Microsoft Warns of GPU Cryptojacking Campaign Spread Through AI Chatbot Links


Image credit: Microsoft

Microsoft researchers have uncovered an ongoing cryptojacking campaign targeting high-performance Windows PCs with powerful GPUs. The attackers focus on gaming systems, workstations, and enthusiast PCs to maximize cryptocurrency mining profits.

According to Microsoft, the campaign spreads through SEO poisoning and even manipulated AI chatbot recommendations that direct users to malicious software download pages.

Fake utility downloads target enthusiasts and power users

The attackers impersonate popular Windows utility apps often downloaded by gamers, overclockers, and PC enthusiasts. Victims searching for tools such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear may end up on fake download sites instead of official pages.

Microsoft says some malicious links also appeared in AI-generated chatbot responses when users asked for software download recommendations. Those responses reportedly directed users to attacker-controlled domains hosting infected downloads.

The malicious files arrive as ZIP archives hosted on a subdomain tied to gleeze[.]com. Inside the archive, victims receive the legitimate software installer alongside a malicious DLL file.

When the real application launches, Windows loads the malicious DLL from the same folder in place of the library the program expects (DLL side-loading), allowing the infection chain to begin silently in the background.
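The bundle described above, a genuine installer shipped next to a DLL it will load, can be checked for before anything is run. The following PowerShell script is an added example, not code from the article or from Microsoft's report: it extracts a downloaded archive to a temporary folder, checks the Authenticode signature of every executable, DLL and MSI inside, and warns when a validly signed installer travels with a DLL that is unsigned or carries a broken signature. The archive path is a placeholder you supply; nothing in the archive is executed.

```powershell
# Added example (not from Microsoft's report or the article): inspect a downloaded
# archive for the side-loading pattern - a signed installer shipped next to a DLL
# that does not carry a valid signature.
# Assumptions: $ArchivePath is a placeholder you supply; extraction goes to a temp
# folder that is removed afterwards; nothing extracted is executed.
param(
    [Parameter(Mandatory = $true)]
    [string]$ArchivePath   # e.g. C:\Users\me\Downloads\tool-download.zip (placeholder)
)

$work = Join-Path $env:TEMP ("zipcheck-" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null
try {
    Expand-Archive -LiteralPath $ArchivePath -DestinationPath $work -Force

    $files  = Get-ChildItem -Path $work -Recurse -File -Include *.exe, *.dll, *.msi
    $report = foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        [pscustomobject]@{
            Name   = $f.Name
            Type   = $f.Extension.TrimStart('.').ToUpper()
            Status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SizeKB = [math]::Round($f.Length / 1KB)
        }
    }
    $report | Format-Table -AutoSize

    # Flag the pattern: at least one validly signed installer plus any DLL in the
    # same archive that is not validly signed.
    $signedInstaller = $report | Where-Object { $_.Type -in 'EXE', 'MSI' -and $_.Status -eq 'Valid' }
    $suspectDlls     = $report | Where-Object { $_.Type -eq 'DLL' -and $_.Status -ne 'Valid' }
    if ($signedInstaller -and $suspectDlls) {
        Write-Warning "Possible DLL side-loading bundle: signed installer(s) shipped with unsigned/invalid DLL(s):"
        $suspectDlls | ForEach-Object { Write-Warning ("  " + $_.Name) }
    }
}
finally {
    Remove-Item -Path $work -Recurse -Force -ErrorAction SilentlyContinue
}
```

Plenty of legitimate software ships unsigned helper DLLs, so a warning here is a reason to compare the archive against the vendor's official download, not proof of compromise. The stronger signal is a single DLL with no signature sitting beside an installer whose every other file is signed by the vendor.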

ScreenConnect used for persistent remote access

Microsoft says the malware abuses msiexec.exe to install a file named vcredist_x64.dll. Despite the name, the file actually deploys the legitimate remote access tool ScreenConnect.

Once installed, ScreenConnect gives attackers persistent remote access to the infected system.

The attackers then deploy another binary called SimpleRunPE.exe, which copies itself as RuntimeHost.exe into a hidden folder designed to stay out of sight in File Explorer.

Microsoft says the malware establishes six separate persistence mechanisms across Windows autostart locations to ensure it survives reboots and removal attempts.
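Persistence spread across autostart locations is something a user can audit directly. The script below is an added example, not from the article or Microsoft's report. It walks the common Run/RunOnce registry keys, both Startup folders and scheduled task actions, and warns about entries whose target is named RuntimeHost.exe, is a vlc.exe outside the VideoLAN install path, or lives in a hidden folder. The list of locations is an assumption: the article does not say which six mechanisms the malware uses, so these are simply the usual places to look.

```powershell
# Added example, not from the article or Microsoft's report: enumerate common Windows
# autostart locations and flag entries matching the indicators the article mentions
# (RuntimeHost.exe, vlc.exe outside the VideoLAN path, targets in a hidden folder).
# The set of locations below is an assumption; the article does not list the six
# persistence mechanisms the malware actually uses.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-TargetPath([string]$cmd) {
    # Pull the executable out of a command line: "C:\x\y.exe" args  or  C:\x\y.exe args
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $cmd
}

function Test-Suspicious([string]$target) {
    $reasons = @()
    $leaf = Split-Path -Leaf $target
    if ($leaf -ieq 'RuntimeHost.exe') { $reasons += 'name matches RuntimeHost.exe' }
    if ($leaf -ieq 'vlc.exe' -and $target -notmatch '\\Program Files( \(x86\))?\\VideoLAN\\') {
        $reasons += 'vlc.exe outside the VideoLAN install path'
    }
    $dir = Split-Path -Parent $target
    if ($dir -and (Test-Path -LiteralPath $dir)) {
        $attrs = (Get-Item -LiteralPath $dir -Force).Attributes
        if (($attrs -band [IO.FileAttributes]::Hidden) -ne 0) { $reasons += 'parent folder is hidden' }
    }
    return $reasons
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
    }
}
# Startup folders (current user and all users)
$startupDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
foreach ($d in $startupDirs) {
    Get-ChildItem -LiteralPath $d -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $entries += [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Command = $_.FullName }
    }
}
# Scheduled task actions
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute) {
            $entries += [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = $_.TaskName
                Command = ($a.Execute + ' ' + $a.Arguments).Trim()
            }
        }
    }
}

foreach ($e in $entries) {
    $target  = [Environment]::ExpandEnvironmentVariables((Get-TargetPath $e.Command))
    $reasons = @(Test-Suspicious $target)
    if ($reasons.Count -gt 0) {
        Write-Warning ("{0} | {1} | {2} -> {3}" -f $e.Source, $e.Name, $e.Command, ($reasons -join '; '))
    }
}
"Checked $($entries.Count) autostart entries."
```

Run it from an elevated session so the HKLM keys and all-users task list are readable. Services and WMI event subscriptions are other autostart channels the script does not cover; the point is the pattern, checking every place a program can be told to start and cross-referencing the target against the indicators you have.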

In some cases, the payload arrives through PowerShell and disguises itself as vlc.exe to imitate the VLC media player.

Malware hides inside trusted Microsoft processes

The campaign uses several stealth techniques to avoid detection.

Microsoft says the malware appears to rely on process hollowing, a method that starts a legitimate process and replaces its in-memory code with the malicious payload so the activity appears to come from a trusted program. The attackers specifically target Microsoft-signed .NET binaries such as InstallUtil.exe, RegAsm.exe, RegSvcs.exe, and MSBuild.exe.

The malware also uses PowerShell commands to add itself to Microsoft Defender exclusions, reducing the chance of detection by built-in Windows security protections.
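Both of the techniques just described leave traces that can be checked from a PowerShell prompt. The script below is an added example, not from the article or Microsoft's report, and covers two triage steps: listing the Microsoft Defender exclusions currently configured (and highlighting any that cover a user-writable path), and listing running instances of the four Microsoft-signed .NET binaries named above together with their parent process, since on a gaming or creator PC these rarely run on their own. It assumes an elevated session on a machine where Defender is present.

```powershell
# Added example, not from the article or Microsoft's report. Two triage checks:
#  1. list Microsoft Defender exclusions (the malware is said to add its own);
#  2. list running instances of the signed .NET binaries named as hollowing hosts,
#     with their parent process.
# Assumes an elevated PowerShell session with Microsoft Defender installed.

# --- 1. Defender exclusions ----------------------------------------------------
$pref = Get-MpPreference
$exclusions = @(
    $pref.ExclusionPath      | ForEach-Object { [pscustomobject]@{ Kind = 'Path';      Value = $_ } }
    $pref.ExclusionProcess   | ForEach-Object { [pscustomobject]@{ Kind = 'Process';   Value = $_ } }
    $pref.ExclusionExtension | ForEach-Object { [pscustomobject]@{ Kind = 'Extension'; Value = $_ } }
)
if ($exclusions.Count -eq 0) {
    "No Defender exclusions configured."
} else {
    "Defender exclusions ($($exclusions.Count)):"
    $exclusions | Format-Table -AutoSize
    # An exclusion covering a location any user can write to deserves a second look.
    $userWritable = $exclusions | Where-Object {
        $_.Kind -eq 'Path' -and $_.Value -match '^C:\\Users\\|\\AppData\\|\\Temp\\|^%'
    }
    foreach ($x in $userWritable) { Write-Warning "Exclusion on user-writable path: $($x.Value)" }
}

# --- 2. Signed .NET binaries commonly used as injection hosts --------------------
$hostNames = 'InstallUtil.exe', 'RegAsm.exe', 'RegSvcs.exe', 'MSBuild.exe'
$allProcs  = Get-CimInstance Win32_Process
$byPid     = @{}
$allProcs | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }
$hosts     = $allProcs | Where-Object { $hostNames -contains $_.Name }

if (-not $hosts) {
    "No running instances of $($hostNames -join ', ')."
} else {
    $hosts | ForEach-Object {
        $parent = $byPid[[int]$_.ParentProcessId]
        [pscustomobject]@{
            PID         = $_.ProcessId
            Name        = $_.Name
            Path        = $_.ExecutablePath
            CommandLine = $_.CommandLine
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            ParentPath  = if ($parent) { $parent.ExecutablePath } else { '' }
        }
    } | Format-List
    Write-Warning "Review these: the parent of a hollowed host is the process that injected into it, so an unexpected parent (or one that has already exited) is the main signal."
}
```

A build running under Visual Studio will legitimately spawn MSBuild.exe with devenv.exe as its parent, so the parent and command line, not the mere presence of the binary, decide whether an instance is worth deeper inspection. An exclusion list that a user never created is the clearer finding and should be removed through Defender's settings, not by editing the registry directly.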

Before activating, the malware checks whether it is running inside a virtual machine and searches for roughly 40 process names associated with security tools, malware analysis environments, and debugging software.

If those tools are detected, the malware stops running to avoid analysis.

Attackers prioritize powerful GPUs over mass infections

After successfully hiding inside trusted Windows processes, the malware downloads one of three cryptocurrency mining tools:

  • gminer
  • lolMiner
  • SRBMiner-MULTI

Microsoft says the operation stands out because the attackers prioritize mining efficiency instead of targeting the largest number of victims possible.

Rather than infecting random low-powered systems, the campaign specifically hunts for PCs with strong GPUs capable of generating higher mining yields.

That approach makes gaming rigs, AI workstations, and creator PCs especially attractive targets.

Microsoft urges caution with AI recommendations and search results

Microsoft recommends downloading utilities only from official vendor websites and avoiding links from search ads, SEO-manipulated pages, or unverified AI chatbot responses.

The company also advises users to review indicators of compromise included in its security report and use modern endpoint protection tools capable of detecting process injection and suspicious PowerShell activity.

The warning comes during an increasingly tense period for Microsoft’s security ecosystem. Recently, Microsoft criticized the researcher behind the YellowKey exploit release and reportedly banned the researcher’s GitHub account. The company has also issued guidance about what will happen to Windows PCs that miss the upcoming Secure Boot certificate update deadline.

Via Bleeping Computer
