Microsoft warns GPU mining malware is being spread to users through SEO poisoning and AI chatbots — cryptojacking campaign targets gamers and high-end PC users with downloads disguised as popular PC utilities
At a glance:
- Attackers use SEO poisoning and AI‑chatbot suggestions to deliver GPU‑mining malware disguised as trusted utilities.
- Malware hijacks high‑end GPUs, installs legitimate remote‑access software, and runs miners such as lolMiner, gminer and SRBMiner‑MULTI.
- Microsoft Defender reports over 150 malicious domains, many on gleeze.com subdomains, active since March 2026.
What happened
Microsoft Defender Experts and the Microsoft Defender Security Research Team released a detailed threat report on Tuesday describing a sophisticated cryptojacking operation. The campaign targets users who own powerful discrete GPUs – gamers, overclockers, AI researchers and hardware enthusiasts – by serving malicious ZIP archives that appear to be popular PC utilities. When victims search for these utilities on conventional search engines, or even ask large‑language‑model (LLM) chatbots for download recommendations, they are redirected to attacker‑controlled pages.
The malicious payloads masquerade as well‑known tools such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller (DDU), FurMark, K‑Lite Codec Pack, and PDFgear. The report notes that more than 150 domains have been used, many hosted on subdomains of gleeze.com, a service that leverages Dynu dynamic DNS – a pattern seen in prior phishing and malware campaigns.
How the attack works
The infection chain is deceptively simple. Victims download a ZIP file that contains the legitimate utility executable alongside a malicious DLL named autorun.dll. Because the application's own folder comes early in the Windows DLL search order, the utility loads the attacker's DLL from the same folder when it starts: DLL sideloading, a well‑known abuse technique that requires no exploit and leaves little forensic trace.
Once the DLL is loaded, the malware installs the legitimate remote‑management platform ScreenConnect (also known as ConnectWise Control) for persistent access. It then drops a binary called SimpleRunPE.exe, believed to be derived from an open‑source GitHub proof‑of‑concept for process hollowing. The malicious code copies itself to hidden locations as RuntimeHost.exe, creates scheduled tasks and startup entries, and repeatedly adds Microsoft Defender exclusions to stay under the radar.
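The archive shape described above (a genuine executable shipped next to a DLL it will load from its own folder) can be checked before anything is run. The following is an added example, not code from the article or from Microsoft's report: a Python check that flags an archive when it contains the file names the report ties to the campaign or any DLL placed beside an executable, and that compares the download's SHA-256 with the checksum a vendor publishes. The sample archives, the placeholder name SomeUtility and all function names are constructed for this example.

```python
import hashlib
import io
import posixpath
import zipfile
from typing import Optional

# File names the Microsoft report ties to this campaign (taken from the article).
KNOWN_BAD_NAMES = {"autorun.dll", "runtimehost.exe", "simplerunpe.exe"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_matches(data: bytes, expected_hex: str) -> bool:
    """Compare a download against the checksum the vendor publishes (case-insensitive)."""
    return sha256_hex(data).lower() == expected_hex.strip().lower()


def inspect_archive(zip_bytes: bytes) -> dict:
    """Report two things about a downloaded archive without extracting it:
    entries whose names match the campaign, and every DLL that sits in the
    same folder as an executable (the layout DLL sideloading needs)."""
    findings = {"known_bad": [], "sideload_pairs": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    by_dir: dict = {}
    for name in names:
        folder, base = posixpath.split(name)
        by_dir.setdefault(folder, []).append(base)
        if base.lower() in KNOWN_BAD_NAMES:
            findings["known_bad"].append(name)
    for folder, bases in by_dir.items():
        exes = [b for b in bases if b.lower().endswith(EXECUTABLE_SUFFIXES)]
        dlls = [b for b in bases if b.lower().endswith(".dll")]
        for exe in exes:
            for dll in dlls:
                findings["sideload_pairs"].append(
                    (posixpath.join(folder, exe), posixpath.join(folder, dll))
                )
    return findings


def review_download(zip_bytes: bytes, expected_sha256: Optional[str] = None) -> list:
    """Return human-readable reasons to distrust the archive (empty list = nothing found)."""
    reasons = []
    if expected_sha256 is not None and not checksum_matches(zip_bytes, expected_sha256):
        reasons.append("SHA-256 does not match the vendor-published value")
    found = inspect_archive(zip_bytes)
    if found["known_bad"]:
        reasons.append("campaign file names present: " + ", ".join(found["known_bad"]))
    for exe, dll in found["sideload_pairs"]:
        reasons.append(f"{dll} is loadable by {exe} from the same folder (sideload candidate)")
    return reasons


def build_zip(entries: dict) -> bytes:
    """Build a constructed sample archive in memory; the contents are placeholders, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a clean portable tool, and the EXE-plus-autorun.dll layout the report describes.
CLEAN_ZIP = build_zip({"SomeUtility/SomeUtility.exe": b"MZ placeholder", "SomeUtility/README.txt": b"docs"})
TROJANIZED_ZIP = build_zip({"SomeUtility/SomeUtility.exe": b"MZ placeholder", "SomeUtility/autorun.dll": b"MZ placeholder"})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_ZIP), ("trojanized", TROJANIZED_ZIP)):
        print(label, review_download(blob, expected_sha256=sha256_hex(CLEAN_ZIP)) or ["no findings"])
```

The DLL-beside-EXE rule is a review prompt rather than a verdict: plenty of legitimate portable tools ship their own DLLs, so it belongs alongside the checksum comparison, with the expected value taken from the vendor's own site rather than from the page that served the download.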
AI chatbot involvement
A novel element of this campaign is the use of AI‑generated software recommendations. Microsoft observed that, in some cases, users who asked LLM‑based assistants for utility download links received responses containing attacker‑controlled URLs. The company stresses that this is an illustrative example and does not imply a systemic flaw in any particular AI service, but it highlights a new attack surface where AI‑assisted search‑poisoning can funnel victims to malicious sites.
Targeted users and utilities
The threat actors focus on systems with high‑performance GPUs because they can be repurposed for profitable cryptocurrency mining. After establishing a foothold, the malware conducts extensive reconnaissance – checking GPU model, CPU specs, installed AV, memory configuration, and current system activity – before dynamically downloading the most suitable miner. The miners observed in the wild include:
- lolMiner
- gminer
- SRBMiner‑MULTI
To avoid detection by performance‑conscious users, the malware monitors GPU utilization, idle time, gaming sessions and streaming workloads, shutting down mining whenever heavy GPU activity is detected. This reduces obvious symptoms such as frame‑rate drops or overheating.
Defender response and mitigation
Microsoft’s analysis revealed six persistence mechanisms, automatic addition of Defender exclusions, and anti‑analysis checks that terminate the malware if virtual‑machine artifacts, debugging tools or forensic utilities (e.g., Wireshark, ProcMon, x64dbg, dnSpy, IDA, Ghidra) are detected. The report recommends users download utilities only from official vendor sites or verified mirrors, verify checksums where available, and avoid following AI‑generated download links.
Defender also flagged the malicious domains and incorporated indicators of compromise (IOCs) into its threat‑intelligence feeds. Enterprises are urged to monitor for the presence of autorun.dll, RuntimeHost.exe, and unexpected ScreenConnect installations, and to enforce application‑allow‑list policies for legitimate utilities.
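The hunting guidance above (autorun.dll, RuntimeHost.exe, unexpected ScreenConnect installations, Defender exclusions being added, scheduled tasks, gleeze.com subdomains) maps onto a handful of endpoint telemetry rules. Below is an added example, not from the article or from Microsoft's report, that runs such rules in Python over constructed, simplified log lines. The ts|source|key=value layout, the sample paths and the placeholder-host.gleeze.com name are assumptions made for this example; Defender event ID 5007 (antimalware platform configuration changed) and Sysmon event IDs 1 (process creation), 7 (image loaded) and 22 (DNS query) are the real event IDs these rules would key on against production logs.

```python
import ntpath

# Names and infrastructure the Microsoft report ties to this campaign (from the article).
CAMPAIGN_BINARIES = {"runtimehost.exe", "simplerunpe.exe"}
SIDELOADED_DLL = "autorun.dll"
CAMPAIGN_DNS_SUFFIX = ".gleeze.com"


def parse_line(line: str) -> dict:
    """Parse the constructed 'ts|source|key=value|...' layout used by the sample below."""
    ts, source, *fields = line.strip().split("|")
    event = {"ts": ts, "source": source}
    for field in fields:
        key, _, value = field.partition("=")  # values may themselves contain '='
        event[key] = value
    return event


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def rules_for(ev: dict) -> list:
    """Return the names of every hunting rule the event matches."""
    hits = []
    src, eid = ev["source"], ev.get("event_id")
    image = ev.get("image", "")
    cmdline = ev.get("cmdline", "").lower()
    # Defender 5007 = configuration changed; an Exclusions key in the new value means an exclusion was added.
    if src == "defender" and eid == "5007" and "\\Exclusions\\" in ev.get("new_value", ""):
        hits.append("defender_exclusion_added")
    # Sysmon 7 = image loaded: the sideloaded DLL appearing in any process.
    if src == "sysmon" and eid == "7" and _base(ev.get("image_loaded", "")) == SIDELOADED_DLL:
        hits.append("autorun_dll_loaded")
    if src == "sysmon" and eid == "1":  # process creation
        if _base(image) in CAMPAIGN_BINARIES:
            hits.append("campaign_binary_executed")
        if _base(image) == "schtasks.exe" and "/create" in cmdline and any(n in cmdline for n in CAMPAIGN_BINARIES):
            hits.append("scheduled_task_for_campaign_binary")
        if "screenconnect" in image.lower():
            hits.append("screenconnect_present")  # compare against the approved RMM inventory
    # Sysmon 22 = DNS query: resolution under the dynamic-DNS zone the report highlights.
    if src == "sysmon" and eid == "22" and ev.get("query_name", "").lower().endswith(CAMPAIGN_DNS_SUFFIX):
        hits.append("campaign_dns_query")
    return hits


def hunt(lines) -> list:
    """Run every rule over every non-empty line; returns (rule, timestamp, image) tuples in log order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        alerts.extend((rule, ev["ts"], ev.get("image", "")) for rule in rules_for(ev))
    return alerts


# Constructed sample telemetry that follows the infection chain in the article; the user name,
# paths, task name and the placeholder-host subdomain are made up for this example.
SAMPLE_LOG = r"""
2026-04-14T09:12:03Z|sysmon|event_id=1|image=C:\Users\alice\Downloads\SomeUtility\SomeUtility.exe|cmdline=SomeUtility.exe
2026-04-14T09:12:04Z|sysmon|event_id=7|image=C:\Users\alice\Downloads\SomeUtility\SomeUtility.exe|image_loaded=C:\Users\alice\Downloads\SomeUtility\autorun.dll
2026-04-14T09:12:09Z|sysmon|event_id=1|image=C:\Windows\System32\schtasks.exe|cmdline=schtasks.exe /create /tn Updater /tr C:\Users\alice\AppData\Roaming\RuntimeHost.exe
2026-04-14T09:12:11Z|defender|event_id=5007|new_value=HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Roaming = 0x0
2026-04-14T09:12:20Z|sysmon|event_id=1|image=C:\Users\alice\AppData\Roaming\RuntimeHost.exe|cmdline=RuntimeHost.exe
2026-04-14T09:12:31Z|sysmon|event_id=22|image=C:\Users\alice\AppData\Roaming\RuntimeHost.exe|query_name=placeholder-host.gleeze.com
2026-04-14T09:13:02Z|sysmon|event_id=1|image=C:\Program Files (x86)\ScreenConnect Client (placeholder)\ScreenConnect.ClientService.exe|cmdline=ScreenConnect.ClientService.exe
2026-04-14T10:00:00Z|sysmon|event_id=1|image=C:\Windows\System32\notepad.exe|cmdline=notepad.exe
"""

if __name__ == "__main__":
    for rule, ts, image in hunt(SAMPLE_LOG.splitlines()):
        print(f"{ts} {rule:36} {image}")
```

The screenconnect_present rule will also fire on sanctioned installs, so it needs a baseline of approved remote-management tools; the useful signal is the correlation the sample shows, with a sideload, an exclusion, a scheduled task and a dynamic-DNS lookup landing on one host within seconds, rather than any single rule on its own.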
What to watch next
As AI assistants become more integrated into daily workflows, attackers may increasingly weaponize LLM output to amplify SEO poisoning campaigns. Security teams should anticipate a rise in AI‑assisted lure techniques and consider augmenting web‑filtering solutions with AI‑aware threat feeds. Meanwhile, the cryptojacking ecosystem is likely to evolve, with miners adapting to newer GPU architectures and remote‑access tools being repurposed for stealthy payload delivery.
Prepared by the editorial stack from public data and external sources.