attack)
  • T1055 - Process Injection (Mitre Attack)
  • T1059.001 - PowerShell (Mitre Attack)
  • T1218.011 - Rundll32 (Mitre Attack)
  • T1218 - System Binary Proxy Execution (Mitre Attack)
  • T1497 - Virtualization/Sandbox Evasion (Mitre Attack)
  • T1547 - Boot Or Logon Autostart Execution (Mitre Attack)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • AI Chatbot (Platform)
  • Windows (Platform)
  • CrystalDiskInfo (Tool)
  • Display Driver Uninstaller (Tool)
  • FurMark (Tool)
  • HWMonitor (Tool)
  • K-Lite Codec Pack (Tool)
  • PDFgear (Tool)
  • PowerShell (Tool)
  • ScreenConnect (Tool)