Microsoft Defender Experts have uncovered an active cryptojacking campaign in which malicious download sites are surfaced not only through traditional search engine poisoning, but also through AI chatbot interactions.
Threat actors are luring users to attacker-controlled lookalike download sites that impersonate trusted system utilities (CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear), specifically to target owners of high-performance GPUs.
Rather than pursuing broad-scale infections, this operation appears optimized to compromise fewer machines that yield higher GPU-mining returns, while also establishing persistent remote access via abused ScreenConnect deployments that could be repurposed for data theft, lateral movement, or ransomware.
The attack chain begins when users search for common utility or hardware-monitoring tools. SEO poisoning pushes manipulated results pointing to malicious domains.
In April 2026, Microsoft also observed instances where AI chatbots returned links to these attacker-controlled sites, effectively extending search-result manipulation into LLM-assisted interactions.
Analysis of VirusTotal metadata correlated some domain traffic to chatbot referrals, illustrating how AI-generated responses can be abused to increase malicious link visibility and social-engineer technically proficient users who seek GPU-oriented utilities.
Each malicious site offers a download that is a ZIP archive hosted on campaign-specific subdomains of gleeze.com, infrastructure tied to a dynamic DNS provider frequently abused by threat actors.
The archive contains the legitimate executable for the spoofed utility and a malicious DLL named autorun.dll. When the user runs the utility, DLL sideloading causes the legitimate binary to load autorun.dll without any visible anomaly.
Hackers Use Fake Utility Downloads
The autorun DLL then uses msiexec.exe to silently install a second payload masquerading as a Visual C++ redistributable (vcredist_x64.dll), which in reality deploys a ScreenConnect client configured to connect to attacker-controlled servers.
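As an added triage example (not code from the Microsoft report or this article), the following Python script inspects a downloaded archive for the layout described above: an executable shipped next to a DLL, in particular autorun.dll, and hashes every member against the autorun.dll SHA256 values from the IOC table below. The archive contents and the DiskInfo64.exe filename are constructed for the demonstration.

```python
import hashlib
import io
import zipfile

# autorun.dll SHA256 values taken from this report's IOC table.
AUTORUN_DLL_SHA256 = {
    "16562974deec80e41ef57a71a6de8c03ceb393005fb1432f8d9d82c61294ef8c",
    "1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5",
    "062bb28765fbaa11f8cc341fa16e2c7f942a122d929cb41f4a0f755b4429f246",
    "c7425fbe6c3a4937934215c54027d4b67202d12ab490682fae03498870d66d06",
    "a460d00ef93c8ce70d32e48e55781af66a53328fc2dde45519be196c265de074",
    "db2d33c4e6e4a5c2263b56e8303c343305a94dde1fc2968304ba260acbbd9f9f",
    "cf3f8160eb5a5580e0c35054847e3ac4d01e9fe74fab8bc12bf6e8a40bf696b2",
    "69077fcf940fc5852fb32beed15636756ebc04ac971b7ed71d36251e7ea70a20",
    "2ee93ccbcd49ed94c65dcf52e7dcb8f0fa0a443ca24c0e0c7f79152efba657b7",
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def _folder(path):
    return path.rsplit("/", 1)[0] if "/" in path else ""

def triage_zip(zip_bytes, known_bad=AUTORUN_DLL_SHA256):
    """Flag the sideloading layout used in this campaign (a DLL beside an EXE,
    especially autorun.dll) and match every member's SHA256 against known IOCs."""
    findings = {"sideload_pairs": [], "autorun_dll": [], "ioc_hits": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m.filename for m in zf.infolist() if not m.is_dir()]
        exes = [m for m in members if m.lower().endswith(".exe")]
        for name in members:
            digest = sha256_hex(zf.read(name))
            if digest in known_bad:
                findings["ioc_hits"].append((name, digest))
            if name.lower().endswith(".dll"):
                if name.lower().rsplit("/", 1)[-1] == "autorun.dll":
                    findings["autorun_dll"].append(name)
                # Any EXE in the same folder resolves a same-named DLL from there first.
                findings["sideload_pairs"] += [(e, name) for e in exes if _folder(e) == _folder(name)]
    return findings

def build_sample_zip():
    """Constructed archive mimicking the campaign layout; contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("CrystalDiskInfo/DiskInfo64.exe", b"MZ constructed exe")  # assumed EXE name
        zf.writestr("CrystalDiskInfo/autorun.dll", b"MZ constructed dll")
        zf.writestr("CrystalDiskInfo/readme.txt", b"constructed")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```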


ScreenConnect (ConnectWise Control) is a legitimate remote management tool; in this campaign it is abused to provide persistent, hidden remote access. Using ScreenConnect’s file-transfer feature, operators drop a SimpleRunPE binary that appears to be a fork of a public proof-of-concept process-hollowing project.
SimpleRunPE installs as RuntimeHost.exe in a hidden folder (campaign identifier D3F4E2A1), sets system/hidden attributes, and configures multiple persistence mechanisms (three scheduled tasks, two registry Run keys, and a Startup shortcut) to recover and maintain execution.
The dropper launches the chosen target binary in a suspended state and uses API calls such as WriteProcessMemory, SetThreadContext, and ResumeThread to hollow the process.

For defense evasion, the actor employs process hollowing into Microsoft-signed .NET utilities (InstallUtil.exe, RegAsm.exe, MSBuild.exe, and others) and registers Defender exclusions for paths and processes commonly associated with mining.
The malware performs extensive anti-analysis checks (VM detection, analyst-tool name checks) and leverages certificate pinning for its WebSocket C2 at wss[:]//minemine.gleeze[.]com:8443/ws.
Mining functionality is modular: the loader fetches GPU miners (gminer, lolMiner, SRBMiner-MULTI) at runtime and respects on-host GPU activity gates, pausing mining when user activity or GPU usage indicates interactive use, which minimizes the chance of the user noticing and maximizes profitability.
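An added hunting example, not part of the article or of Microsoft's guidance: it turns the behaviours described above (msiexec installing a .dll package, Run-key and scheduled-task persistence pointing at RuntimeHost.exe, Defender exclusion writes, .NET utilities launched from an unusual parent, and WebSocket traffic to a gleeze.com host on port 8443) into simple rules and runs them over constructed telemetry. The event schema, the expected-parent allowlist and the C:\ProgramData\D3F4E2A1 path are assumptions made for the example.

```python
import fnmatch
import ntpath

DOTNET_UTILITIES = {"installutil.exe", "regasm.exe", "msbuild.exe"}  # hollowing targets named in the report
EXPECTED_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}        # assumed benign launchers; tune per estate
RUN_KEYS = ("*\\microsoft\\windows\\currentversion\\run", "*\\microsoft\\windows\\currentversion\\runonce")
DEFENDER_EXCLUSIONS = "*\\microsoft\\windows defender\\exclusions\\*"

def base(path):
    return ntpath.basename(path or "").lower()

def hunt(ev):
    """Return the rule names that fire for one event. Constructed schema: kind in
    {process, registry, schtask, network} plus image/parent/cmdline, key/data, action, host/port."""
    hits, kind = [], ev.get("kind")
    if kind == "process":
        if base(ev["image"]) in DOTNET_UTILITIES and base(ev["parent"]) not in EXPECTED_PARENTS:
            hits.append("dotnet_utility_unusual_parent")   # candidate hollowed host process
        if base(ev["image"]) == "msiexec.exe" and ".dll" in ev["cmdline"].lower():
            hits.append("msiexec_installs_dll")             # vcredist_x64.dll stage
        if base(ev["image"]) == "runtimehost.exe":
            hits.append("runtimehost_execution")            # SimpleRunPE dropper name
    elif kind == "registry":
        key = ev["key"].lower()
        if any(fnmatch.fnmatch(key, p) for p in RUN_KEYS) and "runtimehost.exe" in ev["data"].lower():
            hits.append("run_key_runtimehost")
        if fnmatch.fnmatch(key, DEFENDER_EXCLUSIONS):
            hits.append("defender_exclusion_added")
    elif kind == "schtask" and "runtimehost.exe" in ev["action"].lower():
        hits.append("schtask_runtimehost")
    elif kind == "network" and ev["host"].lower().endswith(".gleeze.com") and ev["port"] == 8443:
        hits.append("dyndns_websocket_c2")
    return hits

# Constructed sample telemetry; the folder path is assumed, the report only names the D3F4E2A1 identifier.
DROP = "C:\\ProgramData\\D3F4E2A1\\RuntimeHost.exe"
SAMPLE_EVENTS = [
    {"kind": "process", "image": "C:\\Tools\\CrystalDiskInfo\\DiskInfo64.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": ""},
    {"kind": "process", "image": "C:\\Windows\\System32\\msiexec.exe", "parent": "C:\\Tools\\CrystalDiskInfo\\DiskInfo64.exe",
     "cmdline": "msiexec.exe /i C:\\Users\\u\\AppData\\Local\\Temp\\vcredist_x64.dll /qn"},
    {"kind": "registry", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths", "data": "C:\\ProgramData\\D3F4E2A1"},
    {"kind": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "data": DROP},
    {"kind": "schtask", "action": DROP},
    {"kind": "process", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe", "parent": DROP, "cmdline": "InstallUtil.exe"},
    {"kind": "network", "host": "minemine.gleeze.com", "port": 8443},
    {"kind": "process", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "parent": "C:\\VS\\devenv.exe", "cmdline": "MSBuild.exe app.csproj"},
]

def run_hunt(events=SAMPLE_EVENTS):
    """Map event index -> fired rules, omitting events with no hits."""
    return {i: hunt(e) for i, e in enumerate(events) if hunt(e)}

if __name__ == "__main__":
    for i, rules in run_hunt().items():
        print(i, rules)
```

The benign events (the utility started from Explorer, MSBuild started by Visual Studio) produce no hits, so the output shows which steps of the chain each rule covers.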
Microsoft’s telemetry ties the campaign to multiple IPs presenting the same TLS certificate and to over 150 malicious domains since March 2026.
Customers with cloud-delivered protection, EDR in block mode, and Attack Surface Reduction rules active saw successful mitigations.
Recommended mitigations include enabling cloud-delivered protection, turning on network protection and web protection, enforcing SmartScreen-capable browsers, and applying the ASR rule to block unknown executables.
Organizations should prioritize these controls and educate users to avoid downloads from unverified sources and to treat AI-provided links with the same skepticism as search results.
IOCs
| Indicator | Type | Description |
|---|---|---|
| direct-download[.]gleeze[.]com | Domain | Hosts malicious ZIP files |
| start-download[.]gleeze[.]com | Domain | Hosts malicious ZIP files |
| direct-downloads[.]giize[.]com | Domain | Hosts malicious ZIP files |
| free-download[.]giize[.]com | Domain | Hosts malicious ZIP files |
| directdownload[.]icu | Domain | Host that ScreenConnect client connects to |
| 16562974deec80e41ef57a71a6de8c03ceb393005fb1432f8d9d82c61294ef8c | SHA256 | autorun.dll loaded by legit EXE via DLL sideloading |
| 1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5 | SHA256 | autorun.dll loaded by legit EXE via DLL sideloading |
| 062bb28765fbaa11f8cc341fa16e2c7f942a122d929cb41f4a0f755b4429f246 | SHA256 | autorun.dll loaded by legit EXE via DLL sideloading |
| c7425fbe6c3a4937934215c54027d4b67202d12ab490682fae03498870d66d06 | SHA256 | autorun.dll loaded by legit EXE via DLL sideloading |
| a460d00ef93c8ce70d32e48e55781af66a53328fc2dde45519be196c265de074 | SHA256 | autorun.dll loaded by legit EXE via DLL sideloading |
| db2d33c4e6e4a5c2263b56e8303c343305a94dde1fc2968304ba260acbbd9f9f | SHA256 | autorun.dll loaded by legit EXE via DLL sideloading |
| cf3f8160eb5a5580e0c35054847e3ac4d01e9fe74fab8bc12bf6e8a40bf696b2 | SHA256 | autorun.dll loaded by legit EXE via DLL sideloading |
| 69077fcf940fc5852fb32beed15636756ebc04ac971b7ed71d36251e7ea70a20 | SHA256 | autorun.dll loaded by legit EXE via DLL sideloading |
| 2ee93ccbcd49ed94c65dcf52e7dcb8f0fa0a443ca24c0e0c7f79152efba657b7 | SHA256 | autorun.dll loaded by legit EXE via DLL sideloading |
| 193.42.11[.]108 | IP address | ScreenConnect client communicates with this attacker-controlled IP |
| 9ff07c9fafa9c03fdf69e4abf6806aa7c938b5480e7e258f227db0719ecd6386 | SHA256 | SimpleRunPE.exe binary transferred by the attacker to the device during established ScreenConnect session |
| 7035c2abeb617e828dfda1b119b8544fa9ae15a1d263d18bc5506acaf381f496 | SHA256 | SimpleRunPE.exe binary transferred by the attacker to the device during established ScreenConnect session |
| e021662a652ba95c8778b991056696ab3c9b0f60d5e23b1e6cf73c3847db6610 | SHA256 | ScreenConnect file masquerading as a DLL |
| wss[:]//minemine.gleeze[.]com:8443/ws | URL | C2 from hollowed binary |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.