Microsoft Details Cryptojacking Campaign Abusing AI Chatbots and ScreenConnect

CyberSecureFox Editorial Team

The Microsoft Defender Experts and Microsoft Defender Security Research teams have published a report on an active cryptojacking campaign in which attackers are using a fundamentally new delivery vector: AI chatbot responses to user queries about downloading software. The campaign deliberately targets systems with high-performance GPUs to maximize mining profits and, beyond financial motivation, establishes persistent remote access via ScreenConnect, opening the way to data theft, lateral movement, and ransomware deployment. Microsoft stated that it has detected and blocked activity associated with this campaign.

Delivery evolution: from SEO poisoning to AI chatbots

Initially, the campaign relied on classic search result poisoning (SEO poisoning): users searching for popular system utilities — CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear — were led to malicious sites masquerading as download pages for these programs. The choice of these particular utilities is no coincidence: they are all associated with users who own powerful hardware, which increases the value of each compromised device for mining.

However, in April 2026, Microsoft observed a qualitative shift. Users began reaching malicious domains not via search engines, but through interactions with tools based on large language models (LLMs). According to Microsoft, “users asking AI chatbots for software download recommendations received links to attacker-controlled domains in the generated responses.” Microsoft clarifies that this conclusion is based on observed patterns and correlated data sources and is consistent with emerging techniques for poisoning AI search results—an extension of traditional SEO poisoning beyond classic search engines.

Technical attack chain

The campaign infrastructure includes more than 150 malicious domains. Each site contains a download button that retrieves a ZIP archive from a subdomain of gleeze[.]com, which is hosted on infrastructure associated with the Dynu dynamic DNS provider.

DLL sideloading and ScreenConnect installation

The downloaded ZIP archive contains a legitimate executable and a malicious library, autorun.dll, which the legitimate binary loads when it runs (DLL sideloading). This library installs a second malicious DLL — vcredist_x64.dll — via msiexec.exe. That file is a packed ScreenConnect installer.

After installation, the ScreenConnect client continuously attempts to contact the attackers’ server at 193.42.11[.]108. Over the established session, the SimpleRunPE.exe executable is delivered.

Persistence and evasion

SimpleRunPE.exe performs a range of actions for persistence and concealment:

  • Creates entries in Registry Run keys and scheduled tasks
  • Configures exclusions in Microsoft Defender
  • Performs checks for the presence of analysis tools
  • Uses process hollowing to run mining code under a trusted Microsoft-signed binary

In some cases, instead of delivering files via ScreenConnect, a PowerShell script is used that downloads a binary from a remote drive, saves it locally as vlc.exe, creates a scheduled task to run it, and then deletes itself.

Mining and self-protection

The binary injected via process hollowing connects to the command-and-control server, sends detailed host information, downloads a suitable miner archive, and runs it. Three mining programs are supported: gminer, lolMiner, and SRBMiner-MULTI.

The malware actively counters detection: when it detects running monitoring processes — taskmgr.exe, processhacker.exe, processhacker2.exe, procexp.exe, procexp64.exe, systeminformer.exe — the miner immediately terminates. In addition, the binary recreates persistence artifacts and reconfigures Defender exclusions if they are removed, ensuring a resilient presence in the system.

Indicators of compromise

  • Domain: gleeze[.]com (campaign-specific subdomains)
  • C2 IP address: 193.42.11[.]108 (ScreenConnect server)
  • Files: autorun.dll, vcredist_x64.dll, SimpleRunPE.exe

Context: Microsoft’s series of reports on sophisticated attacks

The publication of this report is part of a series of Microsoft investigations from May 2026. On May 22, the company described a multi-stage attack in which an unknown attacker compromised an F5 BIG-IP firewall, used trust relationships to move to an internal Linux host, and then attacked a vulnerable Atlassian Confluence server. The incident involved Kerberos relay attacks and exploitation of CVE-2025-33073, and the attacker maintained access via SSH with a privileged account without explicit persistence mechanisms—highlighting the risks associated with excessive privileges.

Earlier, on May 12, Microsoft disclosed an incident in which attackers abused trust relationships with a third-party IT provider and legitimate management tools to run a stealthy campaign aimed at long-term access and credential theft. A common trend runs through all three reports: attackers are increasingly exploiting trust—in search engines, AI tools, third-party providers, and legitimate software.

Impact assessment

The campaign poses a high level of risk for several reasons. First, the target audience—owners of systems with powerful GPUs—includes gamers, machine learning professionals, video editors, and 3D designers. Second, cryptojacking is only the initial monetization stage: the installed ScreenConnect provides full remote access that can be used for data theft, lateral movement across the network, or ransomware deployment. Third, using AI chatbots as a delivery vector broadens the attack surface to users who deliberately avoid untrusted search results but trust language model answers.

Recommendations for defense

  • Download software only from official sites: do not trust download links obtained from AI chatbots or search results—navigate to the developer’s site directly
  • Monitor ScreenConnect: check for unauthorized ScreenConnect installations in your environment; block connections to 193.42.11[.]108 and gleeze[.]com domains
  • Control DLL sideloading: configure Windows Defender Application Control (WDAC) or AppLocker policies to prevent loading of unsigned DLLs from user directories
  • Audit Defender exclusions: regularly review the Microsoft Defender exclusions list—malware actively adds and restores them
  • Monitor for process hollowing: track abnormal behavior of trusted Microsoft processes, especially unusual network activity or high GPU load
  • Block dynamic DNS: consider blocking or closely monitoring traffic to dynamic DNS providers (Dynu and similar) at the network perimeter
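One way to operationalize the host-side checks above on a single Windows machine, as an added example that is not code from the article or from Microsoft: it looks for the indicators the article quotes (the C2 address, the named files, Defender exclusions, Run-key and scheduled-task persistence); the 'ScreenConnect Client' service-name prefix is an assumption about how the client registers itself.

```powershell
# Added example (not from the article or the Microsoft report): hunts one Windows host
# for the indicators quoted above. Run from an elevated PowerShell; findings are leads
# to triage, not verdicts. IoC values are the article's, with defanging brackets removed.
$C2Ip      = '193.42.11.108'
$FileNames = @('autorun.dll', 'vcredist_x64.dll', 'SimpleRunPE.exe', 'vlc.exe')
$Findings  = [System.Collections.Generic.List[string]]::new()

function Test-CampaignName([string]$Text) {   # true when a command line names a campaign file
    foreach ($f in $FileNames) { if ($Text -like "*$f*") { return $true } }
    return $false
}

# 1. Live TCP connections to the ScreenConnect C2 address, with the owning process.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $C2Ip } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $Findings.Add("C2 connection to $C2Ip from PID $($_.OwningProcess) ($($p.ProcessName))")
    }

# 2. ScreenConnect client services (name prefix assumed); compare against any sanctioned instance.
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'ScreenConnect Client*' } |
    ForEach-Object { $Findings.Add("ScreenConnect service: $($_.Name) [$($_.Status)]") }

# 3. Defender exclusions: the malware adds them and re-adds them if they are removed.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($ex in @($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension)) {
    if ($ex) { $Findings.Add("Defender exclusion: $ex") }
}

# 4. Run keys and scheduled tasks whose command line names a campaign file
#    (vlc.exe is also a legitimate name, so check the path of any hit).
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' -and (Test-CampaignName "$($_.Value)") } |
            ForEach-Object { $Findings.Add("Run key ${key}\$($_.Name) -> $($_.Value)") }
    }
}
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        if (Test-CampaignName "$($a.Execute) $($a.Arguments)") {
            $Findings.Add("Scheduled task $($_.TaskPath)$($_.TaskName) -> $($a.Execute) $($a.Arguments)")
        }
    }
}
if ($Findings.Count -eq 0) { 'No campaign indicators found on this host.' } else { $Findings }
```

Network-level indicators (gleeze[.]com subdomains, Dynu-hosted infrastructure) are better checked at the proxy or DNS resolver than on the endpoint, since the host's DNS cache is short-lived.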

The key takeaway from this campaign is the need to reassess the trust model for sources that recommend where to download software. Organizations should immediately check their infrastructure for indicators of compromise (ScreenConnect, connections to gleeze[.]com and 193.42.11[.]108), implement policies requiring software to be downloaded only from approved repositories, and include AI tools in their social engineering threat model alongside phishing emails and malicious ads.


The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.