 Microsoft warns GPU mining malware is being spread to users through SEO poisoning and AI chatbots — cryptojacking campaign targets gamers and high-end PC users with downloads disguised as popular PC utilities
Microsoft has uncovered an ongoing cryptojacking campaign that used SEO poisoning and, in some observed cases, AI chatbot-generated software recommendations to lure users into downloading GPU mining malware disguised as popular PC utilities. According to a detailed threat report published Tuesday by Microsoft Defender Experts and the Microsoft Defender Security Research Team, the operation specifically targeted users who likely own high-performance graphics cards, including gamers, hardware enthusiasts, AI users, and overclockers.

The campaign impersonated widely used utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller (DDU), FurMark, K-Lite Codec Pack, and PDFgear. Victims searching for the software on traditional search engines — and, in some cases, via AI chatbot recommendations — were reportedly redirected to attacker-controlled download pages hosting malicious ZIP archives.

Microsoft says the attackers appear less interested in maximizing infection volume and more focused on compromising systems with powerful discrete GPUs suitable for profitable cryptocurrency mining. Once installed, the malware deployed persistent remote-access software using the legitimate ScreenConnect remote-management tool before silently loading GPU mining payloads such as lolMiner, gminer, and SRBMiner-MULTI.

The attack chain relied heavily on stealth techniques typically associated with more advanced malware operations. The downloaded archives bundled legitimate software installers alongside malicious DLLs that were automatically loaded through DLL sideloading.
From there, the malware established six separate persistence mechanisms, added Microsoft Defender exclusions, checked for virtual machines and security-analysis tools, and used process hollowing to inject mining code into trusted Microsoft-signed .NET utilities such as MSBuild.exe, InstallUtil.exe, and RegAsm.exe.

Perhaps the most unusual aspect of the campaign, however, is Microsoft's observation that some malicious domains may have surfaced through interactions with AI chatbots. According to the company, users requesting software download recommendations from large language model (LLM)-based assistants were, in some cases, presented with links to attacker-controlled domains embedded in generated responses. Microsoft stressed that the example was illustrative and "does not indicate a systemic issue with any specific AI service," but noted that the activity appears consistent with emerging AI-assisted search-poisoning techniques.

According to Microsoft's analysis, the operation has been active since at least March 2026 and involved more than 150 malicious domains masquerading as trusted utility-download portals. Many of the downloads were hosted on subdomains of gleeze.com, infrastructure linked to the Dynu dynamic DNS service, which has frequently been used in past phishing and malware campaigns.

The initial infection process itself was deceptively simple. Victims downloaded ZIP archives containing both the legitimate utility executable and a malicious DLL named autorun.dll.
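The bundle just described, a legitimate utility executable shipped beside a DLL it will load from its own folder, is something a defender can check for before the archive is ever extracted. The Python script below is an added example, not code from Microsoft or from this article: it lists a ZIP's contents, flags every executable that shares a directory with a DLL, and raises the severity when the DLL name is on a small watchlist. Only autorun.dll comes from the report; the other watchlist names, the DiskTool archive layout and the placeholder file bytes are constructed for the demo.

```python
"""Flag downloaded ZIP archives that pair an executable with a co-located DLL,
the DLL-sideloading bundle described above. Added example, not Microsoft's or
the article's code. The archives built below are constructed placeholders (no
real PE data), and the DLL names beyond autorun.dll are assumptions."""
import hashlib
import io
import posixpath
import zipfile
from dataclasses import dataclass

# autorun.dll is the name the report gives; the others are common
# application-local DLL names added here as an illustrative watchlist.
WATCHLIST_DLLS = {"autorun.dll", "version.dll", "dwmapi.dll", "userenv.dll"}


@dataclass
class Finding:
    executable: str
    dll: str
    dll_sha256: str   # for reputation / AV lookup before the archive is opened
    severity: str     # "high" for watchlist names, "low" otherwise


def scan_zip_bytes(data: bytes) -> list:
    """Return a Finding for every (exe, dll) pair that shares a directory.

    Any such pair is a sideloading candidate, because Windows resolves many
    DLL imports from the application's own directory before system copies;
    a DLL name on the watchlist raises the severity.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        by_dir = {}
        for info in zf.infolist():
            if not info.is_dir():
                by_dir.setdefault(posixpath.dirname(info.filename), []).append(info)
        for infos in by_dir.values():
            exes = [i for i in infos if i.filename.lower().endswith(".exe")]
            dlls = [i for i in infos if i.filename.lower().endswith(".dll")]
            for exe in exes:
                for dll in dlls:
                    name = posixpath.basename(dll.filename).lower()
                    digest = hashlib.sha256(zf.read(dll)).hexdigest()
                    sev = "high" if name in WATCHLIST_DLLS else "low"
                    findings.append(Finding(exe.filename, dll.filename, digest, sev))
    return findings


def build_demo_zip(files: dict) -> bytes:
    """Build an in-memory ZIP from {path: bytes}; used only to construct demo input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a utility installer shipped next to autorun.dll.
SUSPICIOUS_ZIP = build_demo_zip({
    "DiskTool/DiskTool.exe": b"MZ placeholder: legitimate installer bytes",
    "DiskTool/autorun.dll": b"MZ placeholder: sideloaded DLL bytes",
    "DiskTool/README.txt": b"constructed readme",
})
# Constructed sample: the same utility with no DLL beside it.
CLEAN_ZIP = build_demo_zip({
    "DiskTool/DiskTool.exe": b"MZ placeholder: legitimate installer bytes",
    "DiskTool/README.txt": b"constructed readme",
})


def worst_severity(findings) -> str:
    """Collapse a list of findings into one verdict: high, low, or none."""
    if any(f.severity == "high" for f in findings):
        return "high"
    return "low" if findings else "none"


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_ZIP), ("clean", CLEAN_ZIP)):
        found = scan_zip_bytes(blob)
        print(label, worst_severity(found))
        for f in found:
            print(f"  {f.executable} + {f.dll} [{f.severity}] sha256={f.dll_sha256[:16]}...")
```

A "low" finding on its own is common for legitimate installers, which is why the verdict is graded rather than binary; the hash is carried along so a real deployment can look the DLL up before deciding, and the script never executes anything from the archive.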
When the legitimate application launched, Windows automatically loaded the malicious DLL from the same directory via DLL sideloading — a long-standing Windows abuse technique that requires no software exploit and often produces no visible signs of compromise.

From there, the malware silently installed ScreenConnect, a legitimate enterprise remote-management platform also known as ConnectWise Control. Microsoft emphasized that ScreenConnect itself is not malicious, but rather is being abused by threat actors in the same way attackers increasingly misuse legitimate remote monitoring and management (RMM) tools to evade security scrutiny.

Once remote access was established, attackers deployed a binary called SimpleRunPE.exe, which Microsoft believes may partially derive from a publicly available GitHub proof-of-concept process hollowing project. The malware copied itself into hidden Windows directories as RuntimeHost.exe, created scheduled tasks and startup entries for persistence, and repeatedly re-added Microsoft Defender exclusions even if users or administrators attempted to remove them.

The malware also appeared engineered specifically to avoid detection by performance-conscious PC users. Microsoft says the miner monitored GPU utilization, system idle time, gaming activity, and streaming workloads, shutting down mining operations whenever heavy GPU activity was detected. In practice, this likely reduced obvious warning signs such as sudden frame-rate drops, overheating, or persistently loud GPU fans that might otherwise alert users to a compromise.

To further evade detection, the malware performed extensive anti-analysis checks before activating.
The software scanned systems for virtual-machine artifacts, debugging tools, reverse-engineering platforms, packet analyzers, and forensic utilities, including Wireshark, ProcMon, x64dbg, dnSpy, IDA, and Ghidra. If any such tools were detected, the malware terminated itself.

Microsoft says the malware's operators ultimately used the compromised systems to deploy one of several GPU-focused cryptocurrency miners, including lolMiner, gminer, and SRBMiner-MULTI. Rather than embedding the miners directly into the malware, the payload dynamically downloaded the most appropriate mining software after conducting extensive reconnaissance on the victim system, including GPU model, CPU specifications, installed antivirus software, memory configuration, and overall system activity.

The campaign highlights an alarming development in which attackers are now targeting not only search engines but also AI-assisted discovery systems. While traditional SEO poisoning has existed for years, the growing use of AI chatbots and LLM-powered assistants for software recommendations may be creating a new attack surface where malicious sites gain additional visibility through generated responses. Users need to be extra cautious, as even highly familiar utilities downloaded from seemingly convincing websites may carry hidden malware payloads, particularly when obtained through third-party mirrors or AI-provided links rather than official vendor pages.
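The post-infection behaviour the article describes (Defender exclusions that keep coming back, persistence entries pointing at a copy of the malware in a hidden directory, and mining code hollowed into signed .NET utilities such as MSBuild.exe) leaves host telemetry that can be correlated. The following Python is an added example, not Microsoft's code or its detection logic: it applies three rules per host to a stream of simplified event records. The event schema, the "expected parent" list for the .NET utilities, the user-writable path heuristic and the two sample hosts are all constructed for the demo; the ProgramData location used for RuntimeHost.exe is a placeholder, not a path from the report.

```python
"""Correlate simplified host telemetry for the persistence and defense-evasion
chain described above. Added example, not Microsoft's code or detection content.
The event schema (dicts with host/ts/type plus a few fields) and the sample
records are constructed for the demo; ts is epoch seconds."""
from collections import defaultdict

# Microsoft-signed .NET utilities the report names as process-hollowing hosts.
HOLLOW_HOSTS = {"msbuild.exe", "installutil.exe", "regasm.exe"}
# Parents that legitimately launch them (assumption for illustration).
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
# Path fragments marking user-writable locations where persistence targets and
# Defender exclusions are rarely legitimate (heuristic, matched case-insensitively).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
REAPPLY_WINDOW = 3600  # seconds; same exclusion re-added within this = tamper loop


def _alert(host, rule, detail):
    return {"host": host, "rule": rule, "detail": detail}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _user_writable(path):
    return any(frag in path.lower() for frag in USER_WRITABLE)


def check_exclusions(host, events):
    """Defender exclusions on user-writable paths, and the same exclusion being
    re-added shortly after (the report notes the malware re-adds removed ones)."""
    alerts, seen = [], defaultdict(list)
    for e in events:
        if e["type"] != "defender_exclusion_added":
            continue
        path = e["path"].lower()
        seen[path].append(e["ts"])
        if len(seen[path]) == 1 and _user_writable(path):
            alerts.append(_alert(host, "exclusion_user_writable", e["path"]))
        if len(seen[path]) == 2 and e["ts"] - seen[path][0] <= REAPPLY_WINDOW:
            alerts.append(_alert(host, "exclusion_reapplied", e["path"]))
    return alerts


def check_persistence(host, events):
    """Scheduled tasks or Run keys whose target lives in a user-writable directory."""
    return [
        _alert(host, "persistence_user_writable", e["command"])
        for e in events
        if e["type"] in ("scheduled_task_created", "run_key_set")
        and _user_writable(e["command"])
    ]


def check_hollow_hosts(host, events):
    """Signed .NET utilities started by something other than a build tool."""
    return [
        _alert(host, "lolbin_unexpected_parent", f'{e["image"]} <- {e["parent"]}')
        for e in events
        if e["type"] == "process_start"
        and _basename(e["image"]) in HOLLOW_HOSTS
        and _basename(e["parent"]) not in EXPECTED_PARENTS
    ]


def analyze(events):
    """Run every rule per host over time-ordered events; return alert dicts."""
    per_host = defaultdict(list)
    for e in events:
        per_host[e["host"]].append(e)
    alerts = []
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e["ts"])
        for rule in (check_exclusions, check_persistence, check_hollow_hosts):
            alerts.extend(rule(host, evs))
    return alerts


# Constructed sample telemetry: PC-1 shows the chain, PC-2 is a developer box.
SAMPLE_EVENTS = [
    {"host": "PC-1", "ts": 100, "type": "defender_exclusion_added",
     "path": r"C:\ProgramData\Microsoft\RuntimeHost"},
    {"host": "PC-1", "ts": 120, "type": "scheduled_task_created",
     "command": r"C:\ProgramData\Microsoft\RuntimeHost\RuntimeHost.exe"},
    {"host": "PC-1", "ts": 130, "type": "process_start",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\ProgramData\Microsoft\RuntimeHost\RuntimeHost.exe"},
    {"host": "PC-1", "ts": 700, "type": "defender_exclusion_added",
     "path": r"C:\ProgramData\Microsoft\RuntimeHost"},  # re-added after removal
    {"host": "PC-2", "ts": 200, "type": "defender_exclusion_added",
     "path": r"D:\Builds"},
    {"host": "PC-2", "ts": 210, "type": "process_start",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a["host"], a["rule"], a["detail"])
```

Each rule on its own is a weak signal (developers do add exclusions for build directories, and MSBuild.exe is launched from many places), which is why the sample keeps a clean developer host alongside the infected one: the value is in several rules firing on the same host within minutes, and a real deployment would feed these alerts into a per-host score rather than page on any single one.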

Etiido Uko, News Contributor. Etiido Uko is a news contributor for Tom's Hardware covering the latest updates in big tech and the PC industry. He is a mechanical engineer and senior technical writer with over nine years of experience in documentation and reporting. He is deeply passionate about all things engineering and technology, and is an expert in gadgets, manufacturing, robotics, automotive, and aerospace.
Originally published at tomshardware.com