ctipilot.ch

Microsoft Defender Experts

campaign · campaign:microsoft-ai-chatbot-search-poisoning-cryptojacking-screenconnect-process-hollow

Microsoft Defender Experts — AI-chatbot search-poisoning extends SEO lure; GPU-utility lookalikes drop ScreenConnect, then process-hollowed miners (gminer/lolMiner/SRBMiner-MULTI) under signed Microsoft binary

Coverage timeline
  • Coverage timeline: 1 (first 2026-05-28 → last 2026-05-28)
  • Entries: 1 (1 distinct day)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-28 · research · Microsoft Defender Experts — AI-chatbot search-poisoning extends SEO-poisoning lure; GPU-utility lookalikes drop ScreenConnect, then process-hollowed miners under signed Microsoft binary

Where this entity is cited

  • research (1)

Source distribution

  • microsoft.com — 1 (50%)
  • thehackernews.com — 1 (50%)

Entries about Microsoft Defender Experts (1)

2026-05-28

Microsoft Defender Experts — AI-chatbot search-poisoning extends SEO-poisoning lure; GPU-utility lookalikes drop ScreenConnect, then process-hollowed miners under signed Microsoft binary

notable research discovered 2026-05-28 05:00 UTC

Microsoft Defender Experts documented an active cryptojacking campaign dating from March 2026 that uses GPU-utility brand impersonation (CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, PDFgear) as initial delivery via SEO poisoning (Microsoft Security Blog, 2026-05-26; The Hacker News, 2026-05-27). The operationally novel evolution is from April 2026: users querying AI chatbots for software-download recommendations were directed to attacker-controlled domains in generated responses, so search poisoning has been extended into the LLM-generation layer.

Delivery chain:

  1. A fake utility site hosts a ZIP on a gleeze.com subdomain (DDNS via Dynu).
  2. The ZIP contains the legitimate executable alongside an autorun.dll.
  3. DLL side-loading installs vcredist_x64.dll via msiexec.exe — a ScreenConnect packaged installer named to mimic the Visual C++ Redistributable.
  4. ScreenConnect establishes persistent remote access.
  5. The remote session delivers SimpleRunPE.exe.
  6. SimpleRunPE persists via Registry Run keys and scheduled tasks, configures Microsoft Defender exclusions, and uses process hollowing to inject miner code (gminer, lolMiner, SRBMiner-MULTI) into a Microsoft-signed binary.

150+ malicious domains have been identified since March 2026.
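The stages above each leave telemetry a defender can key on: a download from a gleeze.com subdomain, msiexec.exe being handed a .dll-named package from a user-writable path, the SimpleRunPE loader itself, a Defender exclusion write, and a Run-key write. The following Python is an added example (not code from Microsoft, The Hacker News or ctipilot.ch) that turns those observables into simple heuristics and runs them over constructed process, network and registry events. The event schema, the field names, the user path `C:\Users\alice\...` and the host `downloads-example.gleeze.com` are all constructed for illustration; only the indicator names come from the write-up.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the campaign write-up. Everything else in this file
# (event schema, sample paths and hostnames) is constructed for the example.
DDNS_SUFFIX = ".gleeze.com"                      # Dynu DDNS zone used for ZIP hosting
VCREDIST_MIMIC = "vcredist_x64.dll"              # ScreenConnect installer disguised as VC++ redist
STAGE2_LOADER = "simplerunpe.exe"                # loader that hollows a signed Microsoft binary
MINER_NAMES = ("gminer", "lolminer", "srbminer-multi")
DEFENDER_EXCLUSIONS = r"\software\microsoft\windows defender\exclusions"
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?(\\|$)", re.I)
USER_WRITABLE_RE = re.compile(r"(\\users\\|\\temp\\|\\downloads\\|\\appdata\\)", re.I)


def check_event(ev: dict) -> list[str]:
    """Return human-readable findings for one telemetry event (empty list if clean)."""
    findings = []
    kind = ev.get("type")
    if kind == "process":
        image = PureWindowsPath(ev.get("image", "")).name.lower()
        cmd = ev.get("cmdline", "").lower()
        # Stage 3: msiexec installing a package that is named like a DLL and lives
        # in a user-writable location, which legitimate redistributables do not.
        if image == "msiexec.exe" and ".dll" in cmd and USER_WRITABLE_RE.search(cmd):
            findings.append("msiexec installing .dll-named package from user-writable path")
            if VCREDIST_MIMIC in cmd:
                findings.append("package named to mimic Visual C++ Redistributable")
        # Stage 5: the hollowing loader executing under its own name.
        if image == STAGE2_LOADER:
            findings.append("SimpleRunPE loader executed")
        # Miner binaries referenced on any command line.
        for miner in MINER_NAMES:
            if miner in cmd:
                findings.append(f"miner binary referenced: {miner}")
    elif kind == "network":
        # Stage 1: payload fetched from the DDNS zone named in the write-up.
        if ev.get("dst_host", "").lower().endswith(DDNS_SUFFIX):
            findings.append("download from Dynu DDNS (gleeze.com) subdomain")
    elif kind == "registry":
        key = ev.get("key", "").lower()
        # Stage 6: Defender exclusion and Run-key persistence.
        if DEFENDER_EXCLUSIONS in key:
            findings.append("Microsoft Defender exclusion written")
        if RUN_KEY_RE.search(key):
            findings.append("Run-key persistence written")
    return findings


def scan(events) -> list[tuple[int, str]]:
    """Run check_event over a sequence of events; return (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]


# Constructed sample telemetry modelled on the delivery chain, plus one benign msiexec run.
SAMPLE_EVENTS = [
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_host": "downloads-example.gleeze.com"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\HWMonitor\vcredist_x64.dll" /qn'},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\SimpleRunPE.exe",
     "cmdline": "SimpleRunPE.exe"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "value": r"C:\Users\alice\AppData\Local\Temp"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "SimpleRunPE"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Windows\Installer\12345.msi" /qn'},  # benign
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The msiexec heuristic deliberately combines two conditions (a .dll-named package and a user-writable path) so that ordinary installer runs from `C:\Windows\Installer` do not fire; the benign final event in the sample produces no finding. Each heuristic corresponds to one numbered stage above, so hits across several stages on one host indicate the full chain rather than a stray coincidence.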

cryptocrime ai-abuse phishing infostealer global