
AI Chatbot Prompts Lead Users to Cryptojacking Malware Sites

Summary

– Cybercriminals are using AI chatbot interactions and poisoned search results to direct users to malicious download sites in an active cryptojacking campaign targeting high-performance GPU owners.
– The campaign impersonates legitimate software like CrystalDiskInfo, HWMonitor, and Display Driver Uninstaller, with fake websites hosting malicious ZIP archives containing a DLL file for sideloading.
– Attackers gain persistent remote access via abused ScreenConnect deployments, which could later enable data theft, lateral movement, or ransomware.
– The final payload uses process hollowing to launch cryptocurrency miners under trusted Microsoft-signed binaries and monitors for diagnostic tools to terminate mining activity if detected.
– Microsoft recommends enabling cloud-delivered protection, attack surface reduction rules, and endpoint detection in block mode, while monitoring for unauthorized Defender exclusion changes.

Cybercriminals are actively weaponizing AI chatbot responses alongside poisoned search engine results to funnel users toward malicious download sites as part of an ongoing cryptojacking campaign, according to a new warning from Microsoft.

The operation impersonates widely trusted software tools, including CrystalDiskInfo, HWMonitor, Display Driver Uninstaller (DDU), FurMark, K-Lite Codec Pack, and PDFgear. Researchers noted that these brands were chosen with precision. Each application is commonly used by PC enthusiasts and hardware-focused individuals, exactly the demographic most likely to own a high-performance discrete GPU. That hardware makes GPU cryptocurrency mining economically worthwhile.

Rather than targeting large numbers of devices, the threat actor appears focused on compromising systems that offer higher mining value. Beyond crypto mining, the campaign grants attackers persistent remote access to infected machines through abused deployments of ScreenConnect, also known as ConnectWise Control. This legitimate remote management tool is widely used by IT administrators. Microsoft warned that such access could later enable data theft, lateral movement, or even ransomware activity.

The attack chain begins when users search for popular system utilities or hardware-monitoring software. Search engines display manipulated results that lead to attacker-controlled lookalike websites. In April 2026, Microsoft identified cases where users were directed to malicious sites through interactions with LLM-based chatbots instead of traditional search results. In those instances, users asking AI chatbots for software download recommendations received links to attacker-controlled domains embedded directly in the generated responses.

Analysis of VirusTotal scans tied to the domains revealed traffic metadata referencing chatbot interactions as a potential referral source. Microsoft noted that while this behavior is based on observed patterns and correlated data, it aligns with emerging techniques in AI search result poisoning, extending traditional SEO poisoning beyond conventional search engines.

Each counterfeit website presents a download button for what appears to be a legitimate utility. However, the download retrieves a malicious ZIP archive hosted on campaign-linked subdomains. Since March 2026, researchers have identified more than 150 domains tied to the operation.

The ZIP archive contains a legitimate executable for the spoofed utility alongside a malicious DLL file named autorun.dll. When launched, the program loads the DLL from the same folder through DLL sideloading, a technique that allows malicious code to execute through a trusted application while reducing suspicion and visible security warnings. Analysis uncovered nine different autorun.dll variants used across the campaign.

The malicious DLL then uses msiexec.exe to silently install another file, vcredist_x64.dll, disguised as a Visual C++ Redistributable package. This file acts as an installer for ScreenConnect. Once the ScreenConnect session is established, the attacker drops a binary named SimpleRunPE.exe directly via ScreenConnect’s file-transfer feature. After execution, SimpleRunPE.exe copies itself into a hidden installation folder under the name RuntimeHost.exe and modifies file attributes to hide the malware from default Windows Explorer views.

In some cases, attackers used a PowerShell script to download the payload from a remote server, save it locally as “vlc.exe,” create a scheduled task to launch it, and then delete the script to reduce forensic traces.

The final-stage payload communicates with attacker-controlled infrastructure, collects and transmits host information, and downloads cryptocurrency miners at runtime. Analysis showed support for three mining programs: gminer, lolMiner, and SRBMiner-MULTI. The operation abuses legitimate Windows and Microsoft .NET utilities during execution. Researchers detailed the use of process hollowing to launch mining payloads under trusted Microsoft-signed binaries, a technique where malicious code is injected into legitimate processes to conceal execution and evade detection.

The malware actively monitors for diagnostic and forensic utilities, including Windows Task Manager, Process Explorer, Process Hacker, and System Informer. If any of these tools are detected, mining activity is immediately terminated. The malware also recreates persistence artifacts, including Registry Run keys, and reconfigures Defender exclusions if they are removed.

Microsoft recommends enabling cloud-delivered protection, attack surface reduction rules, and endpoint detection and response protections in block mode. Organizations should also monitor for unauthorized Defender exclusion changes and suspicious remote management tool activity. Microsoft has published a full list of indicators of compromise (IOCs) associated with the campaign.
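One way to act on the "monitor for unauthorized Defender exclusion changes" advice, as an added example that is not part of the Microsoft or Help Net Security write-up: Defender records every configuration change as Event ID 5007 in its Operational log, naming the changed registry value, so a script can diff those records against an approved baseline and flag the re-creation behaviour the article describes. The baseline path, the excluded folder and the event text below are constructed; only the RuntimeHost.exe name comes from the article.

```python
"""Flag Defender exclusion changes in Event ID 5007 records (the Defender
Operational log names the changed registry value in Old/New value lines)."""
import re

EXCLUSION_RE = re.compile(
    r"Windows Defender\\Exclusions\\(?P<kind>Paths|Processes|Extensions)\\"
    r"(?P<value>.+?)\s*=\s*0x0\s*$", re.IGNORECASE)

# Hypothetical baseline of exclusions the organisation actually approved.
APPROVED = {("Paths", "C:\\Program Files\\ExampleBackup\\")}
# CONSTRUCTED sample export (paths invented; RuntimeHost.exe is the name from
# the write-up): approved add, removal of a folder, its re-add, process add.
SAMPLE_LOG = r"""
Event 5007: Microsoft Defender Antivirus Configuration has changed.
    Old value:
    New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\ExampleBackup\ = 0x0
Event 5007: Microsoft Defender Antivirus Configuration has changed.
    Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\.rt\ = 0x0
    New value:
Event 5007: Microsoft Defender Antivirus Configuration has changed.
    Old value:
    New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\.rt\ = 0x0
Event 5007: Microsoft Defender Antivirus Configuration has changed.
    Old value:
    New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\RuntimeHost.exe = 0x0
"""

def parse_exclusion_changes(log_text):
    """Return (kind, value, action, approved) tuples; action is added,
    removed, or re-added (the exclusion came back after being removed)."""
    findings, removed = [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        side = line.split(":", 1)[0]            # "Old value" / "New value" / header
        m = EXCLUSION_RE.search(line) if side in ("Old value", "New value") else None
        if not m:
            continue                             # empty side, or not an exclusion
        key = (m.group("kind").title(), m.group("value").strip())
        if side == "Old value":
            removed.add(key)
            action = "removed"
        else:  # re-creation after removal is the behaviour the write-up describes
            action = "re-added" if key in removed else "added"
        findings.append((*key, action, key in APPROVED))
    return findings

def alerts(findings):
    """Changes worth review: not on the baseline, or re-added after removal."""
    return [f for f in findings if not f[3] or f[2] == "re-added"]
```

In a real pipeline the records would come from an export of the Microsoft-Windows-Windows Defender/Operational channel and the approved set from configuration management; a hit on a process-name exclusion for an unknown binary is the kind of change worth an immediate look.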

(Source: Help Net Security)
