Home · Briefs · CTI Daily Brief — 2026-05-28
Microsoft Defender Experts — AI-chatbot search-poisoning extends SEO-poisoning lure; GPU-utility lookalikes drop ScreenConnect, then process-hollowed miners under signed Microsoft binary
From CTI Daily Brief — 2026-05-28 · published 2026-05-28
Microsoft Defender Experts documented an active cryptojacking campaign dating from March 2026 that uses GPU-utility brand impersonation (CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, PDFgear) as initial delivery via SEO poisoning (Microsoft Security Blog, 2026-05-26; The Hacker News, 2026-05-27). The operationally novel evolution is from April 2026: users querying AI chatbots for software-download recommendations were directed to attacker-controlled domains in generated responses — search-poisoning extended into the LLM-generation layer. Delivery chain: (1) fake utility site hosts a ZIP on a gleeze.com subdomain (DDNS via Dynu); (2) ZIP contains the legitimate executable alongside an autorun.dll; (3) DLL side-loading installs vcredist_x64.dll via msiexec.exe — a ScreenConnect packaged installer named to mimic Visual C++ Redistributable; (4) ScreenConnect establishes persistent remote access; (5) the session delivers SimpleRunPE.exe; (6) SimpleRunPE persists via Registry Run keys and scheduled tasks, configures Microsoft Defender exclusions, and uses process hollowing to inject miner code (gminer, lolMiner, SRBMiner-MULTI) into a Microsoft-signed binary. 150+ malicious domains identified since March 2026.