Threat actors are running an SEO poisoning campaign that pushes malicious download pages for popular utilities to compromise high-performance Windows systems and install cryptomining payloads. Microsoft also found that some users were steered to attacker-controlled links by AI chatbots, with the campaign using ScreenConnect, process hollowing, and GPU miners like gminer, lolMiner, and SRBMiner-MULTI. #ScreenConnect #CrystalDiskInfo #HWMonitor #FurMark #KLiteCodecPack #PDFgear #gminer #lolMiner #SRBMinerMULTI #Microsoft
Key points
- Malicious download pages impersonate trusted utilities to infect high-performance systems.
- SEO poisoning and AI chatbot recommendations are both used to drive victims to attacker-controlled domains.
- The malware installs ScreenConnect to maintain persistent remote access on compromised machines.
- SimpleRunPE.exe uses process hollowing and Windows autostart locations to evade detection and persist.
- The campaign ultimately deploys GPU miners such as gminer, lolMiner, and SRBMiner-MULTI to maximize profit.
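A detection-side sketch of the chain these key points describe, added here as an example and not taken from Microsoft's report: it maps constructed Sysmon-style events (process creation and Run-key writes) onto the stages named above and flags a host where an autostart write is followed by a launch of one of the named miners. Process names beyond those in the summary, all paths, and the event layout are assumptions; the process hollowing itself is not detected here.

```python
import re
from dataclasses import dataclass
# Miner, loader and utility names come from the summary; paths and the event layout are constructed.
MINER_NAMES = {"gminer.exe", "lolminer.exe", "srbminer-multi.exe"}
LOADER_NAMES = {"simplerunpe.exe"}
LURE_NAMES = {"crystaldiskinfo", "hwmonitor", "furmark", "k-lite", "pdfgear"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

@dataclass
class Event:
    ts: int           # seconds since epoch (constructed)
    kind: str         # "proc" (Sysmon event 1) or "reg" (Sysmon event 13)
    image: str        # image path of the acting process
    target: str = ""  # registry value written (reg events only)

def classify(ev):
    """Map one event to a stage of the chain, or return None if it looks benign."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if ev.kind == "reg":
        return "persistence" if RUN_KEY.search(ev.target) else None
    if name in MINER_NAMES:
        return "miner"
    if name in LOADER_NAMES:
        return "loader"
    if "screenconnect" in name:
        return "remote_access"
    # a lookalike installer launched out of the user's Downloads folder
    if "\\downloads\\" in ev.image.lower() and any(u in name for u in LURE_NAMES):
        return "lure"
    return None

def detect_chain(events, window=3600):
    """First hit per stage within `window` s of the earliest hit; confirmed when an autostart write precedes a named miner."""
    stages = {}
    for ev in sorted(events, key=lambda e: e.ts):
        label = classify(ev)
        if label and label not in stages:
            stages[label] = ev
    first = min((e.ts for e in stages.values()), default=0)
    hits = {k: v for k, v in stages.items() if v.ts - first <= window}
    confirmed = "persistence" in hits and "miner" in hits and hits["persistence"].ts <= hits["miner"].ts
    return {"stages": sorted(hits), "confirmed": confirmed}

SAMPLE = [  # constructed host timeline in the order the key points describe
    Event(100, "proc", r"C:\Users\u\Downloads\CrystalDiskInfo_Setup.exe"),
    Event(160, "proc", r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe"),
    Event(400, "proc", r"C:\Users\u\AppData\Roaming\SimpleRunPE.exe"),
    Event(401, "reg", r"C:\Users\u\AppData\Roaming\SimpleRunPE.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(450, "proc", r"C:\Users\u\AppData\Roaming\gminer.exe"),
]
```

Feeding the whole timeline reports all five stages and a confirmed chain; a lone miner launch with no preceding autostart write is reported but not confirmed, which is the tuning knob a SOC would adjust.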