VYPR research, published May 26, 2026 (1 source)

Microsoft Warns of Cryptojacking Campaign Using SEO Poisoning, AI Chatbots, and Abused ScreenConnect

Microsoft Defender Experts uncovered a targeted cryptojacking campaign that uses SEO poisoning and AI chatbot interactions to deliver malware disguised as system utilities, then abuses ScreenConnect for persistent remote access.

Microsoft Defender Experts have identified an active cryptojacking campaign that combines search engine poisoning, AI chatbot manipulation, and abuse of legitimate remote management tools to compromise systems with high-performance GPUs. The campaign, detailed in a May 26, 2026 blog post, targets users searching for popular system utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. Rather than maximizing infection volume, the threat actor focuses on compromising devices with higher cryptocurrency mining value, establishing persistent remote access through abused ScreenConnect (ConnectWise Control) deployments that could later enable data theft, lateral movement, or ransomware activity.

The attack chain begins when users search for these utilities on search engines or interact with AI chatbots. The operators run a coordinated SEO poisoning operation that surfaces attacker-controlled lookalike sites in search results. In April 2026, Microsoft observed reports indicating that users were also directed to malicious domains through interactions with large language model (LLM)-based tools. Analysis of VirusTotal scans associated with these domains identified traffic metadata referencing chatbot interactions as a potential referral context, representing an extension of traditional SEO poisoning beyond conventional search engines.

Each fake site presents a download button that claims to offer the legitimate utility. The download instead retrieves a ZIP archive hosted on a campaign-specific subdomain of gleeze.com, which is hosted on infrastructure associated with Dynu (dynu.com), a dynamic DNS provider frequently leveraged by threat actors. Since March 2026, Microsoft has identified more than 150 malicious domains serving these fake tools. The ZIP archive contains the legitimate executable for the spoofed utility alongside a malicious DLL named autorun.dll. When the user launches the executable, the legitimate program loads autorun.dll via DLL sideloading, a technique that requires no exploitation and generates no user-visible anomaly.

The malicious DLL uses msiexec.exe to silently install a second malicious DLL named vcredist_x64.dll, which is itself a packaged installer for ScreenConnect software. ScreenConnect (also known as ConnectWise Control) is a legitimate commercial remote management tool widely used by IT administrators. The tool itself is not at fault; rather, the threat actor abuses its legitimate capabilities to establish persistent remote access, consistent with a broader pattern of remote monitoring and management (RMM) tool abuse observed across the threat landscape. Once installed, the ScreenConnect client constantly attempts to communicate with the attacker-controlled server at 193.42.11[.]108.
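The three stages described above (autorun.dll beside a spoofed utility in the ZIP, msiexec.exe installing an MSI package carrying a .dll name, and the ScreenConnect client beaconing to 193.42.11[.]108) each leave a simple, checkable trace. The script below is an added detection example and is not code from Microsoft, Vypr or the ScreenConnect project. It inspects a ZIP archive for the sideloading layout and runs three rules over endpoint telemetry. The telemetry schema, the sample events, the `/i` and `/qn` msiexec switches, the ScreenConnect client process name and the destination port are all assumptions constructed for the example; only the file names and the C2 address come from the report.

```python
import io
import re
import zipfile
from pathlib import PureWindowsPath

# Indicators taken from the report summarised above.
SCREENCONNECT_C2 = "193.42.11.108"   # defanged in the article as 193.42.11[.]108
SIDELOAD_DLL = "autorun.dll"         # malicious DLL shipped beside the real utility


def find_sideload_pairs(archive_bytes: bytes) -> list[tuple[str, str]]:
    """Return (exe, dll) pairs where autorun.dll sits in the same archive
    directory as an .exe, the layout the campaign uses for DLL sideloading."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    by_dir: dict[str, list[str]] = {}
    for name in names:
        by_dir.setdefault(str(PureWindowsPath(name).parent).lower(), []).append(name)
    pairs = []
    for members in by_dir.values():
        dlls = [m for m in members if PureWindowsPath(m).name.lower() == SIDELOAD_DLL]
        exes = [m for m in members if m.lower().endswith(".exe")]
        pairs.extend((exe, dll) for dll in dlls for exe in exes)
    return pairs


def _tokens(cmdline: str) -> list[str]:
    # Split a Windows command line on whitespace, keeping quoted paths whole.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def detect(events: list[dict]) -> list[tuple[str, int]]:
    """Run three rules over constructed telemetry; return (rule, pid) alerts."""
    alerts = []
    for ev in events:
        image = PureWindowsPath(ev["image"])
        if ev["type"] == "imageload":
            # Rule 1: autorun.dll loaded from outside the Windows directory.
            if image.name.lower() == SIDELOAD_DLL and not str(image).lower().startswith("c:\\windows\\"):
                alerts.append(("autorun_dll_sideload", ev["pid"]))
        elif ev["type"] == "process":
            # Rule 2: msiexec.exe handed a package whose name ends in .dll.
            if image.name.lower() == "msiexec.exe" and any(
                t.lower().endswith(".dll") for t in _tokens(ev["cmdline"])
            ):
                alerts.append(("msiexec_dll_package", ev["pid"]))
        elif ev["type"] == "network":
            # Rule 3: any outbound connection to the reported C2 address.
            if ev["dst_ip"] == SCREENCONNECT_C2:
                alerts.append(("screenconnect_c2", ev["pid"]))
    return alerts


def build_sample_archive() -> bytes:
    """Constructed stand-in for the campaign's ZIP (placeholder bytes, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CrystalDiskInfo/CrystalDiskInfo.exe", b"MZ placeholder")
        zf.writestr("CrystalDiskInfo/autorun.dll", b"MZ placeholder")
        zf.writestr("CrystalDiskInfo/readme.txt", b"constructed sample")
    return buf.getvalue()


# Constructed telemetry; process names, switches and port are assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 1, "image": r"C:\Users\u\Downloads\CrystalDiskInfo\CrystalDiskInfo.exe",
     "cmdline": "CrystalDiskInfo.exe"},
    {"type": "imageload", "pid": 1, "image": r"C:\Users\u\Downloads\CrystalDiskInfo\autorun.dll"},
    {"type": "process", "pid": 2, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\u\AppData\Local\Temp\vcredist_x64.dll" /qn'},
    {"type": "network", "pid": 3, "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "dst_ip": "193.42.11.108", "dst_port": 443},
    # Benign noise: a normal MSI install and an ordinary DNS lookup.
    {"type": "process", "pid": 4, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\u\Downloads\7zip.msi"},
    {"type": "network", "pid": 5, "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    print(find_sideload_pairs(build_sample_archive()))
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 2 is the most generalisable of the three: msiexec.exe being passed a package that does not end in .msi is unusual regardless of which file name this particular campaign chose, whereas Rule 1 keys on a file name and Rule 3 on a single address, both of which an operator can rotate. In production the archive check would run on download telemetry before the user launches anything, and the network rule would be backed by a feed rather than one hard-coded IP.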

Beyond cryptocurrency mining, the campaign establishes persistent remote access that could later support data theft, lateral movement, or ransomware activity. Microsoft Defender detected and blocked activity associated with this campaign. The company advises organizations to enable cloud-delivered protection, run EDR in block mode, and enable attack surface reduction rules to reduce risk. The campaign highlights how threat actors are adapting social engineering and monetization strategies to modern user behavior, combining AI-assisted delivery, software impersonation, and persistent access.

This campaign represents a notable evolution in cryptojacking operations, which have traditionally favored volume over precision. By targeting users likely to own high-performance GPUs—such as PC enthusiasts and hardware-focused users—the operators maximize mining yield per compromised device. The use of AI chatbots as a delivery vector is particularly concerning, as it extends social engineering beyond conventional search results and increases the visibility of malicious software recommendations. Organizations should remain vigilant and implement the recommended mitigations to defend against this and similar threats.

Synthesized by Vypr AI