A sophisticated campaign observed since early 2026 is combining SEO poisoning and AI chatbot manipulation to deliver GPU-mining malware.
The attack chain begins with users reaching malicious websites, surfaced through SEO poisoning or AI chatbot recommendations, that are built to look legitimate. These sites prompt the download of ZIP archives containing a legitimate, signed utility executable alongside a malicious DLL (autorun.dll). When the utility runs, DLL sideloading loads the malicious DLL, which installs ScreenConnect for persistent remote access.
Technical Analysis
Further payloads are deployed via a custom dropper using the SimpleRunPE process hollowing technique. This injects mining code into signed Microsoft .NET binaries such as InstallUtil.exe and MSBuild.exe.
The mining component performs host reconnaissance, downloads mining binaries (gminer, lolMiner, SRBMiner-MULTI) on demand, and executes them only when the system is idle. It adds itself to Windows Defender exclusions and establishes persistence via scheduled tasks, registry keys, and startup folders.
Anti-analysis features include checks for virtual machines and debuggers. C2 communication uses encrypted WebSocket channels.
Observed Activity
Between April and June 2026, multiple security vendors and researchers observed infections from poisoned search results and AI chatbot recommendations. Victims reported high GPU usage and system slowdowns.
Infections were traced to domains including direct-download[.]gleeze[.]com, start-download[.]gleeze[.]com, and directdownload[.]icu.
Attackers used ScreenConnect both to maintain persistent access and to push updated payloads. Mining payloads connected to various mining pools.
Victimology
Targets include individual users and organizations with high-performance Windows systems equipped with discrete GPUs, such as PC gamers, IT professionals, and small to medium-sized enterprises. The campaign is global, with infections in North America, Europe, and Asia.
Mitigation
Recommended measures include:
- Blocking identified IOCs
- Monitoring for suspicious scheduled tasks and registry changes
- Auditing use of remote management tools
- User awareness training
- Application allowlisting
- Using endpoint detection solutions capable of detecting process hollowing and DLL sideloading
Incident responders should check for suspicious DLLs, scheduled tasks named "Windows System Health Monitor," and unauthorized ScreenConnect installations.
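The following triage script is an added example for the persistence and incident-response points above; it is not code from the write-up or from any vendor named in it. It checks a single Windows host for the artifacts the write-up describes: the "Windows System Health Monitor" scheduled task, Windows Defender exclusions, Run keys and startup folders, ScreenConnect services, live InstallUtil.exe/MSBuild.exe processes (the signed .NET hosts abused for process hollowing), DNS client cache entries for the three listed domains (refanged here), and autorun.dll sitting in user-writable locations. It assumes an elevated PowerShell session with the built-in ScheduledTasks, Defender and DnsClient modules available; the search roots and output format are this example's own choices.

```powershell
# Added triage example (not from the write-up). Run elevated on the host under investigation.
# Assumes the ScheduledTasks, Defender and DnsClient modules that ship with Windows.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Scheduled task name reported in the write-up.
$taskName = 'Windows System Health Monitor'
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like "*$taskName*" } |
    ForEach-Object {
        $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings.Add("Scheduled task '$($_.TaskName)' in $($_.TaskPath) runs: $action")
    }

# 2. Defender exclusions: the miner adds itself here, so every entry needs a known owner.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    foreach ($p in @($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension)) {
        if ($p) { $findings.Add("Defender exclusion present: $p") }
    }
}

# 3. Run-key and startup-folder persistence.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |   # drop the PSPath/PSDrive metadata properties
        ForEach-Object { $findings.Add("Run key ${key}\$($_.Name) = $($_.Value)") }
}
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Startup item: $($_.FullName)") }
}

# 4. ScreenConnect services and the signed .NET hosts the dropper hollows.
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*ScreenConnect*' -or $_.DisplayName -like '*ScreenConnect*' } |
    ForEach-Object { $findings.Add("ScreenConnect service: $($_.Name) ($($_.Status))") }
Get-CimInstance Win32_Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -in @('InstallUtil.exe', 'MSBuild.exe') } |
    ForEach-Object {
        # A build or install tool running long-term with no build system as its parent is worth a look.
        $parent = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)" -ErrorAction SilentlyContinue).Name
        $findings.Add("Signed .NET host running: $($_.Name) (PID $($_.ProcessId), parent: $parent, cmd: $($_.CommandLine))")
    }

# 5. DNS client cache against the domains named in the write-up (defanging removed).
$iocDomains = @('direct-download.gleeze.com', 'start-download.gleeze.com', 'directdownload.icu')
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $entry = $_.Entry; $iocDomains | Where-Object { $entry -like "*$_*" } } |
    ForEach-Object { $findings.Add("DNS cache hit: $($_.Entry) -> $($_.Data)") }

# 6. autorun.dll beside a downloaded executable is the sideloading pattern; search roots are this example's choice.
$searchRoots = @($env:TEMP, "$env:USERPROFILE\Downloads", $env:APPDATA)
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -Filter 'autorun.dll' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("autorun.dll found: $($_.FullName)") }
}

if ($findings.Count -eq 0) { 'No indicators from this write-up found on this host.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Every hit is a lead rather than a verdict: Defender exclusions and Run keys are routinely populated by legitimate software, so compare them against the host's change history. The DNS cache check only sees recent lookups, so pair it with DNS server or proxy logs for the same domains when scoping how many hosts reached them.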