3 Sources
[1]
AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites
Microsoft has warned of an active cryptojacking campaign that makes use of artificial intelligence (AI) chatbot interactions as a mechanism for surfacing malicious download sites. "This emerging delivery technique extends social engineering beyond conventional search results and increases the visibility of malicious software recommendations," Microsoft Defender Experts and the Microsoft Defender Security Research Team said in a report published Tuesday. The activity, per the tech giant, impersonates legitimate system utilities like CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear, likely in an attempt to target users who own high-performance GPUs. The idea is to focus on compromising systems with higher mining value rather than indiscriminately infecting a large number of machines, it added. The goals of the campaign are not merely financially motivated. The threat actors have also been found to establish persistent remote access to compromised hosts through ScreenConnect deployments, which could then be leveraged for follow-on activity, such as data theft, lateral movement, or ransomware. The attack chain is more deliberate than other typical cryptocurrency mining efforts, strategically opting for endpoints that help maximize GPU mining yield per compromised device. The Windows maker said it detected and blocked activity associated with the campaign.

It all begins when users search for trusted system utilities and hardware-monitoring software on search engines, which surface malicious sites that have been gamed via techniques like search engine optimization (SEO) poisoning. Subsequent iterations observed in April 2026 indicate that users are being directed to these sites not through search engine results, but rather via interactions with large language model (LLM)-based tools.
"In these cases, users querying AI chatbots for software download recommendations were presented with links to attacker-controlled domains within generated responses," Microsoft said. "While this behavior is based on observed patterns and correlated data sources, it's consistent with emerging techniques in AI search result poisoning, representing an extension of traditional SEO poisoning beyond conventional search engines." Each of these sites contains a prominent download button that retrieves a ZIP archive from a campaign-specific subdomain of gleeze[.]com, which is hosted by infrastructure associated with Dynu, a dynamic DNS provider frequently used by threat actors. More than 150 malicious domains have been identified serving the malicious tools. The downloaded ZIP file contains a legitimate executable along with a rogue DLL ("autorun.dll") that's sideloaded when the binary is launched by the user. The DLL is designed to install a second malicious DLL named "vcredist_x64.dll" using "msiexec.exe." The file is a packaged installer for ScreenConnect software. Once ScreenConnect is installed, the client continuously attempts to establish contact with an attacker-controlled server located at "193.42.11[.]108." The ScreenConnect session then serves as a conduit for an executable called "SimpleRunPE.exe." The binary is responsible for establishing persistence on the host using Registry Run keys and scheduled tasks, configuring Microsoft Defender exclusions, running anti-analysis checks, and employing process hollowing to launch the mining code under a trusted Microsoft-signed binary. In select compromises, instead of relying on ScreenConnect's file transfer functionality to drop the binary, a PowerShell script is used to fetch the binary from a remote drive, store it locally as "vlc.exe" to fly under the radar, create a scheduled task to launch it, and then delete itself. 
The hollowed binary, for its part, communicates with the attacker's server, transmits extensive host information, downloads the appropriate miner archive at runtime, and executes it. Three miner programs are supported by the malware: gminer, lolMiner, and SRBMiner-MULTI. In addition, the binary recreates the persistence artifacts to ensure continued presence and re-configures Defender exclusions in the event they are removed. It also keeps an eye out for running processes, and proceeds to immediately terminate the miner if any of the following processes are detected -

"This combination of AI-assisted delivery, software impersonation, and persistent access highlights how threat actors are adapting social engineering and monetization strategies to modern user behavior," Microsoft said.

The disclosure comes days after Microsoft detailed how an unknown threat actor compromised an internet-facing F5 BIG-IP firewall appliance and abused trusted relationships to pivot to an internal Linux host, highlighting the continued exploitation of internet-facing edge appliances as initial access points. The Linux host, the company said, enabled the attacker to perform comprehensive reconnaissance and laterally move to a vulnerable Atlassian Confluence server, although attempts to execute remote code through unpatched security flaws in the software were unsuccessful. As a way of getting around these restrictions, the threat actor is said to have set up an FTP server on the initial Linux host using Python's ftplib module to transfer a custom scanning tool to the Confluence server and then obtained credentials for subsequent authentication against Windows infrastructure. This was followed by Kerberos relay attacks and the exploitation of CVE-2025-33073. "From there, the threat actor compromised a vulnerable SaaS application and leveraged its credentials to conduct relay-style authentication attacks against Active Directory," it said.
"In this incident, the threat actor authenticated to a Linux server over SSH using a privileged account. The threat actor maintained this level of access throughout the observed activity without establishing explicit persistence mechanisms, underscoring the risk posed by over-privileged identities with sudo rights." Earlier this month, Microsoft also shed light on another intrusion in which attackers abused trusted operational relationships and authentication processes to establish durable access, leveraging a compromised third-party IT services provider and legitimate IT management tools to orchestrate a covert campaign focused on long-term access and credential theft. "Third-party service providers and integrated management tools can become enforcement gaps when visibility is limited or validation is assumed. Threat actors understand this," Redmond said. "They leverage legitimate components, trusted update paths, and approved integrations to anchor themselves inside environments that appear compliant on the surface." "Defenders should adopt a posture of deliberate verification. Trust your vendors and tooling, but validate their behavior within your environment. Organizations operating in sensitive sectors should assume that threat actors with this level of tradecraft will continue refining third party abuse, credential interception, and stealthy persistence mechanisms to maintain strategic access."
[2]
GPU mining malware spreads via SEO poisoning, AI chatbots
Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommendations. The compromise occurs through malicious download pages for utility software typically installed by owners of powerful systems, like CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. Once a system is infected, the attacker gets persistent access on the machine by deploying the legitimate remote management ScreenConnect tool, which could later be used to install additional malware. Microsoft researchers discovered the campaign and determined that the attack begins when users look for one of the aforementioned utilities and are presented with malicious links boosted in search rankings through SEO poisoning. However, some reports in April indicated that users were directed to the malicious domains after interacting with AI-based assistants. "In these cases, users querying AI chatbots for software download recommendations were presented with links to attacker‑controlled domains within generated responses," Microsoft says. The malicious download is a ZIP archive hosted on a subdomain at gleeze[.]com, a domain that has been flagged in the past for being associated with phishing websites. According to Microsoft, the archive includes the legitimate executable for the legitimate utility as well as a malicious DLL that is automatically loaded when launching the benign binary. The researchers found that the DLL uses msiexec.exe to install vcredist_x64.dll, which is a package installer for the ScreenConnect remote access tool. After establishing a ScreenConnect session with the compromised client, the threat actor drops another binary named SimpleRunPE.exe that copies itself as RuntimeHost.exe into a folder hidden in Explorer. 
The purpose of the executable is to establish "six persistence mechanisms across multiple Windows autostart locations." In some cases, the binary is dropped via a malicious PowerShell script and is saved locally as vlc.exe, in an attempt to impersonate the executable for the popular VideoLAN multimedia player. Based on SimpleRunPE.exe's Program Database (PDB) path, the researchers believe that it is a fork of a public repository for demonstrating the process hollowing technique. The threat actor resorted to this technique for stealth and tried process hollowing into a legitimate .NET binary signed by Microsoft: InstallUtil.exe, RegAsm.exe, RegSvcs.exe, MSBuild.exe, AppLaunch.exe, AddInProcess.exe, aspnet_compiler.exe. For the same purpose, the malicious binary also invokes PowerShell to add its path and process to the exclusion list in Microsoft Defender. Additionally, the malware checks the environment for virtual machines and a set of 40 process names corresponding to analysis tools. If any are identified, the malware terminates its execution. Once the process hollowing stage completes and the malware runs inside a Microsoft-signed Windows utility, one of three mining modules is downloaded and executed. The supported mining programs are gminer, lolMiner, and SRBMiner-MULTI, all of them designed to use graphics processing units (GPUs). Microsoft says that this cryptocurrency campaign stands out for its "targeting and monetization strategy engineered from the ground up to maximize GPU mining yield per compromised device," instead of focusing on volume. Apart from the defenses provided by Microsoft's tools, organizations can protect their environments using the indicators of compromise included in the report.
[3]
'Threat actors are adapting social engineering and monetization strategies to modern user behavior': Microsoft warns AI chatbots may be sending victims to malicious websites -- so be on your guard when clicking
* Microsoft researchers observed cybercriminals adapting SEO poisoning tactics to AI platforms, tricking AI into recommending spoofed utility sites like HWMonitor and CrystalDiskInfo
* Victims who follow these AI-suggested links download malware via DLL sideloading, which installs ScreenConnect for attacker access and can lead to cryptojacking
* Defenders should treat AI recommendations with the same caution as search results, verifying links before downloading to avoid compromise

With the advent of AI, internet search habits among most users have drastically changed, with the way cybercriminals deliver malware to their victims also changing as a result. In the years before AI, crooks would use the "SEO poisoning" technique to trick search engines into showing malicious and fraudulent websites at the very top of search engine results pages. By leveraging the trust users had in these engines, crooks could expect the malware to be downloaded without much scrutiny. But now, AI tools are eating away at search engines' market share, with a new report from Microsoft finding threat actors found a way to trick AI into recommending fake and malicious links.

Dropping a cryptojacker

It's an interesting find, since most SEO experts still haven't cracked that code and since there is no "industry standard" on getting mentioned by the AI. In any case, Microsoft said it observed cybercriminals creating fraudulent websites spoofing popular PC utilities such as HWMonitor, or CrystalDiskInfo. They (somehow) get the AI to mention these websites to people asking about these tools and if people believe the AI, they end up downloading malware. The malware is loaded onto the device using the DLL sideloading technique which, in turn, installs ScreenConnect and grants the attackers direct access to the device. The miscreants would then profile the device, scan the network and, if they so decide, install a cryptojacker.

The cryptojacker then mines cryptocurrency for the attackers, earning them virtual coins as the victims are left with an unusable computer and an enormous electricity bill. "This combination of AI-assisted delivery, software impersonation, and persistent access highlights how threat actors are adapting social engineering and monetization strategies to modern user behavior," Microsoft said. To defend against these attacks, users should do the same things they do against SEO poisoning attacks - not trust the AI/search engine responses blindly.
Microsoft has uncovered a cryptojacking campaign where AI chatbots unknowingly direct users to malicious download sites. Threat actors manipulate AI recommendations to deliver GPU mining malware disguised as legitimate utilities like CrystalDiskInfo and HWMonitor. The attack establishes persistent remote access via ScreenConnect, enabling data theft and potential ransomware deployment.
Microsoft has identified an active cryptojacking malware campaign that exploits AI chatbots to redirect users toward malicious download sites [1]. This emerging delivery technique marks a significant shift in how threat actors are adapting social engineering strategies to modern user behavior. Instead of relying solely on traditional SEO poisoning, attackers now manipulate AI chatbot recommendations so that links to attacker-controlled domains appear within generated responses [2]. When users query AI chatbots for software download recommendations, they receive what appears to be legitimate guidance but are actually directed to malicious websites hosting cryptocurrency mining malware.
Source: Hacker News
The campaign specifically impersonates trusted system utilities including CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear, software typically installed by owners of high-performance GPUs [1]. Microsoft researchers determined this represents a deliberate targeting and monetization strategy engineered to maximize GPU mining yield per compromised device rather than indiscriminately infecting large numbers of machines [2]. More than 150 malicious domains have been identified serving these fake utilities; each site's download button retrieves a ZIP archive from a campaign-specific subdomain of gleeze[.]com, which is hosted on infrastructure associated with Dynu, a dynamic DNS provider frequently used by cybercriminals [1].
The malicious download sites contain prominent download buttons that retrieve ZIP archives containing both a legitimate executable and a rogue DLL (autorun.dll) that is sideloaded when the executable runs [2]. When users launch what appears to be legitimate software, the malicious DLL uses msiexec.exe to install a second file, vcredist_x64.dll, a packaged installer for the ScreenConnect remote access software, establishing persistent remote access to the compromised host [1]. This backdoor extends the threat beyond financial motivation, enabling follow-on activity such as data theft, lateral movement, or ransomware deployment. The malware employs evasion techniques including process hollowing into Microsoft-signed .NET binaries, configuring Microsoft Defender exclusions, and running anti-analysis checks for virtual machines and analysis tools [2].
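The delivery stage above hinges on two static facts about the downloaded archive: a loose DLL sits beside the legitimate EXE so it gets sideloaded, and the file named vcredist_x64.dll is not a DLL at all but an installer package handed to msiexec.exe. The following is an added example, not code from Microsoft's report or from any of the articles, showing how a download gateway or analyst could triage such a ZIP by content rather than by file name. The archive it inspects is constructed in memory to mimic the reported layout (the DiskInfo64.exe name is a stand-in for whatever legitimate binary the attackers bundle), and treating vcredist_x64.dll as an MSI package with the OLE compound-file signature is an assumption based only on the report's statement that it is installed via msiexec.exe.

```python
"""Static triage of a downloaded 'utility' ZIP for the sideloading layout described above.

Added example, not code from Microsoft's report or the articles. The archive is
constructed in memory to mimic the reported layout: a legitimate-looking EXE, an
autorun.dll beside it, and a vcredist_x64.dll that is really an installer package.
Treating that file as an MSI package (an OLE compound file) is an assumption drawn
from the report saying it is installed with msiexec.exe.
"""
import io
import zipfile

PE_MAGIC = b"MZ"                                    # EXE and DLL images start with "MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # MSI packages are OLE compound files
KNOWN_SIDELOAD_DLLS = {"autorun.dll", "vcredist_x64.dll"}  # names from the reporting


def classify(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "other"


def triage_zip(blob: bytes) -> list[tuple[str, str, str]]:
    """Return (severity, member path, reason) findings; an empty list means nothing flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        # Group members by directory so an EXE is compared with the DLLs next to it.
        by_dir: dict[str, dict[str, bytes]] = {}
        for info in zf.infolist():
            if info.is_dir():
                continue
            directory, _, base = info.filename.rpartition("/")
            by_dir.setdefault(directory, {})[base] = zf.read(info)

        for directory, files in by_dir.items():
            exes = [n for n in files if n.lower().endswith(".exe")]
            dlls = [n for n in files if n.lower().endswith(".dll")]
            for dll in dlls:
                path = f"{directory}/{dll}" if directory else dll
                kind = classify(files[dll])
                if kind != "pe":
                    # The campaign's trick: an installer package hiding behind a .dll name.
                    findings.append(("high", path, f"named .dll but content is {kind}, not a PE image"))
                if dll.lower() in KNOWN_SIDELOAD_DLLS:
                    findings.append(("medium", path, "file name matches a DLL reported in this campaign"))
            if exes and dlls:
                # An EXE shipped with loose DLLs beside it is the sideload-capable layout;
                # legitimate bundles do this too, so this finding is informational only.
                findings.append(("info", directory or ".", f"EXE {sorted(exes)} co-located with DLLs {sorted(dlls)}"))
    return findings


def build_sample_archive(malicious: bool) -> bytes:
    """Constructed sample archives (not real samples) for the demo and its test."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CrystalDiskInfo/DiskInfo64.exe", PE_MAGIC + b"\x90" * 62)
        zf.writestr("CrystalDiskInfo/readme.txt", b"benign text")
        if malicious:
            zf.writestr("CrystalDiskInfo/autorun.dll", PE_MAGIC + b"\x90" * 62)
            zf.writestr("CrystalDiskInfo/vcredist_x64.dll", OLE_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for severity, path, reason in triage_zip(build_sample_archive(malicious=True)):
        print(f"[{severity}] {path}: {reason}")
```

The name-based checks are only as good as the published indicators; the content check (a .dll whose bytes are not a PE image) survives a rename of the installer and is the one worth keeping in a gateway rule. In a real deployment the next step is to verify the Authenticode signature of every PE member, which the standard library cannot do and which this example therefore leaves out.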
While the campaign initially relied on SEO poisoning to boost malicious sites in search engine rankings, observations from April 2026 indicate a shift toward manipulating AI-based assistants [1]. Microsoft describes this as consistent with "AI search result poisoning," an extension of traditional SEO poisoning beyond conventional search engines [1]. The technique works because users tend to extend the same trust to AI chatbot recommendations that they previously gave to top search results, following the suggested links without further scrutiny [3]. Most SEO experts still haven't cracked the code on getting mentioned by AI platforms, yet threat actors have apparently found ways to game these systems [3].
Source: TechRadar
Once the malware has established itself through software impersonation and gained control via ScreenConnect, it profiles the compromised device and downloads one of three supported GPU mining programs: gminer, lolMiner, or SRBMiner-MULTI [2]. The binary maintains six persistence mechanisms across Windows autostart locations, including Registry Run keys and scheduled tasks, and recreates both those artifacts and its Defender exclusions if defenders remove them [2]. The malware also monitors running processes and immediately terminates the miner if it detects analysis tools [1]. Victims are left with unusable computers and large electricity bills while the cryptojacking operation mines cryptocurrency for the attackers [3].
Source: BleepingComputer
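The two preceding paragraphs describe post-compromise behaviour that leaves distinctive traces in endpoint telemetry: msiexec.exe being asked to install a package with a .dll name, autorun.dll loading from a user-writable directory, PowerShell adding Defender exclusions, a Microsoft-signed .NET utility being spawned by a binary in ProgramData and then talking to the network, a vlc.exe running outside VLC's install directory, and egress to the reported command-and-control infrastructure. The following is an added example, not code from Microsoft's report or from any of the articles, that encodes those observations as hunting rules and runs them over constructed events loosely shaped like Sysmon process-create, image-load and network-connect records. The indicators (autorun.dll, vcredist_x64.dll, RuntimeHost.exe, vlc.exe, the .NET hollowing hosts, gleeze[.]com subdomains and 193.42.11.108) come from the reporting; the event records, the use of Add-MpPreference as the exclusion cmdlet, the msiexec command line and the assumption that legitimate VLC lives under a VideoLAN directory are all assumptions made for the demo.

```python
"""Hunting rules for the post-compromise behaviour described above, run over constructed
events loosely shaped like Sysmon process-create, image-load and network-connect records.

Added example, not code from Microsoft's report or the articles. Indicators come from the
reporting; the sample events, the Add-MpPreference cmdlet (the report only says PowerShell
was used to add exclusions), the msiexec command line and the VideoLAN path are assumptions.
"""
import re
from typing import Iterable

HOLLOW_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "applaunch.exe", "addinprocess.exe", "aspnet_compiler.exe"}
C2_IPS = {"193.42.11.108"}
C2_DOMAIN_SUFFIX = ".gleeze.com"
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)
DLL_PACKAGE = re.compile(r'msiexec\.exe.*\s/i\s+"?[^"\s]+\.dll\b', re.I)  # /i <pkg>.dll
DEFENDER_EXCL = re.compile(r"add-mppreference.*-exclusion(path|process)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of the rules this single event triggers (empty list if none)."""
    hits = []
    kind = event["type"]
    if kind == "process":
        image, parent, cmd = event["image"], event.get("parent", ""), event.get("cmdline", "")
        if basename(image) == "msiexec.exe" and DLL_PACKAGE.search(cmd):
            hits.append("msiexec_installs_dll_named_package")
        if basename(image) in ("powershell.exe", "pwsh.exe") and DEFENDER_EXCL.search(cmd):
            hits.append("defender_exclusion_added")
        if basename(image) in HOLLOW_HOSTS and USER_WRITABLE.match(parent):
            hits.append("dotnet_utility_spawned_from_user_writable_parent")
        if basename(image) == "vlc.exe" and "\\videolan\\" not in image.lower():
            hits.append("vlc_named_binary_outside_install_dir")
    elif kind == "imageload":
        if basename(event["loaded"]) == "autorun.dll" and USER_WRITABLE.match(event["loaded"]):
            hits.append("autorun_dll_sideload_from_user_writable_dir")
    elif kind == "network":
        if event.get("dst_ip") in C2_IPS or event.get("dst_host", "").lower().endswith(C2_DOMAIN_SUFFIX):
            hits.append("known_c2_destination")
        if basename(event.get("image", "")) in HOLLOW_HOSTS:
            # A hollowed host talking to the network is the behaviour, not the IOC; keep it even
            # after the attacker rotates infrastructure.
            hits.append("dotnet_utility_network_egress")
    return hits


def hunt(events: Iterable[dict]) -> dict[str, list[str]]:
    """Map each triggered rule to the ids of the events that fired it."""
    report: dict[str, list[str]] = {}
    for ev in events:
        for rule in evaluate(ev):
            report.setdefault(rule, []).append(ev["id"])
    return report


# Constructed telemetry: the chain described above (e1-e6) plus two benign baselines (b1, b2).
SAMPLE_EVENTS = [
    {"id": "e1", "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Users\u\Downloads\CrystalDiskInfo\DiskInfo64.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\u\Downloads\CrystalDiskInfo\vcredist_x64.dll" /qn'},
    {"id": "e2", "type": "imageload", "image": r"C:\Users\u\Downloads\CrystalDiskInfo\DiskInfo64.exe",
     "loaded": r"C:\Users\u\Downloads\CrystalDiskInfo\autorun.dll"},
    {"id": "e3", "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\ProgramData\RuntimeHost.exe",
     "cmdline": r"powershell.exe -nop -c Add-MpPreference -ExclusionPath C:\ProgramData -ExclusionProcess RuntimeHost.exe"},
    {"id": "e4", "type": "process", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "parent": r"C:\ProgramData\RuntimeHost.exe", "cmdline": "RegAsm.exe"},
    {"id": "e5", "type": "network", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "dst_ip": "193.42.11.108", "dst_host": ""},
    {"id": "e6", "type": "process", "image": r"C:\Users\u\AppData\Local\Temp\vlc.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "vlc.exe"},
    {"id": "b1", "type": "process", "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "vlc.exe"},
    {"id": "b2", "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r'msiexec.exe /i "C:\Users\u\Downloads\tool.msi"'},
]

if __name__ == "__main__":
    for rule, ids in hunt(SAMPLE_EVENTS).items():
        print(f"{rule}: {', '.join(ids)}")
```

The rules split into two kinds. The ones keyed on names and addresses (autorun.dll, 193.42.11.108, gleeze.com) are cheap but expire the moment the operators rotate a file name or a host; the behavioural ones (a .dll passed to msiexec, a .NET utility spawned from ProgramData and then making outbound connections, exclusions added from a non-administrative parent) describe the technique and keep working across campaigns, at the cost of needing a baseline for the build servers and installers that legitimately do some of these things.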
This threat highlights how the attack surface shifts as user behavior moves from traditional search engines toward AI-powered assistants. Microsoft emphasized that the combination of AI-assisted delivery, software impersonation, and persistent access shows how social engineering tactics are evolving [1]. Defenders should treat AI recommendations with the same caution as search results, verifying links against the publisher's official download location before installing anything [3]. Organizations should monitor for the indicators of compromise included in Microsoft's report and implement defenses that account for this delivery vector. The campaign signals that as AI chatbots gain market share from traditional search engines, attackers will keep adapting their malicious download sites and poisoning techniques to exploit user trust in these new platforms.

Summarized by Navi