Hackers are turning everyday software searches into a trap. A sophisticated cryptojacking campaign is actively targeting users who search for popular PC utilities online, luring them into downloading malware-laced files that secretly mine cryptocurrency using their own GPU.
The attackers have built a network of more than 150 fake download sites that closely mimic trusted utility portals. These sites impersonate well-known programs like CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear.
Anyone visiting one of these sites and clicking the download button ends up with a ZIP archive containing both the real software and a hidden malicious file. Analysts at Microsoft identified this campaign and published their findings in late May 2026.
Microsoft Defender Experts and the Microsoft Defender Security Research Team said in a report shared with Cyber Security News (CSN) that the campaign deliberately targets users who likely own high-performance graphics cards, including gamers, hardware enthusiasts, and AI developers.
The logic is calculated: infect fewer machines but squeeze maximum mining value out of each one. What makes this campaign especially alarming is that it has started reaching victims through AI chatbot responses.
In April 2026, researchers observed users receiving links to attacker-controlled domains directly from AI chatbot recommendations when asking for software download suggestions.
This marks a troubling shift beyond traditional search engine manipulation into a space many users consider more trustworthy.
Beyond the financial motive of cryptocurrency mining, the attackers also install ScreenConnect on compromised machines to maintain persistent remote access.
This opens the door to far more damaging follow-on activity, including data theft, lateral movement through corporate networks, and even ransomware deployment. The campaign is still active and its reach continues to grow.
Hackers Abuse Fake Utility Downloads
The infection starts the moment a user downloads and runs what looks like a legitimate utility installer.
The ZIP file contains the real application alongside a rogue file called autorun.dll, which the legitimate program loads automatically when it launches, a technique known as DLL sideloading.
This method requires no software exploit and often leaves no visible trace on the screen.
Once autorun.dll runs, it uses Windows Installer to drop a second malicious file named vcredist_x64.dll, which is a packaged ScreenConnect installer.
After ScreenConnect is in place, the infected machine connects to an attacker-controlled server at 193.42.11[.]108. Through this remote access channel, the attackers push an executable called SimpleRunPE.exe to the victim’s system.
SimpleRunPE.exe does the heavy lifting from there. It sets up persistence using Registry Run keys and scheduled tasks, adjusts security tool exclusions to stay hidden, and uses process hollowing to inject mining code into a trusted Microsoft-signed binary.
Three GPU miners can be deployed depending on the setup: gminer, lolMiner, and SRBMiner-MULTI.
The malware also watches for analysis tools like Windows Task Manager, Process Hacker, and Process Explorer. The moment it detects any of them running, it immediately pauses mining to avoid suspicion. Once those tools close, mining quietly resumes in the background.
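The pause-when-watched behaviour described above is itself a detectable signal: a GPU that is busy, goes idle the moment a process-inspection tool opens, and goes busy again when it closes does not look like a game or a render job. The following is an added example, not code from Microsoft's report or from any tool it names; it correlates constructed GPU utilization samples with constructed process start/stop events. The tool image names, the 80 % busy and 10 % idle thresholds, the 30-second comparison window and the 5-second sampling interval are all assumptions for the example.

```python
"""Detect analysis-aware GPU mining from constructed telemetry: sustained high
GPU utilization that drops to idle while a process-inspection tool is open and
resumes once it closes. Thresholds and tool names are assumptions for the example."""
from dataclasses import dataclass

# Tools the report says the malware watches for (image basenames assumed).
ANALYSIS_TOOLS = {"taskmgr.exe", "processhacker.exe", "procexp.exe", "procexp64.exe"}
HIGH_UTIL = 80.0      # percent; assumed "busy GPU" threshold
IDLE_UTIL = 10.0      # percent; assumed "idle GPU" threshold
MIN_SUSTAINED = 3     # consecutive busy samples before load counts as sustained
WINDOW = 30           # seconds compared on either side of the tool's lifetime

@dataclass(frozen=True)
class Sample:
    t: int            # seconds into the observation window
    util: float       # GPU utilization percent

@dataclass(frozen=True)
class ProcEvent:
    t: int
    image: str        # process image basename
    action: str       # "start" or "stop"

def tool_windows(events):
    """Return (start, stop) intervals during which an analysis tool was running."""
    open_at, windows = {}, []
    for ev in sorted(events, key=lambda e: e.t):
        name = ev.image.lower()
        if name not in ANALYSIS_TOOLS:
            continue
        if ev.action == "start":
            open_at[name] = ev.t
        elif ev.action == "stop" and name in open_at:
            windows.append((open_at.pop(name), ev.t))
    return windows

def mean_util(samples, lo, hi):
    """Mean utilization of the samples with lo <= t <= hi, or None if there are none."""
    vals = [s.util for s in samples if lo <= s.t <= hi]
    return sum(vals) / len(vals) if vals else None

def sustained_high(samples):
    """True once MIN_SUSTAINED consecutive samples are at or above HIGH_UTIL."""
    run = 0
    for s in samples:
        run = run + 1 if s.util >= HIGH_UTIL else 0
        if run >= MIN_SUSTAINED:
            return True
    return False

def analysis_aware_mining(samples, events):
    """Busy GPU before the tool opens, idle while it is open, busy again after it closes."""
    samples = sorted(samples, key=lambda s: s.t)
    if not sustained_high(samples):
        return False                      # no sustained load; nothing to correlate
    for start, stop in tool_windows(events):
        before = mean_util(samples, start - WINDOW, start - 1)
        during = mean_util(samples, start, stop)
        after = mean_util(samples, stop + 1, stop + WINDOW)
        if None in (before, during, after):
            continue                      # not enough samples around this window
        if before >= HIGH_UTIL and during <= IDLE_UTIL and after >= HIGH_UTIL:
            return True
    return False

# Constructed telemetry: 5-second GPU samples; Task Manager open from t=45 to t=80.
GPU_SAMPLES = ([Sample(t, 95.0) for t in range(0, 45, 5)]
               + [Sample(t, 2.0) for t in range(45, 85, 5)]
               + [Sample(t, 95.0) for t in range(85, 125, 5)])
PROC_EVENTS = [ProcEvent(45, "Taskmgr.exe", "start"), ProcEvent(80, "Taskmgr.exe", "stop")]

if __name__ == "__main__":
    print("analysis-aware mining suspected:", analysis_aware_mining(GPU_SAMPLES, PROC_EVENTS))
```

A legitimate workload keeps the GPU busy while Task Manager is open, so the same telemetry with no dip returns False; so does a host whose GPU was never under sustained load. In practice the samples would come from the endpoint agent's GPU counters and the events from process-creation and process-termination telemetry, joined on host.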
Persistent Access and What Defenders Should Do
The campaign’s use of ScreenConnect turns each compromised machine into a long-term foothold. Even if the mining software is detected and removed, the ScreenConnect backdoor may remain active, giving attackers a way back in.
Security teams should actively look for unauthorized ScreenConnect sessions and installations not approved by IT.
Microsoft recommends monitoring for unusual GPU usage spikes on desktops and servers as an early sign of unauthorized mining. Correlating web referrer data and endpoint telemetry can help teams connect the dots faster when investigating alerts.
Users should only download software directly from official vendor websites and treat any link suggested by an AI tool with the same skepticism they would apply to any search result.
Defenders should also set alerts for files like SimpleRunPE.exe and watch for DLLs named autorun.dll or vcredist_x64.dll appearing in unexpected directories.
Blocking known malicious domains and monitoring DNS traffic for gleeze[.]com subdomains can help cut off the campaign’s delivery infrastructure before a download occurs.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| IP Address | 193.42.11[.]108 | Attacker-controlled ScreenConnect C2 server |
| File Name | autorun.dll | Malicious DLL sideloaded via legitimate utility executable |
| File Name | vcredist_x64.dll | Second-stage DLL; packaged ScreenConnect installer |
| File Name | SimpleRunPE.exe | Dropper responsible for persistence, Defender exclusions, and process hollowing |
| File Name | vlc.exe | Disguised binary used in select infections (renamed mining dropper) |
| Domain | gleeze[.]com (subdomains) | Campaign-specific hosting infrastructure for malicious ZIP archives (via Dynu dynamic DNS) |
| Miner Tool | gminer | GPU cryptocurrency miner deployed as final payload |
| Miner Tool | lolMiner | GPU cryptocurrency miner deployed as final payload |
| Miner Tool | SRBMiner-MULTI | GPU cryptocurrency miner deployed as final payload |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
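To turn the hunting guidance in the section above and the IoC table into something that runs over telemetry, here is an added example (not code from Microsoft or from Cyber Security News) that matches constructed endpoint and DNS events against the table: any subdomain of gleeze[.]com in DNS queries, the C2 IP in outbound connections, the two DLL names loaded from outside an assumed set of vendor directories, the SimpleRunPE.exe dropper, the three miner names, and ScreenConnect client processes not marked as IT-approved. The pipe-separated event format, the `approved` field, the EXPECTED_DLL_DIRS allow-list and every path in the sample events are constructed for the example; the indicators stay defanged in the source and are re-fanged only at match time, as the note above asks.

```python
"""Match constructed endpoint and DNS telemetry against the IoCs from the report.

Event lines use a constructed, pipe-separated format: KIND|key=value|key=value
Kinds: dns (query), net (dst), load (process, image), proc (image, approved).
"""
from dataclasses import dataclass

def refang(ioc: str) -> str:
    """Turn the defanged form used in the report back into a matchable string."""
    return ioc.replace("[.]", ".")

# IoCs taken from the report's table (kept defanged in source, re-fanged for matching).
C2_IP = refang("193.42.11[.]108")
MALICIOUS_APEX = refang("gleeze[.]com")            # apex plus any subdomain
SIDELOADED_DLLS = {"autorun.dll", "vcredist_x64.dll"}
DROPPER_NAMES = {"simplerunpe.exe"}
MINER_STEMS = {"gminer", "lolminer", "srbminer-multi"}
# Assumption: directories where a vendor DLL would normally live. A DLL with
# one of the IoC names outside these is treated as "unexpected".
EXPECTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                     r"c:\program files", r"c:\program files (x86)")

@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str

def is_under_malicious_domain(name: str) -> bool:
    """True for the apex itself or any label under it, never for look-alikes."""
    name = name.rstrip(".").lower()
    return name == MALICIOUS_APEX or name.endswith("." + MALICIOUS_APEX)

def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def dll_in_unexpected_dir(path: str) -> bool:
    """True for an IoC-named DLL living outside the assumed vendor directories."""
    if basename(path) not in SIDELOADED_DLLS:
        return False
    return not path.lower().startswith(EXPECTED_DLL_DIRS)

def parse_event(line: str):
    kind, _, rest = line.partition("|")
    fields = dict(kv.split("=", 1) for kv in rest.split("|") if "=" in kv)
    return kind, fields

def triage(lines):
    """Return one Alert per event that matches an IoC or the unapproved-ScreenConnect rule."""
    alerts = []
    for line in lines:
        kind, f = parse_event(line)
        host = f.get("host", "?")
        if kind == "dns" and is_under_malicious_domain(f.get("query", "")):
            alerts.append(Alert("dns-gleeze-subdomain", host, f["query"]))
        elif kind == "net" and f.get("dst") == C2_IP:
            alerts.append(Alert("screenconnect-c2-ip", host, f["dst"]))
        elif kind == "load" and dll_in_unexpected_dir(f.get("image", "")):
            alerts.append(Alert("sideloaded-dll", host, f["image"]))
        elif kind == "proc":
            image = basename(f.get("image", ""))
            stem = image.rsplit(".", 1)[0]
            if image in DROPPER_NAMES:
                alerts.append(Alert("dropper", host, f["image"]))
            elif stem in MINER_STEMS:
                alerts.append(Alert("gpu-miner", host, f["image"]))
            elif "screenconnect" in image and f.get("approved", "no") != "yes":
                # Report guidance: hunt for ScreenConnect installs not approved by IT.
                alerts.append(Alert("unapproved-screenconnect", host, f["image"]))
    return alerts

# Constructed sample telemetry: one infected workstation plus an IT-approved helpdesk host.
SAMPLE_EVENTS = [
    r"dns|host=WS01|query=dl-crystaldiskinfo.gleeze.com",
    r"dns|host=WS01|query=www.example.org",
    r"load|host=WS01|process=C:\Users\alice\Downloads\CrystalDiskInfo\DiskInfo64.exe|image=C:\Users\alice\Downloads\CrystalDiskInfo\autorun.dll",
    r"load|host=WS01|process=C:\Windows\System32\svchost.exe|image=C:\Windows\System32\kernel32.dll",
    "net|host=WS01|dst=" + C2_IP + "|dport=443",
    r"proc|host=WS01|image=C:\ProgramData\SimpleRunPE.exe|approved=no",
    r"proc|host=WS01|image=C:\Users\alice\AppData\Local\Temp\lolMiner.exe|approved=no",
    r"proc|host=WS01|image=C:\Program Files (x86)\ScreenConnect Client (CONSTRUCTED)\ScreenConnect.ClientService.exe|approved=no",
    r"proc|host=HELPDESK02|image=C:\Program Files (x86)\ScreenConnect Client (CONSTRUCTED)\ScreenConnect.ClientService.exe|approved=yes",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Run as-is it prints six alerts for WS01 and nothing for HELPDESK02, whose ScreenConnect client is marked approved. The domain check deliberately matches only the apex and its subdomains, so a look-alike such as notgleeze.com is not flagged; the DLL check fires on the two IoC names anywhere outside the allow-listed directories, which is where a sideloaded copy next to a downloaded utility will sit.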