
SEO Poisoning Campaign Targets High-End PCs to Deploy Cryptocurrency Miners


A sophisticated cryptojacking campaign is targeting users of high-performance computers through a coordinated SEO poisoning operation that has also exploited AI chatbot recommendations to distribute malware. According to findings from Microsoft researchers, the attackers are specifically focusing on systems equipped with powerful hardware to maximize cryptocurrency mining profits.

The attack begins when users search online for popular utility software commonly used by PC enthusiasts and gamers, including CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. Cybercriminals have manipulated search engine rankings through SEO poisoning, causing malicious websites to appear prominently in search results.

Microsoft also noted that some victims were redirected to malicious websites after seeking software download recommendations from AI-powered assistants. The company stated, “In these cases, users querying AI chatbots for software download recommendations were presented with links to attacker-controlled domains within generated responses.”

Victims who download the software receive a ZIP archive hosted on a subdomain of gleeze[.]com, a domain previously linked to phishing activity. The archive contains the legitimate software installer alongside a malicious dynamic-link library (DLL) that is automatically executed when the trusted application is launched.

Once activated, the malicious DLL uses Windows Installer processes to deploy a disguised package that installs the legitimate ScreenConnect remote management tool. This provides attackers with persistent remote access to compromised systems and creates an avenue for further malware deployment.

After establishing remote access, threat actors install an additional executable called SimpleRunPE.exe. The file copies itself into a hidden directory under the name RuntimeHost.exe and is designed to maintain long-term access by creating multiple persistence mechanisms across Windows startup locations. In some instances, the malware is delivered through a PowerShell script and saved as vlc.exe to imitate the legitimate VideoLAN media player.

Researchers believe SimpleRunPE.exe is based on publicly available code used to demonstrate process hollowing techniques. The malware leverages this method to inject malicious code into legitimate Microsoft-signed applications such as InstallUtil.exe, RegAsm.exe, RegSvcs.exe, MSBuild.exe, AppLaunch.exe, AddInProcess.exe, and aspnet_compiler.exe, making detection more difficult.

To further evade security controls, the malware uses PowerShell commands to add itself to Microsoft Defender exclusion lists. It also scans the environment for virtual machines and approximately 40 analysis-related processes. If security tools or research environments are detected, the malware immediately terminates its execution.
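Two of the behaviours described above, Defender exclusion tampering and persistence in Windows startup locations, can be checked for on a single host with the PowerShell below. This is an added hunting example, not code from Microsoft's report: the file names (RuntimeHost.exe, SimpleRunPE.exe, vlc.exe) come from the article, while the user-writable-path heuristics are assumptions about what a reviewer would want flagged.

```powershell
# Added host-audit example (not from the Microsoft report). Names are from the
# article; the path heuristics below are assumptions, tune them for your estate.
$SuspectNames = @('RuntimeHost.exe', 'SimpleRunPE.exe', 'vlc.exe')
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Source, [string]$Value, [string]$Reason) {
    $Findings.Add([pscustomobject]@{ Source = $Source; Value = $Value; Reason = $Reason })
}

# 1. Defender exclusions. Legitimate software rarely needs exclusions in
#    user-writable or hidden locations, so those deserve a second look.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
    if (-not $p) { continue }
    if ($p -match '(?i)\\Users\\|\\AppData\\|\\ProgramData\\|\\Temp\\|\\Public\\') {
        Add-Finding 'DefenderExclusion' $p 'exclusion in user-writable location'
    }
    foreach ($n in $SuspectNames) {
        if ($p -match [regex]::Escape($n)) { Add-Finding 'DefenderExclusion' $p "references $n" }
    }
}

# 2. Defender logs configuration changes (including exclusion edits) as event ID 5007.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object { Add-Finding 'DefenderEvent5007' $_.TimeCreated.ToString('s') (($_.Message -split "`n")[0]) }

# 3. Startup locations: Run/RunOnce keys (machine and user) plus the Startup folders.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $cmd = [string]$prop.Value
        foreach ($n in $SuspectNames) {
            if ($cmd -match [regex]::Escape($n)) { Add-Finding $k "$($prop.Name) = $cmd" "references $n" }
        }
        # A real VLC lives under Program Files; a vlc.exe anywhere else matches the lure in the article.
        if ($cmd -match '(?i)vlc\.exe' -and $cmd -notmatch '(?i)\\Program Files') {
            Add-Finding $k $cmd 'vlc.exe outside Program Files'
        }
    }
}
$startupDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
    Where-Object { ($SuspectNames -contains $_.Name) -or ($_.Attributes -band [IO.FileAttributes]::Hidden) } |
    ForEach-Object { Add-Finding 'StartupFolder' $_.FullName 'suspect name or hidden entry' }

$Findings | Format-Table -AutoSize
```

Run it in an elevated session so Get-MpPreference and the HKLM keys are readable; an empty table means none of the heuristics fired, not that the host is clean.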

Following successful deployment, the malware downloads and runs one of three cryptocurrency mining applications: gminer, lolMiner, or SRBMiner-MULTI. All three programs are designed to use graphics processing units (GPUs), allowing attackers to extract maximum mining performance from infected machines.

Microsoft highlighted that the operation differs from traditional large-scale cryptojacking campaigns because of its focus on carefully selected targets. The researchers described it as a “targeting and monetization strategy engineered from the ground up to maximize GPU mining yield per compromised device,” rather than prioritizing the number of infected systems.

Security experts recommend that organizations remain vigilant when downloading software, verify sources before installation, monitor for unusual remote-access activity, and use the indicators of compromise published by Microsoft to strengthen defenses against this evolving threat.