Executive Summary
A new wave of cryptojacking attacks is leveraging both SEO poisoning and AI chatbot manipulation to distribute GPU mining malware at scale. This campaign, first observed in early 2026, targets users searching for popular system utilities and those seeking software recommendations from AI chatbots. The attackers employ advanced social engineering, abuse legitimate remote management tools such as ScreenConnect (also known as ConnectWise Control), and utilize sophisticated evasion and persistence mechanisms. The malware is designed to hijack GPU resources for illicit cryptocurrency mining, resulting in significant performance degradation, increased power consumption, and potential exposure to further compromise. This report provides a comprehensive technical analysis of the campaign, its tactics, techniques, and procedures (TTPs), observed exploitation in the wild, victimology, and actionable mitigation strategies.
Threat Actor Profile
The campaign is attributed to financially motivated eCrime actors rather than a specific advanced persistent threat (APT) group. The threat actors demonstrate a high degree of operational maturity, leveraging infrastructure reuse, rapid domain generation, and the abuse of legitimate tools to maximize monetization while minimizing detection. Their primary objective is resource hijacking for cryptocurrency mining, but the persistent access established via ScreenConnect could facilitate future attacks, including data theft or ransomware deployment. The actors show a strong understanding of both search engine optimization (SEO) manipulation and the influence of AI-driven recommendation systems, indicating a multidisciplinary approach to initial access.
Technical Analysis of Malware/TTPs
The attack chain begins with SEO poisoning, where adversaries create malicious websites mimicking legitimate download portals for utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. These sites are engineered to rank highly in search results for queries like "download HWMonitor" or "latest CrystalDiskInfo." Simultaneously, the attackers exploit AI chatbots by influencing their training data or manipulating prompt responses, causing chatbots to recommend attacker-controlled domains as trusted download sources.
Upon visiting these sites, victims are prompted to download a ZIP archive containing both a legitimate utility executable and a malicious autorun.dll. The malware leverages DLL sideloading: when the user launches the utility, the malicious DLL is loaded into memory, initiating the infection chain. This DLL then silently installs a secondary payload, typically vcredist_x64.dll, which deploys ScreenConnect for persistent remote access.
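The sideloading pattern above (a DLL placed beside a legitimate EXE so the EXE loads it from its own directory) can be triaged before the utility is ever run. The script below is an added example written for this report, not code from Rescana, Microsoft or the cited sources; the only campaign-specific values it carries are the DLL names autorun.dll and vcredist_x64.dll quoted above. The directory path and the script name used in the usage note are assumptions.

```powershell
# Added example (not from the report): triage an extracted download folder for
# the DLL-sideloading pattern, i.e. a DLL sitting next to the utility EXE.
# Only the two DLL names below come from the report; everything else is
# this example's own convention.
param(
    [Parameter(Mandatory = $true)]
    [string]$ExtractedDir
)

# DLL names the report associates with this campaign; extend as IOCs are published.
$KnownBadDllNames = @('autorun.dll', 'vcredist_x64.dll')

$findings = @()
$exes = Get-ChildItem -Path $ExtractedDir -Recurse -Filter '*.exe' -File
foreach ($exe in $exes) {
    $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
    # A DLL in the EXE's own folder wins the loader search over the system copy
    # when the EXE imports it by name: that is the sideloading condition.
    $siblingDlls = Get-ChildItem -Path $exe.DirectoryName -Filter '*.dll' -File
    foreach ($dll in $siblingDlls) {
        $dllSig  = Get-AuthenticodeSignature -FilePath $dll.FullName
        $reasons = @()
        if ($KnownBadDllNames -contains $dll.Name.ToLower()) { $reasons += 'name matches reported IOC' }
        if ($dllSig.Status -ne 'Valid') { $reasons += "DLL signature status: $($dllSig.Status)" }
        # A validly signed utility shipping a DLL signed by someone else is unusual.
        if ($exeSig.Status -eq 'Valid' -and $dllSig.Status -eq 'Valid' -and
            $exeSig.SignerCertificate.Subject -ne $dllSig.SignerCertificate.Subject) {
            $reasons += 'DLL signer differs from EXE signer'
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Exe     = $exe.Name
                Dll     = $dll.Name
                Sha256  = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No sideload indicators under $ExtractedDir"
} else {
    # Hashes are printed so they can be checked against published IOC lists.
    $findings | Format-Table -AutoSize
}
```

Saved as, for instance, Find-SideloadRisk.ps1 (an assumed name), it is run as `.\Find-SideloadRisk.ps1 -ExtractedDir C:\Users\me\Downloads\HWMonitor`. The signature checks are deliberately conservative: an unsigned DLL beside a signed installer is not proof of compromise, but it is exactly the file a responder should hash and submit for analysis before the utility is launched.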
The next stage involves the delivery of a custom dropper, often based on the public SimpleRunPE process hollowing technique (see Watermwo/Simple-RunPE-Process-Hollowing). This dropper injects mining code into legitimate, Microsoft-signed .NET binaries such as InstallUtil.exe, RegAsm.exe, MSBuild.exe, and others. By hollowing these processes, the malware evades endpoint detection and response (EDR) solutions and blends into normal system activity.
The mining component is highly adaptive. It performs host reconnaissance, collecting CPU and GPU specifications, RAM, OS version, antivirus status, user activity, and network information. Mining binaries such as gminer, lolMiner, and SRBMiner-MULTI are downloaded on demand and executed only when the system is idle and a compatible GPU is detected. The malware adds itself and its components to Windows Defender exclusion lists and establishes persistence via scheduled tasks (e.g., "Windows System Health Monitor"), registry run keys, and startup folder shortcuts. It also features auto-repair routines to restore persistence and exclusion settings if tampered with.
Anti-analysis features include checks for virtual machines, debuggers, and common analysis tools. If such environments are detected, the malware terminates to avoid detection. Command and control (C2) communication is conducted over encrypted WebSocket channels (e.g., wss://minemine.gleeze[.]com:8443/ws), and infrastructure is rotated frequently to evade blacklisting.
Exploitation in the Wild
Between April and June 2026, multiple security vendors and community researchers observed a surge in infections traced to both poisoned search results and AI chatbot recommendations. Victims reported downloading what appeared to be legitimate utilities, only to experience unexplained GPU usage spikes, system slowdowns, and increased electricity bills. Analysis of telemetry data from VirusTotal, Microsoft Defender, and community honeypots confirmed that the majority of infections originated from domains such as direct-download[.]gleeze[.]com, start-download[.]gleeze[.]com, direct-downloads[.]giize[.]com, free-download[.]giize[.]com, and directdownload[.]icu.
The attackers abused ScreenConnect to maintain persistent access, allowing them to update payloads, deploy additional malware, or pivot to other systems within the victim's network. The mining payloads were observed connecting to various mining pools, with configuration files dynamically generated based on host capabilities. Public proof-of-concept code for process hollowing was adapted to inject miners into trusted Windows processes, further complicating detection and remediation.
Victimology and Targeting
The primary targets are individual users and organizations operating high-performance Windows systems equipped with discrete GPUs. This includes PC gaming enthusiasts, IT professionals, and small to medium-sized enterprises (SMEs) with less mature security postures. The campaign is global in scope, with infections reported across North America, Europe, and Asia. The use of AI chatbots as a distribution vector significantly broadens the attack surface, as users increasingly rely on these tools for software recommendations. There is no evidence of targeting based on industry vertical or geography; rather, the focus is on maximizing the number of infected systems with valuable GPU resources.
Mitigation and Countermeasures
Organizations and individuals should implement a multi-layered defense strategy to mitigate the risk posed by this campaign. Network and endpoint security teams must block the identified indicators of compromise (IOCs), including domains, IP addresses, and file hashes associated with the malware. Continuous monitoring for suspicious scheduled tasks, registry modifications, and unauthorized changes to Windows Defender exclusions is essential. Any use of ScreenConnect or similar remote management tools should be closely audited and restricted to authorized personnel only.
User awareness training should emphasize the risks of downloading software from search engine results or following links provided by AI chatbots. IT departments should maintain an allowlist of approved software sources and enforce application allowlisting where feasible. Endpoint protection solutions should be updated regularly, and advanced EDR capabilities should be used to detect process hollowing, DLL sideloading, and anomalous GPU usage.
Incident response teams should hunt for the presence of suspicious DLLs (e.g., autorun.dll, vcredist_x64.dll), unexpected scheduled tasks (such as "Windows System Health Monitor"), and unauthorized ScreenConnect installations. Forensic analysis of affected systems should include a review of startup folders, registry run keys, and Defender exclusion lists. If infection is suspected, isolate the system from the network, remove persistence mechanisms, and perform a full malware scan with updated signatures.
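The persistence mechanisms listed in the technical analysis (the "Windows System Health Monitor" scheduled task, registry run keys, startup folder shortcuts, Defender exclusions) and the hunting steps above can be covered by one read-only sweep of a host. The script below is an added example written for this report, not code from Rescana, Microsoft or the cited sources. The task name, DLL names, .NET binary names and the three C2/download domains are the values the report gives; the choice of "user-writable" path roots treated as suspicious, the output format and the Downloads-folder scope are this example's assumptions.

```powershell
# Added hunt script (not from the report): sweeps a Windows host for the
# persistence, exclusion, remote-access and network artifacts the report
# describes. Read-only; run from an elevated PowerShell session.
# IOC values come from the report; path heuristics are this example's assumption.

$IocDomains   = @('gleeze.com', 'giize.com', 'directdownload.icu')
$IocTaskName  = 'Windows System Health Monitor'
$IocDllNames  = @('autorun.dll', 'vcredist_x64.dll')
$LolBins      = @('InstallUtil.exe', 'RegAsm.exe', 'MSBuild.exe')
# Roots a system utility would not normally persist from (assumption, tune per estate).
$UserWritable = '(?i)\\(AppData|Temp|ProgramData|Downloads|Public)\\'

$hits = New-Object System.Collections.Generic.List[object]
function Add-Hit([string]$Category, [string]$Detail) {
    $hits.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Scheduled tasks: the reported name, or any task launching a .NET LOLBin
#    or a binary from a user-writable path.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        $bin = [System.IO.Path]::GetFileName("$($action.Execute)".Trim('"'))
        if ($task.TaskName -eq $IocTaskName -or $LolBins -contains $bin -or $cmd -match $UserWritable) {
            Add-Hit 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $cmd"
        }
    }
}

# 2. Registry run keys whose value points into a user-writable location.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a run value
        if ("$($p.Value)" -match $UserWritable) { Add-Hit 'RunKey' "$key\$($p.Name) = $($p.Value)" }
    }
}

# 3. Startup-folder shortcuts, resolved to their targets.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -match $UserWritable -or $LolBins -contains [System.IO.Path]::GetFileName($target)) {
            Add-Hit 'StartupShortcut' "$($_.FullName) -> $target"
        }
    }
}

# 4. Defender exclusions: the malware adds its own paths and processes here,
#    so every entry is listed for review.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    foreach ($e in @($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension)) {
        if ($e) { Add-Hit 'DefenderExclusion' $e }
    }
}

# 5. ScreenConnect client service on a host where remote management is not expected.
Get-Service -DisplayName 'ScreenConnect*' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Hit 'ScreenConnect' "$($_.DisplayName) [$($_.Status)]" }

# 6. .NET LOLBins holding outbound TCP connections, consistent with a hollowed miner.
$procById = @{}
Get-Process | ForEach-Object { $procById[$_.Id] = $_.ProcessName }
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    $name = $procById[$_.OwningProcess]
    if ($name -and ($LolBins -contains "$name.exe")) {
        Add-Hit 'LolBinNetwork' "$name (PID $($_.OwningProcess)) -> $($_.RemoteAddress):$($_.RemotePort)"
    }
}

# 7. DNS cache entries for the reported domains, and reported DLL names under Downloads.
Get-DnsClientCache -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($d in $IocDomains) { if ($_.Entry -like "*$d") { Add-Hit 'DnsCache' $_.Entry } }
}
Get-ChildItem -Path (Join-Path $env:USERPROFILE 'Downloads') -Recurse -Include $IocDllNames -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Hit 'IocDll' $_.FullName }

if ($hits.Count -eq 0) { 'No indicators found.' } else { $hits | Sort-Object Category | Format-Table -AutoSize -Wrap }
```

Each category is a lead, not a verdict: Defender exclusions and ScreenConnect services are legitimate on many managed hosts, which is why the script lists them for comparison against the organization's approved baseline rather than scoring them. A hit in category 6 (a .NET utility such as RegAsm.exe holding an established outbound connection) is the strongest single signal here and warrants isolating the host before the other findings are worked through.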
References
Microsoft Security Blog: From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
SOC Prime: SEO Poisoning Leads to ScreenConnect Cryptojacking
HelpNetSecurity: AI chatbot recommendations lure users to cryptojacking malware sites
GitHub: Watermwo/Simple-RunPE-Process-Hollowing
Reddit: r/SecOpsDaily - GPU mining malware spreads via SEO poisoning, AI chatbots
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify emerging threats and respond with confidence. For questions or further information, we are happy to assist at ops@rescana.com.