Hackers Poison AI Chatbot Recommendations to Deliver Cryptojacking Malware
Microsoft uncovered a cryptojacking campaign that poisons LLM-based AI chatbot recommendations to steer users toward malicious download sites for popular utilities, deploying miners and remote access tools.
Microsoft has uncovered a sophisticated cryptojacking campaign that exploits AI chatbot recommendations to deliver malware, marking a significant evolution in social engineering tactics. The campaign, detailed by Microsoft Defender Experts and the Microsoft Defender Security Research Team, targets users searching for popular system utilities like CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, and K-Lite Codec Pack. By poisoning the responses of large language model (LLM)-based AI tools, attackers trick users into downloading malicious software from attacker-controlled domains.
The attack chain begins when a user asks an AI chatbot for a download recommendation. Instead of returning legitimate links, the chatbot surfaces URLs pointing to domains controlled by the threat actors. These domains host ZIP archives that appear to be legitimate software packages but contain a rogue DLL file named "autorun.dll." When the victim executes the real program, the DLL activates and deploys a second malicious file, "vcredist_x64.dll," which silently installs ScreenConnect for remote access.
Once ScreenConnect establishes a connection to an attacker-controlled server, it delivers a payload called "SimpleRunPE.exe." This binary creates Registry Run keys and scheduled tasks for persistence, configures Microsoft Defender exclusions to evade detection, and uses process hollowing to inject cryptocurrency mining code into a trusted Microsoft-signed binary. The malware supports three mining programs: gminer, lolMiner, and SRBMiner-MULTI, and specifically targets machines with high-performance GPUs to maximize mining value.
To remain stealthy, the malware monitors for tools like Task Manager, Process Hacker, and Process Explorer, immediately pausing mining activity when any of them are opened. Microsoft identified over 150 malicious domains associated with the campaign, most hosted through a dynamic DNS provider commonly used by threat actors. The researchers noted that while earlier stages relied on traditional search engine manipulation, by April 2026 the attackers had shifted to poisoning AI chatbot responses, a tactic Microsoft describes as "AI search result poisoning."
Microsoft recommends organizations enable cloud-delivered protection and run endpoint detection and response (EDR) in block mode to intercept threats even when antivirus signatures lag behind. Implementing attack surface reduction rules can help defend against the DLL sideloading and process injection techniques used in this campaign. For everyday users, the key takeaway is to verify software downloads through official vendor websites only, regardless of where a link comes from, including AI chatbot recommendations.
This campaign highlights a growing trend where attackers weaponize trusted AI tools to amplify the reach of social engineering attacks. As LLM-based assistants become more integrated into daily workflows, the potential for abuse will only increase. The shift from SEO poisoning to AI recommendation poisoning represents a natural evolution for threat actors seeking new vectors to distribute malware at scale.
Microsoft's latest report reveals the campaign has expanded to impersonate additional tools like FurMark, K-Lite Codec Pack, and PDFgear, and now uses over 150 domains since March 2026. The attack chain leverages DLL sideloading with nine autorun.dll variants and deploys miners via process hollowing under trusted Microsoft-signed binaries. The malware also monitors for forensic tools like Process Explorer and System Informer, terminating mining activity if detected.