Poisoned AI Chatbots: A New Vector for High-Performance GPU Cryptojacking
Microsoft has identified an active campaign that manipulates AI chatbot recommendations to distribute GPU-based cryptojacking malware by abusing ScreenConnect…
On May 26, 2026, Microsoft disclosed an active cryptojacking campaign that utilizes AI chatbot recommendations as its initial infection vector. Rather than attacking the conversational platforms directly, threat actors manipulate them through AI search result poisoning—extending traditional SEO poisoning to a new layer of implicit user trust. The campaign specifically targets high-performance GPU systems, employing an infrastructure designed for multi-layered persistence, anti-analysis, and self-healing.
- Since April 2026, users querying AI chatbots for software recommendations have received links to attacker-controlled domains within the generated responses.
- The campaign impersonates legitimate utilities—including CrystalDiskInfo, HWMonitor, FurMark, Display Driver Uninstaller, K-Lite Codec Pack, and PDFgear—to attract users with discrete GPUs.
- Infection is achieved via DLL sideloading in legitimate executables, followed by the deployment of ScreenConnect for persistent remote access and process hollowing into Microsoft-signed binaries.
- The malware implements six distinct persistence mechanisms and self-heals Microsoft Defender exclusions: three scheduled tasks, two registry Run keys, and a shortcut in the Startup folder.
The Chatbot as Puppeteer: From Poisoning to Malicious Domains
The entry vector represents the most significant evolution of this campaign. According to Microsoft, "users querying AI chatbots for software download recommendations received links to attacker-controlled domains within the generated responses." This pattern, documented by Microsoft Defender telemetry and corroborated by VirusTotal metadata indicating referral context from chatbot interactions, shifts the attack surface from traditional Search Engine Results Pages (SERPs) to conversational interfaces.
The campaign leverages over 150 malicious domains hosted on Dynu infrastructure, according to Microsoft data. Distribution occurs via ZIP archives containing a legitimate executable paired with a rogue DLL named 'autorun.dll'. Upon launching the executable, the DLL sideloading triggers the compromise chain without requiring software vulnerability exploits. Microsoft has identified nine distinct variants of autorun.dll in the wild, indicating active development and evasion testing.
«This emerging delivery technique extends social engineering beyond conventional search results and increases the visibility of malicious software recommendations» — Microsoft Defender Experts and Microsoft Defender Security Research Team
ScreenConnect and .NET: The Persistence Infrastructure Behind the Mining
Once sideloaded, the DLL installs 'vcredist_x64.dll'—which is actually a ScreenConnect installer package—via msiexec.exe. The ScreenConnect client contacts the server at 193.42.11[.]108 using the service parameter h=directdownload.icu. This step establishes persistent remote access alongside the mining operation, creating potential for future data theft, lateral movement, or ransomware deployment, as noted by Microsoft.
The miner payload is activated through SimpleRunPE.exe, a process hollowing tool. Its embedded PDB path—G:\My Drive\works\test projects\Simple-RunPE-Process-Hollowing-RUNPE\SimpleRunPE\obj\Release\SimpleRunPE.pdb—matches the public GitHub repository Watermwo/Simple-RunPE-Process-Hollowing. The code injects the miner into Microsoft-signed binaries: InstallUtil.exe, RegAsm.exe, and MSBuild.exe, according to Rescana's analysis. This tactic involves the use of legitimate .NET utilities to host a process replaced in memory.
The campaign supports three miner programs—gminer, lolMiner, and SRBMiner-MULTI—selected for GPU compatibility and hardware adaptability. The malware implements anti-analysis by terminating miner processes if it detects Process Hacker or Process Explorer running. A recurring campaign identifier—D3F4E2A1—appears as both a mutex name and within Microsoft Defender exclusions, according to Microsoft.
Six Persistence Mechanisms and Active Self-Healing
The campaign is characterized by redundant persistence: three scheduled tasks, two registry Run keys, and one shortcut in the Startup folder. This multi-layered architecture ensures the compromise survives partial remediation efforts. Furthermore, the malware "recreates persistence artifacts" and "reconfigures Microsoft Defender exclusions" if they are detected or removed, according to Microsoft.
An alternative variant documented by Microsoft uses PowerShell to download a binary from a remote drive, saves it as 'vlc.exe', creates a one-time scheduled task, and then self-deletes. This path reduces the on-disk footprint and challenges post-infection forensic analysis.
Rescana provides additional infrastructure details: a C2 WebSocket channel at wss://minemine.gleeze[.]com:8443/ws, with infections confirmed by Microsoft Defender telemetry, VirusTotal, and community honeypots. The extended activity timeline from April to June 2026 suggests continuous operations.
Targeted Selection and Monetization Logic
This campaign does not chase infection volume. Microsoft is explicit: the focus is on "compromising systems with higher mining value," with a "deliberate" selection of enthusiast PCs equipped with discrete GPUs. The impersonated utilities—CrystalDiskInfo, HWMonitor, FurMark, and Display Driver Uninstaller—are tools that users with high-performance hardware regularly install for monitoring, stress testing, and driver maintenance.
This targeting logic inverts the traditional cryptojacking model. Instead of maximizing the number of compromised endpoints, the actors maximize the yield per device. GPU mining on enthusiast hardware—such as the NVIDIA RTX 40 or 50 series and AMD RX 7000—produces hash rates orders of magnitude higher than generic CPUs or corporate workstations lacking dedicated graphics cards.
Mitigation and Response
Recommendations are derived directly from the TTPs documented by Microsoft and Rescana:
- Verify the source of software links even when recommended by AI chatbots; campaign domains impersonate legitimate names but reside on Dynu infrastructure with recognizable naming patterns.
- Monitor msiexec.exe execution for undocumented parameters, particularly when initiated by user-space processes following the download of system utilities.
- Examine Microsoft Defender exclusions for the D3F4E2A1 pattern or unauthorized folders, and inspect scheduled tasks for one-time activities with generic names.
- Audit connections to IP 193.42.11[.]108 and the domain minemine.gleeze[.]com:8443 in proxy/firewall logs, paying close attention to WebSocket traffic atypical for the environment.
The Paradigm Shift: When AI Trust Becomes an Attack Surface
The campaign documented by Microsoft is not a technical exploit of AI infrastructure. It is something more insidious: an attack on the trust users place in automatically generated recommendations. The chatbot is not technically compromised—it is polluted upstream through the same SEO poisoning techniques that plague traditional search engines, but with a credibility multiplier.
The implicit message the user receives—"the chatbot recommended this software"—replaces critical evaluation with algorithmic delegation. Threat actors have recognized that this behavioral shift, accelerated by the mass adoption of LLMs, opens a window of opportunity before parallel verification habits become standard. While Microsoft has detected and blocked activity associated with this campaign, the technical framework—sideloading, process hollowing, and multiple persistence layers—is readily reusable with other entry vectors.
What remains to be seen is whether conversational AI platforms will implement provenance controls for recommended software links, or if the burden of verification will continue to fall on the end user in an increasingly complex digital landscape.
Frequently Asked Questions
Are chatbot platforms vulnerable or just manipulated?
Microsoft cites "observed patterns and correlated data sources" consistent with emerging AI search result poisoning techniques, rather than technical vulnerabilities within the platforms. The exact mechanism—whether training data poisoning, prompt injection, or otherwise—is not documented in the report.
Why do the miners terminate if they detect Process Hacker?
This anti-analysis feature prevents manual and automated inspection of the running miner process, delaying discovery and the extraction of indicators of compromise (IoCs) by security analysts.
Has ScreenConnect been compromised as a product?
No. The RMM tool is being abused as remote access infrastructure; it is not the subject of a software vulnerability in this campaign. The installer used is an unauthorized package, not an official distribution.
Information has been verified against cited sources and is current as of the time of publication.
Sources
- https://thehackernews.com/2026/05/ai-chatbot-recommendations-redirect.html
- https://krebsonsecurity.com/2026/04/russia-hacked-routers-to-steal-microsoft-office-tokens/
- https://krebsonsecurity.com/2026/05/patch-tuesday-may-2026-edition/
- https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/
- https://www.rescana.com/post/active-exploitation-alert-gpu-mining-malware-targeting-windows-systems-via-seo-poisoning-and-ai-chatbot-recommendations
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41089
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41096
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41103
- https://krebsonsecurity.com/2026/04/patch-tuesday-april-2026-edition/
- https://www.securityweek.com/oracle-patches-450-vulnerabilities-with-april-2026-cpu/