Hackers Use Fake Utility Sites and AI Chatbots to Distribute ScreenConnect and Cryptojacking Malware
A sophisticated cryptojacking campaign is leveraging fake software download sites and AI chatbot recommendations to trick users into installing ScreenConnect for remote access and GPU miners.

Cybercriminals have launched a widespread cryptojacking campaign that preys on users searching for legitimate PC utilities online. The attackers have established over 150 counterfeit download websites designed to mimic trusted software portals, impersonating popular applications such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, and PDFgear. When unsuspecting users download what they believe to be legitimate software, they instead receive a ZIP archive containing the genuine utility alongside a malicious DLL file.
This campaign, detailed by Microsoft in late May 2026, specifically targets individuals likely to possess high-performance graphics cards, including gamers, hardware enthusiasts, and AI developers. The strategy is to maximize mining profits from each compromised machine. A particularly concerning development is the campaign's expansion into AI chatbot recommendations. In April 2026, researchers observed instances where AI chatbots provided users with links to attacker-controlled domains when asked for software download suggestions, blurring the lines of trust in AI-driven assistance.
Beyond the primary goal of cryptocurrency mining, the attackers also install ScreenConnect, a legitimate remote access tool, on compromised systems. This provides them with persistent remote access, opening the door for more severe malicious activities such as data theft, lateral movement within networks, and the deployment of ransomware. The campaign remains active, with its reach continually expanding.
The infection process begins when a user downloads and executes a seemingly legitimate utility installer. The provided ZIP file contains the authentic application along with a malicious file named autorun.dll. This DLL is loaded automatically when the legitimate program launches, using a technique known as DLL sideloading. This method is particularly insidious because it requires no software exploit and often operates without any visible indication to the user.
Once autorun.dll is active, it drops a second malicious file, vcredist_x64.dll, which functions as a packaged ScreenConnect installer. After ScreenConnect is successfully installed, the compromised machine establishes a connection to an attacker-controlled command-and-control server located at 193.42.11[.]108. From this remote access channel, the attackers deploy a dropper executable named SimpleRunPE.exe onto the victim's system.
SimpleRunPE.exe is responsible for establishing persistence by creating Registry Run keys and scheduled tasks. It also modifies security tool exclusions to evade detection and employs process hollowing to inject cryptocurrency mining code into a legitimate, Microsoft-signed binary. The campaign can deploy one of three GPU miners: gminer, lolMiner, or SRBMiner-MULTI. To further evade detection, the malware monitors for the presence of analysis tools like Windows Task Manager or Process Hacker, pausing mining operations if any are detected and resuming once they are closed.
The persistent access granted by ScreenConnect poses a significant long-term threat. Even if the mining software is identified and removed, the ScreenConnect backdoor may remain active, allowing attackers to regain access. Security teams are advised to monitor for unauthorized ScreenConnect sessions and installations. Additionally, unusual spikes in GPU usage on endpoints can serve as an early indicator of cryptojacking activity. Defenders should also set alerts for files like SimpleRunPE.exe and DLLs named autorun.dll or vcredist_x64.dll in unexpected locations, and block known malicious domains associated with the campaign.
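Detection logic for the indicators listed above, as an added example that is not part of the original article or of Microsoft's reporting. It runs over a constructed, Sysmon-style event list; the event schema, host names, sample paths and the "trusted install roots" rule (a DLL under Program Files or Windows is treated as expected, anywhere else as unexpected) are assumptions made for this example.

```python
from pathlib import PureWindowsPath

# File names and C2 address as reported in the write-up above.
IOC_FILES = {"autorun.dll", "vcredist_x64.dll", "simplerunpe.exe"}
IOC_C2 = "193.42.11.108"
# Assumption: only these roots count as expected locations for a dropped DLL.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")

def _name(path):
    return PureWindowsPath(path).name.lower()

def _in_trusted_root(path):
    return path.lower().startswith(TRUSTED_ROOTS)

def classify(event):
    """Return a reason string if the event matches a campaign indicator, else None."""
    kind = event["type"]
    if kind == "file_create":
        name = _name(event["target"])
        if name == "simplerunpe.exe":          # dropper written anywhere is suspect
            return "dropper written: " + event["target"]
        if name in IOC_FILES and not _in_trusted_root(event["target"]):
            return "sideload DLL in unexpected location: " + event["target"]
    elif kind == "image_load":                  # utility loading autorun.dll from a user-writable folder
        if _name(event["image"]) == "autorun.dll" and not _in_trusted_root(event["image"]):
            return f"{_name(event['process'])} sideloaded {event['image']}"
    elif kind == "registry_set":                # Run-key persistence pointing at the dropper
        if "\\currentversion\\run" in event["key"].lower() and "simplerunpe" in event["value"].lower():
            return "Run key persistence: " + event["value"]
    elif kind == "network_connect":             # any process reaching the reported C2 address
        if event["dst_ip"] == IOC_C2:
            return f"{_name(event['process'])} connected to known C2 {IOC_C2}"
    return None

def scan(events):
    """Return (host, reason) pairs for every event that matches an indicator."""
    return [(e["host"], r) for e in events if (r := classify(e))]

# Constructed sample telemetry (assumed schema): one clean host, one infected host.
SAMPLE_EVENTS = [
    {"host": "ws1", "type": "file_create", "target": r"C:\Program Files\HWMonitor\HWMonitor.exe"},
    {"host": "ws2", "type": "image_load", "process": r"C:\Users\bob\Downloads\CrystalDiskInfo\DiskInfo64.exe",
     "image": r"C:\Users\bob\Downloads\CrystalDiskInfo\autorun.dll"},
    {"host": "ws2", "type": "file_create", "target": r"C:\Users\bob\AppData\Local\Temp\vcredist_x64.dll"},
    {"host": "ws2", "type": "network_connect", "process": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "dst_ip": "193.42.11.108"},
    {"host": "ws2", "type": "file_create", "target": r"C:\Users\bob\AppData\Roaming\SimpleRunPE.exe"},
    {"host": "ws2", "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\bob\AppData\Roaming\SimpleRunPE.exe"},
]

if __name__ == "__main__":
    for host, reason in scan(SAMPLE_EVENTS):
        print(host, reason)
```

The GPU-usage spike mentioned above is a separate, performance-counter based signal and is not modelled here.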