
Cryptojacking Malware Exploits AI Chatbots and SEO Poisoning

Severity: High (Score: 69.0)

Sources: Bleepingcomputer, socprime.com, www.helpnetsecurity.com, Kucoin, www.microsoft.com

Published: 2026-05-27 · Updated: 2026-05-28

Keywords: chatbot, cryptojacking, campaign, recommendations, users, malware, sites

Severity indicators: ot, malware

Summary

A new cryptojacking campaign is targeting high-performance PC users through malicious downloads disguised as trusted utilities. Attackers leverage SEO poisoning and AI chatbot manipulation to direct users to fake download sites for software like CrystalDiskInfo and HWMonitor. Once downloaded, the malware establishes persistent access using the legitimate remote management tool ScreenConnect, allowing for potential data theft and further exploitation. Microsoft has confirmed the campaign's existence and noted that it focuses on systems with high GPU capabilities to maximize mining output. The malware employs DLL sideloading and process hollowing techniques to evade detection. This campaign highlights the vulnerabilities in AI chatbot recommendations and the ease with which they can be manipulated. Users are advised to avoid relying on AI for software downloads and to verify sources manually. Microsoft Defender has implemented measures to detect and block associated threats.

Key Points:

  • Attackers exploit AI chatbots and SEO poisoning to distribute cryptojacking malware.
  • Malware targets high-performance PCs by impersonating trusted software utilities.
  • Persistent access is established via ScreenConnect, enabling further exploitation.

Detailed Analysis

**Impact**

The campaign targets users with high-performance Windows PCs, particularly hardware enthusiasts and gamers, to maximize GPU mining efficiency. Victims are primarily located in regions with significant PC gaming and hardware enthusiast populations, though exact geographic distribution is unspecified. Infected systems experience degraded performance, increased power consumption, and risk of further compromise through persistent remote access. Beyond cryptojacking, attackers may conduct data theft, lateral movement, or ransomware deployment via established ScreenConnect sessions.

**Technical Details**

Attackers use SEO poisoning and AI chatbot manipulation to redirect users searching for utilities like CrystalDiskInfo, HWMonitor, and FurMark to malicious domains (e.g., subdomains of gleeze[.]com). Infection begins with downloading ZIP archives containing legitimate executables and malicious DLLs that sideload via DLL hijacking. The malware deploys ScreenConnect for persistent remote access and uses a custom RunPE dropper (SimpleRunPE.exe) to hollow Microsoft-signed .NET binaries (e.g., InstallUtil.exe, RegAsm.exe) to inject mining code. Mining tools include gminer, lolMiner, and SRBMiner-MULTI, activated only during idle periods on compatible GPUs. Persistence is maintained through scheduled tasks, registry run keys, startup shortcuts, and Defender exclusion lists. Anti-analysis checks terminate execution in virtualized or debug environments. Command-and-control communication occurs over WebSocket with pinned TLS certificates.

**Recommended Response**

Enable cloud-delivered protection and run endpoint detection and response (EDR) in block mode. Enforce attack surface reduction rules and block executables that fail reputation or prevalence checks. Disable or tightly control remote management tools like ScreenConnect, monitoring for unauthorized scheduled tasks and registry entries. Remove any unauthorized Windows Defender exclusions and block identified malicious domains (e.g., minemine.gleeze.com) and IP addresses. Isolate and remediate hosts running RuntimeHost.exe or SimpleRunPE.exe from hidden directories, terminating related ScreenConnect sessions and removing persistence mechanisms. Monitor for mining binaries and suspicious PowerShell activity.
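The PowerShell triage script below is an added example, not code from Microsoft, Microsoft Defender, or any of the source articles. It is read-only: it gathers, on one Windows host, the artefacts the Technical Details and Recommended Response sections name (Defender exclusions, Run/RunOnce keys, scheduled tasks, startup shortcuts, ScreenConnect services and processes, running copies of the hollowing targets InstallUtil.exe/RegAsm.exe with their parent, binaries executing from hidden directories, and DNS-cache hits under the named domains) and prints them for an analyst to review. The file names, binaries and domains are those on this page; the miner name substrings, the hidden-directory heuristic and the finding categories are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added triage example (not Microsoft's or any source article's code). Read-only: collects
# the host artefacts named in the analysis above for an analyst to review.
# Names from the page: RuntimeHost.exe, SimpleRunPE.exe, InstallUtil.exe, RegAsm.exe,
# ScreenConnect, gleeze.com / giize.com. Assumed: the miner substrings and the hidden-dir check.

$SuspectPatterns = @('RuntimeHost.exe', 'SimpleRunPE.exe', 'gminer', 'lolMiner', 'SRBMiner')
$HollowTargets   = @('InstallUtil.exe', 'RegAsm.exe')
$BadDomainTails  = @('gleeze.com', 'giize.com')

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Category, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}
function Test-SuspectPath([string]$Text) {
    # Case-insensitive substring match of any suspect name in a path or command line
    if ([string]::IsNullOrWhiteSpace($Text)) { return $false }
    foreach ($m in $SuspectPatterns) { if ($Text -match [regex]::Escape($m)) { return $true } }
    return $false
}
function Test-HiddenAncestor([string]$Path) {
    # True when the file or any directory above it carries the Hidden attribute
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    try { $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop } catch { return $false }
    while ($null -ne $item) {
        if ($item.Attributes.HasFlag([IO.FileAttributes]::Hidden)) { return $true }
        $item = if ($item -is [IO.DirectoryInfo]) { $item.Parent } else { $item.Directory }
    }
    return $false
}

# 1. Defender exclusions: the campaign adds its own, so every entry deserves review
$mp = Get-MpPreference
foreach ($e in $mp.ExclusionPath)    { Add-Finding 'DefenderExclusion:Path'    $e }
foreach ($e in $mp.ExclusionProcess) { Add-Finding 'DefenderExclusion:Process' $e }

# 2. Running processes: suspect names, hollowing targets with their parent,
#    anything executing from a hidden directory, and ScreenConnect itself
$procs = Get-CimInstance Win32_Process
foreach ($p in $procs) {
    $exe = $p.ExecutablePath
    if ((Test-SuspectPath $exe) -or (Test-SuspectPath $p.CommandLine)) {
        Add-Finding 'Process:SuspectName' "pid $($p.ProcessId): $($p.CommandLine)"
    }
    if ($HollowTargets -contains $p.Name) {
        $parent = $procs | Where-Object ProcessId -EQ $p.ParentProcessId
        Add-Finding 'Process:HollowTarget' "$($p.Name) pid $($p.ProcessId), parent $($parent.Name): $($parent.CommandLine)"
    }
    if (Test-HiddenAncestor $exe) { Add-Finding 'Process:HiddenDirectory' "pid $($p.ProcessId): $exe" }
    if ($p.Name -like 'ScreenConnect*') { Add-Finding 'RemoteAccess:Process' "pid $($p.ProcessId): $exe" }
}

# 3. Scheduled tasks whose action launches a suspect binary
foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        if ((Test-SuspectPath $a.Execute) -or (Test-SuspectPath $a.Arguments)) {
            Add-Finding 'Persistence:ScheduledTask' "$($t.TaskPath)$($t.TaskName) -> $($a.Execute) $($a.Arguments)"
        }
    }
}

# 4. Run / RunOnce keys in both hives
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($v in $props.PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath etc.
        if (Test-SuspectPath ([string]$v.Value)) { Add-Finding 'Persistence:RunKey' "$k\$($v.Name) = $($v.Value)" }
    }
}

# 5. Startup-folder shortcuts, resolved to their targets
$wsh = New-Object -ComObject WScript.Shell
$startupDirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
foreach ($lnk in Get-ChildItem -Path $startupDirs -Filter *.lnk -Force -ErrorAction SilentlyContinue) {
    $target = $wsh.CreateShortcut($lnk.FullName).TargetPath
    if ((Test-SuspectPath $target) -or (Test-HiddenAncestor $target)) {
        Add-Finding 'Persistence:StartupShortcut' "$($lnk.FullName) -> $target"
    }
}

# 6. ScreenConnect service registrations
foreach ($s in Get-Service | Where-Object { $_.Name -like '*ScreenConnect*' -or $_.DisplayName -like '*ScreenConnect*' }) {
    Add-Finding 'RemoteAccess:Service' "$($s.Name) [$($s.Status)]"
}

# 7. DNS cache entries under the domains named in the analysis
foreach ($d in Get-DnsClientCache -ErrorAction SilentlyContinue) {
    foreach ($tail in $BadDomainTails) {
        if ($d.Entry -eq $tail -or $d.Entry -like "*.$tail") { Add-Finding 'Network:DnsCache' "$($d.Entry) -> $($d.Data)" }
    }
}

if ($Findings.Count -eq 0) { Write-Host 'No indicators from this cluster found on this host.' }
else { $Findings | Sort-Object Category | Format-Table -AutoSize -Wrap }
```

Run it in an elevated PowerShell session on a host you suspect; it changes nothing, so the output can be attached to the incident record before the isolation and cleanup steps described above are carried out. Defender exclusions are listed in full rather than pattern-matched because an exclusion that was not deliberately configured is itself the finding, whatever path it names.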

Source articles (11)

  • Hackers Abuse AI Chatbot Recommendations to Push Malicious Software Download Links — Cybersecuritynews · 2026-05-27
    Hackers are finding new ways to trick people into downloading malware, and this time, they are hiding behind tools many of us have come to trust. A newly uncovered cryptojacking campaign is abusing AI…
  • AI chatbots help hackers target PC users with malicious downloads — Overclock3D · 2026-05-27
    Microsoft has confirmed that AI Chatbots are now serving malicious/fake downloads for trusted PC utilities like CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and…
  • Microsoft Warns of New Mining Malware Targeting High-Performance PC Users — Kucoin · 2026-05-27
    Microsoft has revealed that a new wave of cryptocurrency mining attacks is targeting high-performance computer users, particularly hardware enthusiasts and PC gamers. Unlike attacks that sought large-…
  • AI chatbot recommendations lure users to cryptojacking malware sites — Feeds2.Feedburner · 2026-05-27
    Cybercriminals are using AI chatbot interactions alongside poisoned results to direct users to malicious download sites in an active cryptojacking campaign, Microsoft has warned. The campaign imperson…
  • GPU mining malware spreads via SEO poisoning, AI chatbots — Bleepingcomputer · 2026-05-27
    Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommend…
  • GPU Mining Malware Targeting Windows Systems via SEO Poisoning and AI Chatbot ... — Rescana · 2026-05-28
    A new wave of cryptojacking attacks is leveraging both SEO poisoning and AI chatbot manipulation to distribute GPU mining malware at scale. This campaign, first observed in early 2026, targets users s…
  • SEO Poisoning Leads to ScreenConnect Cryptojacking — socprime.com · 2026-05-28
    This campaign uses SEO poisoning and manipulated AI chatbot results to lure users into downloading fake hardware-monitoring tools. The trojanized installers carry a malicious DLL that sideloads into a…
  • Microsoft warns AI chatbots are luring users to cryptojacking malware disguised as trusted ... — Tweaktown · 2026-05-28
    Microsoft has warned users of an active cryptojacking campaign that uses AI chatbots to serve malicious downloads disguised as trusted PC utilities. Microsoft Defender Experts and the Security Research T…
  • Simple Run PE Process Hollowing — github.com · 2026-05-27
  • AI chatbot recommendations lure users to cryptojacking malware sites — www.helpnetsecurity.com · 2026-05-28
  • Poisoned Search Results Gpu Mining Cryptojacking Campaign Abusing Screenconnect Microsoft Net Utilities — www.microsoft.com · 2026-05-28

Timeline

  • 2026-04-01 — Reports of AI chatbot manipulation emerge: Users began reporting that AI chatbots were directing them to malicious download sites for popular utilities.
  • 2026-05-27 — Microsoft confirms active cryptojacking campaign: Microsoft Defender Experts identified a campaign using AI chatbots to recommend malicious downloads, targeting high-performance PC users.
  • 2026-05-28 — Microsoft issues warnings about AI chatbot threats: Microsoft warns users about the risks of trusting AI chatbots for software downloads, highlighting the ongoing cryptojacking campaign.

Related entities

  • Data Breach (Attack Type)
  • Malware (Attack Type)
  • Ransomware (Attack Type)
  • Cryptojacking Campaign (Campaign)
  • CWE-200 - Exposure of Sensitive Information (Cwe)
  • direct-download.gleeze.com (Domain)
  • direct-downloads.giize.com (Domain)
  • free-download.giize.com (Domain)
  • gleeze.com (Domain)
  • minemine.gleeze.com (Domain)
  • rescana.com (Domain)
  • start-download.gleeze.com (Domain)
  • ws.to (Domain)
  • [email protected] (Email)
  • T1021 - Remote Services (Mitre Attack)
  • T1036 - Masquerading (Mitre Attack)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1053 - Scheduled Task/Job (Mitre Attack)
  • T1055.012 - Process Hollowing (Mitre Attack)
  • T1055 - Process Injection (Mitre Attack)
  • T1059.001 - PowerShell (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1218.011 - Rundll32 (Mitre Attack)
  • T1218 - System Binary Proxy Execution (Mitre Attack)
  • T1497 - Virtualization/Sandbox Evasion (Mitre Attack)
  • T1547 - Boot Or Logon Autostart Execution (Mitre Attack)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • T1574 - Hijack Execution Flow (Mitre Attack)
  • AI Chatbot (Platform)
  • Windows (Platform)
  • CrystalDiskInfo (Tool)
  • Display Driver Uninstaller (Tool)
  • FurMark (Tool)
  • HWMonitor (Tool)
  • K-Lite Codec Pack (Tool)
  • PDFgear (Tool)
  • PowerShell (Tool)
  • ScreenConnect (Tool)
  • SimpleRunPE (Tool)