Full Report
Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommendations. [...]
Analysis Summary
# Tool/Technique: GPU Cryptojacking via SEO & AI Poisoning
## Overview
This is a coordinated cryptojacking campaign that targets high-performance workstations (specifically those with powerful GPUs) by distributing malware through poisoned search engine results and manipulated AI chatbot recommendations. The campaign leverages legitimate remote management software for persistence and employs process hollowing to hide cryptocurrency miners.
## Technical Details
- **Type**: Malware family / Cryptojacker
- **Platform**: Windows
- **Capabilities**: SEO/AI poisoning, DLL side-loading, remote access (ScreenConnect), evasion (Defender exclusions, anti-analysis checks), process hollowing, and GPU-based cryptocurrency mining.
- **First Seen**: Reported May 2026 (campaign activity noted in April 2026).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1589 - Gather Victim Identity Information]
  - [T1566.002 - Phishing: Spearphishing Link (via SEO/AI Poisoning)]
- **[TA0003 - Persistence]**
  - [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder]
  - [T1219 - Remote Access Software]
- **[TA0005 - Defense Evasion]**
  - [T1574.002 - Hijack Execution Flow: DLL Side-Loading]
  - [T1056.004 - Process Hollowing]
  - [T1562.001 - Impair Defenses: Disable or Modify Tools]
  - [T1497.001 - Virtualization/Sandbox Evasion: System Checks]
- **[TA0040 - Impact]**
  - [T1496 - Resource Hijacking]
## Functionality
### Core Capabilities
- **Infection Vector**: Users downloading utilities (CrystalDiskInfo, HWMonitor, etc.) from sites boosted by SEO poisoning or recommended by AI chatbots.
- **DLL Side-Loading**: Using a legitimate executable to load a malicious DLL that initiates the infection via `msiexec.exe`.
- **Remote Access**: Installs a legitimate instance of **ScreenConnect** to provide the attacker with persistent remote management of the host.
- **Defender Exclusions**: Uses PowerShell to add file paths and processes to Microsoft Defender's exclusion list so the dropped components are not scanned.
### Advanced Features
- **Process Hollowing**: Utilizes a modified version of **SimpleRunPE** to inject malicious code into signed Microsoft binaries (e.g., `InstallUtil.exe`, `MSBuild.exe`).
- **Anti-Analysis**: Scans for 40 different process names associated with security analysis tools and checks for virtual machine environments.
- **GPU Optimization**: Specifically targets systems with high-end GPUs to deploy specialized miners like `gminer`, `lolMiner`, or `SRBMiner-MULTI`.
## Indicators of Compromise
- **File Names**:
  - `vcredist_x64.dll` (ScreenConnect installer)
  - `SimpleRunPE.exe`
  - `RuntimeHost.exe`
  - `vlc.exe` (malicious impersonation)
- **Network Indicators (Defanged)**:
  - `gleeze[.]com` (malicious hosting subdomain)
- **Behavioral Indicators**:
  - Unexpected execution of `msiexec.exe` following a utility download.
  - PowerShell commands adding Defender exclusions (`Add-MpPreference -ExclusionPath ...`).
  - High GPU utilization by legitimate-looking Windows processes (e.g., `RegAsm.exe`).
## Associated Threat Actors
- Unknown (Current research attributes this to a sophisticated campaign focusing on high-value GPU yields rather than infection volume).
## Detection Methods
- **Signature-based detection**: Scanning for the `SimpleRunPE` PDB strings and known hashes of the `gleeze[.]com` ZIP archives.
- **Behavioral detection**:
  - Monitoring for `msiexec.exe` spawning from common utility installers.
  - Identifying unauthorized ScreenConnect installations in environments where it is not a standard tool.
  - Detecting process hollowing attempts where signed Microsoft utilities (like `RegSvcs.exe`) initiate network connections to known mining pools.
## Mitigation Strategies
- **Endpoint Protection**: Ensure tamper protection is enabled to prevent PowerShell-based exclusion modifications.
- **Software Sourcing**: Enforce policies requiring software to be downloaded only from official vendor websites or verified enterprise repositories.
- **Application Whitelisting**: Use tools like AppLocker or Windows Defender Application Control (WDAC) to prevent the execution of unauthorized remote management tools.
- **Monitoring**: Audit the "Run" and "RunOnce" registry keys and the Startup folder for suspicious entries.
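The behavioral indicators and detection methods listed above, together with the Run/RunOnce auditing under **Monitoring**, can be expressed as one small rule set over process-creation, network-connection and registry events. The following is an added example written for this summary, not code from the original report or from any vendor product. It assumes a simplified Sysmon-like event shape (event IDs 1, 3 and 13 with the field names shown), every event in `SAMPLE_EVENTS` is constructed for illustration, and the mining-pool address and the ScreenConnect host allow-list are placeholders to be replaced with local data.

```python
"""Rule set over Sysmon-style events for the indicators in this summary.

Added example, not code from the original report. Event dicts use a
simplified stand-in for Sysmon EID 1 (process create), 3 (network
connection) and 13 (registry value set); the field names are assumptions.
"""
import re
from dataclasses import dataclass

# Signed Microsoft binaries the report names as process-hollowing hosts.
HOLLOWING_HOSTS = {"installutil.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe"}
# Utilities the report says were trojanised; their installer spawning msiexec is the trigger.
UTILITY_NAMES = ("crystaldiskinfo", "hwmonitor")
# Hosts where ScreenConnect is sanctioned (assumption: none in this environment).
SCREENCONNECT_ALLOWED_HOSTS: set[str] = set()
# Placeholder pool list: 203.0.113.10 is a documentation address, not a real pool.
KNOWN_POOL_ADDRESSES = {"203.0.113.10"}

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
DEFENDER_EXCL_RE = re.compile(
    r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[Alert]:
    """Return zero or more alerts for a single event."""
    out: list[Alert] = []
    host = ev.get("host", "?")
    eid = ev.get("event_id")
    if eid == 1:  # process creation
        image = _basename(ev.get("image", ""))
        parent = _basename(ev.get("parent_image", ""))
        cmd = ev.get("command_line", "")
        # msiexec launched by a downloaded hardware-utility installer
        if image == "msiexec.exe" and any(u in parent for u in UTILITY_NAMES):
            out.append(Alert("msiexec_from_utility", host, f"{parent} -> msiexec.exe"))
        # PowerShell adding Defender exclusions
        if DEFENDER_EXCL_RE.search(cmd):
            out.append(Alert("defender_exclusion_added", host, cmd))
        # ScreenConnect running on a host where it is not a sanctioned tool
        if "screenconnect" in image + cmd.lower() and host not in SCREENCONNECT_ALLOWED_HOSTS:
            out.append(Alert("unauthorized_screenconnect", host, image))
    elif eid == 3:  # network connection
        image = _basename(ev.get("image", ""))
        if image in HOLLOWING_HOSTS:
            dest = ev.get("dest_ip", "")
            # any outbound traffic from these binaries is unusual; a known pool is stronger
            rule = "hollow_host_to_known_pool" if dest in KNOWN_POOL_ADDRESSES else "hollow_host_network"
            out.append(Alert(rule, host, f"{image} -> {dest}:{ev.get('dest_port')}"))
    elif eid == 13:  # registry value set
        target = ev.get("target_object", "")
        if RUN_KEY_RE.search(target):
            out.append(Alert("run_key_persistence", host, f"{target} = {ev.get('details')}"))
    return out


def scan(events) -> list[Alert]:
    """Run every rule over an iterable of events, preserving event order."""
    return [alert for ev in events for alert in check_event(ev)]


# Constructed sample telemetry modelled on the report's chain (not real data).
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Users\analyst\Downloads\CrystalDiskInfo_Setup.exe",
     "command_line": "msiexec.exe /i payload.msi /qn"},
    {"host": "ws01", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": "powershell -c Add-MpPreference -ExclusionPath 'C:\\ProgramData\\RuntimeHost'"},
    {"host": "ws01", "event_id": 1,
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "command_line": "ScreenConnect.ClientService.exe"},
    {"host": "ws01", "event_id": 13,
     "target_object": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeHost",
     "details": r"C:\ProgramData\RuntimeHost\RuntimeHost.exe"},
    {"host": "ws01", "event_id": 3, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "dest_ip": "203.0.113.10", "dest_port": 3333},
    {"host": "ws02", "event_id": 1, "image": r"C:\Windows\notepad.exe",  # benign control
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The hollowing-host rule deliberately fires on any outbound connection from those binaries, not only on the placeholder pool list, because `RegAsm.exe`, `RegSvcs.exe` and `InstallUtil.exe` rarely need network access; on build servers where `MSBuild.exe` legitimately fetches packages, scope that rule to workstations or add the build hosts to an allow-list.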
## Related Tools/Techniques
- **Process Hollowing**: Commonly used in malware like Ryuk or Dridex.
- **SEO Poisoning**: Frequently used in Gootloader and SocGholish campaigns.
- **ScreenConnect Abuse**: Legitimate tool abuse common in ransomware and RAT-based operations.