Threat Feed advisory (severity: high)

GPU Mining Malware Spreads via SEO Poisoning and AI Chatbots

A cryptojacking campaign targets systems with high-performance GPUs. It reaches victims through SEO poisoning and manipulated AI chatbot recommendations, distributes malware disguised as legitimate software utilities, establishes persistence and evades detection, and then deploys GPU mining programs.

A cryptojacking campaign is actively targeting systems with high-performance GPUs. The attackers run a coordinated SEO poisoning operation and manipulate AI chatbot recommendations to spread malware. Initial compromise occurs through malicious download pages that impersonate legitimate software utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. Once a system is infected, the attackers gain persistent access by deploying ScreenConnect, a legitimate remote management tool, and by using process hollowing. The malware also incorporates anti-analysis measures, including VM detection and process whitelisting. The ultimate goal is to download and execute GPU mining programs to maximize cryptocurrency yield. Reports in April 2026 indicated that users were directed to the malicious domains after interacting with AI-based assistants that served the malicious links.

Attack Chain

  1. Users search for legitimate software utilities (e.g., CrystalDiskInfo, HWMonitor) and are directed to malicious download pages via SEO poisoning or AI chatbot recommendations.
  2. The user downloads a ZIP archive from a subdomain of gleeze[.]com, containing the legitimate utility executable and a malicious DLL.
  3. When the user launches the benign executable, the malicious DLL is loaded automatically.
  4. The malicious DLL uses msiexec.exe to install vcredist_x64.dll, which is a package installer for the ScreenConnect remote access tool.
  5. The attacker establishes a ScreenConnect session with the compromised client, allowing remote access and control.
  6. The attacker drops a binary named SimpleRunPE.exe, which copies itself as RuntimeHost.exe into a hidden folder. In some instances, a malicious PowerShell script is used to drop the binary as vlc.exe.
  7. SimpleRunPE.exe establishes six persistence mechanisms across multiple Windows autostart locations and adds its path to the exclusion list in Microsoft Defender via PowerShell.
  8. The malware performs process hollowing into a legitimate .NET binary signed by Microsoft (e.g., InstallUtil.exe, RegAsm.exe) before downloading and executing a GPU mining module (gminer, lolMiner, or SRBMiner-MULTI).

Impact

This campaign aims to maximize GPU mining yield per compromised device by targeting systems with high-performance GPUs. Successful infection leads to unauthorized cryptocurrency mining, consuming system resources, increasing energy costs, and potentially causing system instability. Although the number of victims is unknown, the campaign’s focus on high-yield systems suggests a targeted approach rather than a widespread, indiscriminate attack. The targeted sectors are primarily those with high-performance computing infrastructure, such as gaming, content creation, and research.

Recommendation

  • Block access to the malicious domain gleeze[.]com at the DNS resolver to prevent initial access (IOC table).
  • Deploy the Sigma rule “Detect Suspicious Msiexec Usage for ScreenConnect Installation” to identify malicious use of msiexec.exe (see rule below).
  • Monitor process creation events for SimpleRunPE.exe or RuntimeHost.exe being executed from unusual locations to detect malware execution (see rule below).
  • Implement application control policies to restrict the execution of binaries from untrusted locations.
  • Educate users about the risks of downloading software from unofficial sources and interacting with AI chatbot recommendations for software downloads.
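The first recommendation above, blocking gleeze[.]com at the resolver, as an added Python example written for this page (not code from the advisory or its platform). It refangs the domain exactly as the advisory lists it, matches DNS query names against it as a suffix so that subdomains (the attack chain's download host is a subdomain) match while look-alike names and names that merely contain the string do not, and emits Response Policy Zone records that make the resolver return NXDOMAIN for the domain and everything under it. The log lines, client addresses and the one-query-per-line log layout are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed DNS query log: "timestamp client qname", one query per line.
# These lines and client addresses are made up for this example.
SAMPLE_DNS_LOG = """\
2026-04-02T10:15:01Z 10.0.5.23 update.gleeze.com.
2026-04-02T10:15:03Z 10.0.5.23 GLEEZE.COM
2026-04-02T10:15:07Z 10.0.5.40 www.gleeze.com.example.net
2026-04-02T10:15:09Z 10.0.5.40 notgleeze.com
2026-04-02T10:15:11Z 10.0.5.51 example.org.
"""

# The domain exactly as the advisory lists it, in defanged form.
DEFANGED_DOMAINS = ["gleeze[.]com"]


def refang(domain: str) -> str:
    """Turn a defanged indicator ("gleeze[.]com", "hxxp://...") back into a matchable name."""
    d = domain.strip().lower()
    d = re.sub(r"^hxxps?://", "", d)
    d = d.replace("[.]", ".").replace("(.)", ".")
    return d.rstrip(".")


def normalize_qname(qname: str) -> str:
    """Lower-case and strip the trailing dot so FQDN and relative forms compare equal."""
    return qname.strip().lower().rstrip(".")


def matches_blocklist(qname: str, blocklist: List[str]) -> Optional[str]:
    """Return the blocked domain a query name falls under, or None.

    A name matches only if it is the domain itself or ends with "." + domain,
    so "notgleeze.com" and "gleeze.com.example.net" do not match.
    """
    q = normalize_qname(qname)
    for domain in blocklist:
        if q == domain or q.endswith("." + domain):
            return domain
    return None


def find_blocked_queries(log_text: str, defanged: List[str]) -> List[Tuple[str, str, str]]:
    """Scan log lines and return (client, queried name, matched domain) hits."""
    blocklist = [refang(d) for d in defanged]
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        _timestamp, client, qname = fields[:3]
        matched = matches_blocklist(qname, blocklist)
        if matched:
            hits.append((client, normalize_qname(qname), matched))
    return hits


def rpz_records(defanged: List[str]) -> List[str]:
    """Build Response Policy Zone records returning NXDOMAIN for the domain and all subdomains."""
    records = []
    for d in defanged:
        domain = refang(d)
        records.append(f"{domain} CNAME .")
        records.append(f"*.{domain} CNAME .")
    return records


if __name__ == "__main__":
    for client, name, domain in find_blocked_queries(SAMPLE_DNS_LOG, DEFANGED_DOMAINS):
        print(f"{client} queried {name} (blocked under {domain})")
    print("\n".join(rpz_records(DEFANGED_DOMAINS)))
```

The suffix test is the part worth copying: a plain substring match on "gleeze.com" would both miss nothing and flag names such as notgleeze.com, while a whole-name match would miss the subdomain the campaign actually uses. The RPZ records cover both cases at the resolver.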

Detection coverage (3 rules)

Detect Suspicious Msiexec Usage for ScreenConnect Installation (severity: high)

Detects msiexec.exe installing vcredist_x64.dll, which is a package installer for ScreenConnect, indicating potential malware installation.

Sigma rule. Tactic: initial_access. Technique: T1566.001. Log source: process_creation (windows).

Detect SimpleRunPE.exe or RuntimeHost.exe Execution (severity: medium)

Detects execution of SimpleRunPE.exe or RuntimeHost.exe, potentially indicating the execution of the GPU mining malware.

Sigma rule. Tactic: execution. Technique: T1053.005. Log source: process_creation (windows).

Detect VLC impersonation through file name (severity: medium)

Detects the execution of a binary named vlc.exe from an unexpected location attempting to masquerade as the legitimate VideoLAN media player.

Sigma rule. Tactic: defense_evasion. Technique: T1036. Log source: process_creation (windows).
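The three detection rules above, plus the Defender-exclusion step from the attack chain (step 7), expressed as added Python detection logic run over constructed process-creation records. This is example code written for this page, not the platform's Sigma rules; the records are modelled on Sysmon Event ID 1 fields (Image, CommandLine, ParentImage) and are made up. Two details are assumptions the advisory does not state: the expected VLC install directories, and that the Defender exclusion is added with Add-MpPreference -ExclusionPath (the advisory only says "via PowerShell").

```python
import ntpath
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Constructed process-creation records modelled on Sysmon Event ID 1 fields.
# Paths, parents and command lines are made up for this example.
SAMPLE_EVENTS: List[Event] = [
    {"id": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\u\AppData\Local\Temp\vcredist_x64.dll /qn",
     "ParentImage": r"C:\Users\u\Downloads\utility\setup.exe"},
    {"id": 2, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\u\Downloads\legit-installer.msi /qn",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 3, "Image": r"C:\Users\u\AppData\Roaming\.cache\RuntimeHost.exe",
     "CommandLine": r"RuntimeHost.exe",
     "ParentImage": r"C:\Users\u\Downloads\SimpleRunPE.exe"},
    {"id": 4, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "CommandLine": r'"C:\Program Files\VideoLAN\VLC\vlc.exe" movie.mkv',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 5, "Image": r"C:\Users\Public\Libraries\vlc.exe",
     "CommandLine": r"vlc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 6, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Libraries"',
     "ParentImage": r"C:\Users\Public\Libraries\RuntimeHost.exe"},
]


@dataclass(frozen=True)
class Rule:
    title: str
    level: str
    check: Callable[[Event], bool]


def image_name(event: Event) -> str:
    """Lower-cased file name of the started process (ntpath handles backslashes on any OS)."""
    return ntpath.basename(str(event.get("Image", ""))).lower()


def image_dir(event: Event) -> str:
    """Lower-cased directory the process image was started from."""
    return ntpath.dirname(str(event.get("Image", ""))).lower()


def cmdline(event: Event) -> str:
    return str(event.get("CommandLine", "")).lower()


# Assumed default install directories of the genuine player; the advisory
# only says "unexpected location".
EXPECTED_VLC_DIRS = {
    r"c:\program files\videolan\vlc",
    r"c:\program files (x86)\videolan\vlc",
}

RULES: List[Rule] = [
    Rule("Detect Suspicious Msiexec Usage for ScreenConnect Installation", "high",
         lambda e: image_name(e) == "msiexec.exe" and "vcredist_x64.dll" in cmdline(e)),
    Rule("Detect SimpleRunPE.exe or RuntimeHost.exe Execution", "medium",
         lambda e: image_name(e) in {"simplerunpe.exe", "runtimehost.exe"}),
    Rule("Detect VLC impersonation through file name", "medium",
         lambda e: image_name(e) == "vlc.exe" and image_dir(e) not in EXPECTED_VLC_DIRS),
    # Assumed detail: the advisory says the exclusion is added "via PowerShell";
    # Add-MpPreference -ExclusionPath is the cmdlet that does that.
    Rule("Defender exclusion added from PowerShell (assumed cmdlet)", "medium",
         lambda e: image_name(e) in {"powershell.exe", "pwsh.exe"}
         and "add-mppreference" in cmdline(e) and "-exclusionpath" in cmdline(e)),
]


def detect(event: Event) -> List[Rule]:
    """Every rule that fires on a single event."""
    return [rule for rule in RULES if rule.check(event)]


def run_rules(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Return (event id, rule title, level) for every rule that fires, in event order."""
    alerts = []
    for event in events:
        for rule in detect(event):
            alerts.append((int(event["id"]), rule.title, rule.level))
    return alerts


if __name__ == "__main__":
    for event_id, title, level in run_rules(SAMPLE_EVENTS):
        print(f"[{level}] event {event_id}: {title}")
```

Events 2 and 4 are the control cases: a routine msiexec install and the genuine VLC in its default directory produce no alert, while the vcredist_x64.dll install, RuntimeHost.exe, the stray vlc.exe under Users\Public and the exclusion-adding PowerShell each trigger exactly one rule. Comparing on the image directory rather than on the full command line is what keeps the VLC rule from being defeated by a renamed binary that still passes a plausible-looking argument.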


Indicators of compromise (1)

  Type       Value
  hash_md5   d41d8cd98f00b204e9800998ecf8427e

Note: this value is the MD5 of a zero-byte input, so it matches any empty file; treat it as a placeholder rather than an actionable indicator.