{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/dynu/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ScreenConnect"],"_cs_severities":["high"],"_cs_tags":["cryptojacking","seo-poisoning","screenconnect","dll-sideloading"],"_cs_type":"advisory","_cs_vendors":["Microsoft","ConnectWise","Dynu"],"content_html":"\u003cp\u003eMicrosoft Defender Experts identified an active cryptojacking campaign targeting users likely to own high-performance GPUs. This campaign leverages SEO poisoning and, more recently, AI chatbot interactions to deliver malicious software. Attackers impersonate trusted system utilities like CrystalDiskInfo, HWMonitor, and others to lure users into downloading malware. Instead of maximizing infection volume, the threat actor focuses on compromising systems with higher mining value. The campaign establishes persistent remote access through abused ScreenConnect deployments, potentially leading to data theft, lateral movement, or ransomware activity. Since March 2026, over 150 malicious domains have been identified serving these malicious tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUsers search for common system utilities or hardware-monitoring software (e.g., CrystalDiskInfo, HWMonitor) on search engines or request software recommendations from AI chatbots.\u003c/li\u003e\n\u003cli\u003eManipulated search results or chatbot responses direct users to attacker-controlled lookalike sites.\u003c/li\u003e\n\u003cli\u003eThe user clicks a download button on the fake site, which retrieves a ZIP archive hosted on a campaign-specific subdomain of gleeze.com.\u003c/li\u003e\n\u003cli\u003eThe ZIP archive contains a legitimate executable for the spoofed utility and a malicious DLL named autorun.dll.\u003c/li\u003e\n\u003cli\u003eWhen the user launches the executable, the legitimate program loads autorun.dll from the same folder via DLL sideloading.\u003c/li\u003e\n\u003cli\u003eThe malicious autorun.dll uses msiexec.exe to silently install a second malicious DLL named vcredist_x64.dll, which is a packaged installer for ScreenConnect.\u003c/li\u003e\n\u003cli\u003eThe ScreenConnect client is installed and attempts to communicate with the attacker-controlled server at 193.42.11[.]108.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent remote access to the compromised system, enabling cryptocurrency mining and potential further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis campaign targets users with high-performance GPUs to maximize cryptocurrency mining yield. Successful compromise leads to unauthorized resource consumption and potential financial losses for the victim. The established persistent remote access through ScreenConnect could also enable data theft, lateral movement within the network, or ransomware deployment, resulting in significant damage and disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable cloud-delivered protection and run EDR in block mode in Microsoft Defender to detect and block activity associated with this campaign.\u003c/li\u003e\n\u003cli\u003eEnable attack surface reduction rules in Microsoft Defender to reduce the risk of DLL sideloading, as described in the attack chain.\u003c/li\u003e\n\u003cli\u003eBlock the domain \u003ccode\u003egleeze.com\u003c/code\u003e and IP address \u003ccode\u003e193.42.11[.]108\u003c/code\u003e at the network perimeter, as mentioned in the IOC table.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003emsiexec.exe\u003c/code\u003e installing DLLs masquerading as Visual C++ Redistributable (vcredist_x64.dll), and deploy the related Sigma rule to detect suspicious installations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T22:09:09Z","date_published":"2026-05-26T22:09:09Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cryptojacking-screenconnect/","summary":"An active cryptojacking campaign uses SEO poisoning, AI chatbot interactions, and ScreenConnect abuse to target high-performance PCs, aiming to maximize GPU mining yield and establish persistent remote access for potential data theft or ransomware attacks.","title":"Cryptojacking Campaign Abusing ScreenConnect and SEO Poisoning","url":"https://feed.craftedsignal.io/briefs/2026-05-cryptojacking-screenconnect/"}],"language":"en","title":"CraftedSignal Threat Feed — Dynu","version":"https://jsonfeed.org/version/1.1"}