Attackers are tricking people looking for popular PC utilities into installing malware that secretly uses their graphics cards to mine cryptocurrency. Microsoft says the campaign uses search-engine optimization (SEO) poisoning and, in some cases, attacker-controlled links surfaced in AI chatbot responses for tools such as CrystalDiskInfo, HWMonitor, FurMark, K-Lite Codec Pack, PDFgear, and Display Driver Uninstaller. The fake downloads bundle a legitimate program with a malicious dynamic-link library (DLL), install ScreenConnect for remote access, add multiple Windows persistence mechanisms, evade Microsoft Defender, and then deploy GPU miners including gminer, lolMiner, and SRBMiner-MULTI.
Why it matters: This campaign targets owners of powerful Windows systems and can leave victims with both hijacked hardware and a remote-access backdoor for follow-on attacks. Users and defenders should avoid downloading software from AI-generated or unfamiliar links, verify vendor domains, and hunt for the listed indicators of compromise and unauthorized ScreenConnect installs.
SecurityWeek News
2026.06.05
It summarizes Microsoft’s findings that attackers are abusing both SEO poisoning and AI chatbot recommendations to deliver fake utilities, then using ScreenConnect and process hollowing to deploy GPU-focused cryptominers.
Ionut Ilascu
2026.05.27
This article establishes a distinct Microsoft-documented malware campaign centered on SEO poisoning and AI chatbot link manipulation to deliver GPU-mining malware and persistent remote access.