Microsoft says AI chatbot recommendations were used to steer users to cryptojacking sites

Microsoft said on Tuesday that it has blocked an active cryptojacking campaign that used AI chatbot responses to direct users to malicious download sites posing as system utilities, with more than 150 domains identified in the operation.

KEY FACTS

  • Delivery method: Users searching for software were steered to attacker-controlled sites through search poisoning and AI chatbot recommendations.
  • Lure: The sites impersonated tools such as CrystalDiskInfo, HWMonitor, FurMark, K-Lite Codec Pack and PDFgear.
  • Infrastructure: The downloads came from campaign-specific subdomains of gleeze[.]com, and more than 150 malicious domains were identified.
  • Payload: The campaign installed ScreenConnect, then deployed mining software including gminer, lolMiner and SRBMiner-MULTI.
  • Defense: The malware checked for analysis tools and removed itself if Task Manager or forensic utilities were detected.

A technical analysis by Microsoft said the activity targeted users who were likely to have high-performance GPUs, suggesting the operators were focusing on systems with stronger mining value rather than broad infection.

The report said the attack chain began with a prominent download button that fetched a ZIP archive containing a legitimate executable and a rogue DLL. When launched, the DLL installed a second malicious file and set up ScreenConnect, which then tried to contact an attacker-controlled server.

Once established, the session was used to run a payload that created persistence through Registry Run keys and scheduled tasks, added Microsoft Defender exclusions and launched the mining code through process hollowing under a trusted Microsoft-signed binary. In some cases, a PowerShell script was used instead to fetch the payload, save it as vlc.exe and create a scheduled task before deleting itself.

The disclosure also said the campaign watched for security and analysis tools and would terminate the miner if it detected Task Manager, Process Hacker, Process Explorer or System Informer. Microsoft said the activity was detected and blocked.
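The persistence and masquerading artifacts described above (Defender exclusions, Run keys, scheduled tasks and a miner saved as vlc.exe) can be triaged on a Windows endpoint with a script like the following, an added example that is not part of Microsoft's report. It assumes the dropped binary keeps the name vlc.exe and does not live under the real VLC install path; the allow-list paths and the ScreenConnect process-name pattern are assumptions.

```powershell
# Added defender-side triage script (not from Microsoft's report). Run elevated.
# Assumption: the miner keeps the name vlc.exe outside the genuine VLC install path.
$LegitVlcPaths = @("$env:ProgramFiles\VideoLAN\VLC\vlc.exe",
                   "${env:ProgramFiles(x86)}\VideoLAN\VLC\vlc.exe")
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Defender exclusions: the payload added them to keep the miner out of sight.
$Pref = Get-MpPreference
foreach ($Kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($Item in $Pref.$Kind) {
        $Findings.Add("Defender $Kind exclusion present: $Item")
    }
}

# 2. Run keys (HKLM and HKCU) whose command launches vlc.exe from a non-VLC path.
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    $Names = ($Props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }).Name
    foreach ($Name in $Names) {
        $Cmd = [string]$Props.$Name
        $Legit = $LegitVlcPaths | Where-Object { $Cmd -like "*$_*" }
        if ($Cmd -match 'vlc\.exe' -and -not $Legit) {
            $Findings.Add("Run key ${Key}\${Name} launches suspicious command: $Cmd")
        }
    }
}

# 3. Scheduled tasks whose action executes vlc.exe from a non-standard location.
foreach ($Task in Get-ScheduledTask) {
    foreach ($Action in $Task.Actions) {
        $Exe = ([string]$Action.Execute).Trim('"')
        if ($Exe -match 'vlc\.exe' -and ($LegitVlcPaths -notcontains $Exe)) {
            $Findings.Add("Scheduled task '$($Task.TaskName)' runs $Exe $($Action.Arguments)")
        }
    }
}

# 4. Live processes: vlc.exe outside the install path, or a ScreenConnect client
#    (assumed process-name pattern) that should be confirmed as sanctioned.
foreach ($P in Get-Process -ErrorAction SilentlyContinue) {
    if ($P.Name -eq 'vlc' -and $P.Path -and ($LegitVlcPaths -notcontains $P.Path)) {
        $Findings.Add("Process vlc.exe (PID $($P.Id)) running from $($P.Path)")
    }
    if ($P.Name -like 'ScreenConnect*') {
        $Findings.Add("ScreenConnect process running (PID $($P.Id)); confirm it is sanctioned")
    }
}

if ($Findings.Count -eq 0) { 'No artifacts matching the campaign were found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Any hit is a lead for investigation, not proof of compromise: legitimate exclusions and sanctioned ScreenConnect deployments will also appear and should be reconciled against change records.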

WHY IT MATTERS

The campaign shows how attackers are adapting trusted software recommendations and AI-generated results to reach users who may not notice a fake download page. It also shows that cryptojacking operations can be paired with remote access tools, creating a path for broader compromise beyond mining alone.