Skip to main content
Emerging ThreatsMalware & Ransomware

GPU mining malware spreads via SEO poisoning and AI chatbot manipulation

Person working at desk with laptop and phone, surrounded by papers, in a home office with a city view through the window.

“In these cases, users querying AI chatbots for software download recommendations were presented with links to attacker‑controlled domains within generated responses,” Microsoft says.

How the attack starts: SEO poisoning and manipulated AI recommendations

Microsoft researchers say the campaign begins when users search for commonly installed utilities for high‑performance systems. Threat actors have used coordinated SEO poisoning to boost malicious download pages in search results for tools such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. Microsoft also cites reports from April that users interacting with AI‑based assistants were shown links to attacker‑controlled domains within generated responses.

What the malicious package contains and how it runs

The malicious installer is delivered as a ZIP archive hosted on a subdomain at gleeze[.]com — a domain Microsoft notes has been previously flagged for use by phishing sites. The archive bundles the legitimate executable for the intended utility together with a malicious DLL that is automatically loaded when the benign binary is launched.

According to Microsoft, the DLL invokes msiexec.exe to install vcredist_x64.dll, which acts as a package installer for the ScreenConnect remote access tool. Deploying ScreenConnect gives the attacker a persistent remote management channel that could later be used to install additional malware.

Persistence and stealth: ScreenConnect, SimpleRunPE.exe, and process hollowing

After the ScreenConnect session is established, the actor drops a binary named SimpleRunPE.exe. The binary copies itself as RuntimeHost.exe into a folder hidden from Explorer and, Microsoft reports, establishes “six persistence mechanisms across multiple Windows autostart locations.” In some cases, the actor uses a malicious PowerShell script to drop the binary as vlc.exe in an attempt to impersonate the VideoLAN player.

Microsoft researchers examined SimpleRunPE.exe’s Program Database (PDB) path and believe the sample is a fork of a public repository used to demonstrate the process hollowing technique. The attackers use process hollowing to inject into legitimate Microsoft‑signed .NET utilities — InstallUtil.exe, RegAsm.exe, RegSvcs.exe, MSBuild.exe, AppLaunch.exe, AddInProcess.exe, and aspnet_compiler.exe — to run malicious code under the cover of trusted binaries.

To evade detection, the malware invokes PowerShell to add its path and process to Microsoft Defender exclusion lists. It also checks the environment for virtual machines and compares running processes against a list of 40 process names corresponding to analysis tools; if any of those indicators are present, the malware terminates execution.

GPU mining payloads and a focused monetization strategy

Once the hollowed process runs, the actor downloads one of three GPU mining modules: gminer, lolMiner, or SRBMiner‑MULTI. Microsoft emphasizes that this campaign is notable not for volume but for a monetization strategy “engineered from the ground up to maximize GPU mining yield per compromised device.” That focus on maximizing per‑device GPU output distinguishes the operation from broader, volume‑oriented cryptojacking efforts.

What this means for security teams, procurement leaders, and end users

  • Security teams: Microsoft highlights that organizations can use the indicators of compromise included in the report alongside the protections already provided by Microsoft tools. The chain — SEO‑poisoned pages, archives on gleeze[.]com, a malicious DLL that loads beneath a legitimate binary, and ScreenConnect installation — provides concrete signals for detection and hunting.
  • Procurement and IT leaders: Owners of high‑performance systems who install utilities such as CrystalDiskInfo, HWMonitor, FurMark, Display Driver Uninstaller, K‑Lite Codec Pack, and PDFgear should be aware that malicious download pages are masquerading as legitimate installers and that supply‑chain or distribution points can be abused to deliver dual‑packed archives.
  • End users and administrators: Microsoft’s finding that AI chatbots sometimes returned attacker‑controlled links underscores that both search results and assistant recommendations can be manipulated. Users searching for the named utilities may encounter poisoned links or AI responses that lead to infected installers.

Microsoft’s analysis ties a multi‑stage infection chain — from SEO and AI manipulation to DLL side‑loading, ScreenConnect installation, and process‑hollowing persistence — to a narrowly tailored goal: extract maximum GPU mining value from each compromised host. The report includes indicators of compromise organizations can use to harden detection and response; Microsoft’s defensive tooling is also cited as a line of protection.

Read the original Microsoft‑based report at Bleeping Computer: https://www.bleepingcomputer.com/news/security/gpu-mining-malware-spreads-via-seo-poisoning-ai-chatbots/