LmCast :: Stay tuned in

GPU mining malware spreads via SEO poisoning, AI chatbots

Recorded: May 27, 2026, 10 p.m.

By Ionut Ilascu

May 27, 2026
05:31 PM

Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommendations.
The compromise occurs through malicious download pages for utility software typically installed by owners of powerful systems, such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear.
Once a system is infected, the attacker gains persistent access to the machine by deploying the legitimate ScreenConnect remote management tool, which can later be used to install additional malware.
Microsoft researchers discovered the campaign and determined that the attack begins when users look for one of the aforementioned utilities and are presented with malicious links boosted in search rankings through SEO poisoning.
However, some reports in April indicated that users were directed to the malicious domains after interacting with AI-based assistants.
“In these cases, users querying AI chatbots for software download recommendations were presented with links to attacker‑controlled domains within generated responses,” Microsoft says.

Claim that ChatGPT directed a user to a malicious URL for downloading CrystalDiskMark (source: Microsoft)
The malicious download is a ZIP archive hosted on a subdomain at gleeze[.]com, a domain that has been flagged in the past for being associated with phishing websites.
According to Microsoft, the archive includes the legitimate executable of the advertised utility together with a malicious DLL that is automatically loaded when the benign binary is launched.
The researchers found that the DLL uses msiexec.exe to install vcredist_x64.dll, which is in fact an installer package for the ScreenConnect remote access tool.
After establishing a ScreenConnect session with the compromised client, the threat actor drops another binary named SimpleRunPE.exe that copies itself as RuntimeHost.exe into a folder hidden in Explorer.
The purpose of the executable is to establish “six persistence mechanisms across multiple Windows autostart locations.”

Malware establishing six persistence mechanisms (source: Microsoft)
In some cases, the binary is dropped via a malicious PowerShell script and is saved locally as vlc.exe, in an attempt to impersonate the executable for the popular VideoLAN multimedia player.
Based on SimpleRunPE.exe’s Program Database (PDB) path, the researchers believe that it is a fork of a public repository for demonstrating the process hollowing technique.
The threat actor resorted to this technique for stealth, attempting to hollow one of several legitimate Microsoft-signed .NET binaries: InstallUtil.exe, RegAsm.exe, RegSvcs.exe, MSBuild.exe, AppLaunch.exe, AddInProcess.exe, and aspnet_compiler.exe.
To the same purpose, the malicious binary also invokes PowerShell to add its path and process to the exclusion list in Microsoft Defender.
Additionally, the malware checks the environment for virtual machines and a set of 40 process names corresponding to analysis tools. If any are identified, the malware terminates its execution.
Once the process hollowing stage is complete and the malware is running inside a Microsoft-signed Windows utility, one of three mining modules is downloaded and executed.
The supported mining programs are gminer, lolMiner, and SRBMiner-MULTI, all of them designed to use graphics processing units (GPUs).
Microsoft says that this cryptocurrency campaign stands out for its “targeting and monetization strategy engineered from the ground up to maximize GPU mining yield per compromised device,” instead of focusing on volume.
Apart from the defenses provided by Microsoft’s tools, organizations can protect their environments using the indicators of compromise included in the report.
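As an added defender-side example (not code from the article or from Microsoft's report), the rules below run over constructed process-creation events and flag the four behaviours the report describes: PowerShell adding a Microsoft Defender exclusion, msiexec installing a package named as a .dll, a Microsoft-signed .NET binary launched by an unexpected parent, and a known masquerade name (RuntimeHost.exe, vlc.exe) running outside Program Files. The event field names, the allowlist of expected parents, and every path and command line in the samples are assumptions.

```python
import re

# Rule set for the behaviours the report describes; event field names model
# Sysmon Event ID 1 but are an assumption, map them to your own telemetry.

# Microsoft-signed .NET binaries the report names as process-hollowing hosts.
HOLLOW_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "applaunch.exe", "addinprocess.exe", "aspnet_compiler.exe"}
# Parents that legitimately launch those hosts (assumption; tune per fleet).
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
# Names the dropper copies itself to or impersonates, per the report.
MASQUERADE_NAMES = {"runtimehost.exe", "vlc.exe"}
EXCLUSION_RE = re.compile(r"add-mppreference\b.*-exclusion(path|process)", re.I)
PROGRAM_FILES_RE = re.compile(r"[a-z]:\\program files", re.I)

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(event: dict) -> list:
    """Return the names of the rules that fire for one process-creation event."""
    image, parent = basename(event["image"]), basename(event["parent_image"])
    cmd = event.get("command_line", "")
    hits = []
    # 1. PowerShell adding a path or process exclusion to Microsoft Defender.
    if image in {"powershell.exe", "pwsh.exe"} and EXCLUSION_RE.search(cmd):
        hits.append("defender_exclusion_added")
    # 2. msiexec installing a package that carries a .dll name instead of .msi.
    if image == "msiexec.exe" and re.search(r"\S+\.dll\b", cmd, re.I):
        hits.append("msiexec_installs_dll")
    # 3. A .NET utility started by a parent that does not normally launch it.
    if image in HOLLOW_HOSTS and parent not in EXPECTED_PARENTS:
        hits.append("dotnet_host_unexpected_parent")
    # 4. A known masquerade name executing outside Program Files.
    if image in MASQUERADE_NAMES and not PROGRAM_FILES_RE.match(event["image"]):
        hits.append("masquerading_binary_path")
    return hits

# Constructed sample events mirroring the chain in the report (not real logs).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\u\AppData\Local\Cache\RuntimeHost.exe"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Users\u\Downloads\CrystalDiskInfo64.exe",
     "command_line": r"msiexec.exe /i C:\Users\u\Downloads\vcredist_x64.dll /qn"},
    {"image": PS, "parent_image": DROPPER,
     "command_line": r"powershell -c Add-MpPreference -ExclusionPath C:\Users\u\AppData\Local\Cache -ExclusionProcess RuntimeHost.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe", "parent_image": DROPPER, "command_line": "InstallUtil.exe"},
    {"image": r"C:\Users\u\AppData\Local\Temp\vlc.exe", "parent_image": PS, "command_line": "vlc.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",  # benign: expected parent
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "command_line": "MSBuild.exe app.csproj"},
]
```

Rule 3 is the noisiest in environments with developer tooling; extend EXPECTED_PARENTS from a baseline before alerting on it.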


CryptoMiner
GPU
Process Hollowing
ScreenConnect
SEO Poisoning
Spoofing

Ionut Ilascu
Ionut Ilascu is a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia.


Threat actors are leveraging a coordinated operation involving SEO poisoning and artificial intelligence chatbots to propagate GPU mining malware targeting systems equipped with high-performance computing capabilities. The initial compromise occurs when users search for or interact with AI assistants requesting utility software downloads, and malicious links, boosted by SEO poisoning, direct users to attacker-controlled domains. These malicious download pages typically host legitimate utility software, such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, and others, while embedding a malicious Dynamic Link Library (DLL). Upon execution of the benign binary, this malicious DLL leverages msiexec.exe to install vcredist_x64.dll, a package installer for the ScreenConnect remote access tool, thereby establishing an initial foothold on the compromised system.

Following the initial access, the threat actor deploys a secondary binary named SimpleRunPE.exe, which copies itself as RuntimeHost.exe and establishes persistence across multiple Windows autostart locations. Based on its Program Database (PDB) path, researchers believe SimpleRunPE.exe is a fork of a public repository that demonstrates the process hollowing technique. The malware attempts to achieve stealth by performing process hollowing into legitimate Microsoft-signed .NET binaries, including InstallUtil.exe, RegAsm.exe, RegSvcs.exe, MSBuild.exe, AppLaunch.exe, AddInProcess.exe, and aspnet_compiler.exe. Furthermore, the malicious binary invokes PowerShell to add its path and process to the exclusion list in Microsoft Defender, further reducing its visibility.

The malware employs anti-analysis measures by checking the system environment for virtual machines and for a specific set of forty process names corresponding to common analysis tools, terminating its execution if any are detected. After successfully completing the process hollowing stage, the malware downloads and executes one of three mining modules designed to use the system's graphics processing units (GPUs): gminer, lolMiner, or SRBMiner-MULTI. The campaign's monetization strategy is engineered to maximize the GPU mining yield per compromised device rather than to maximize the number of infections. Taken together, the chain shows a deliberate approach to exploiting user behavior and trusted system components for stealthy, high-yield cryptojacking.