{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/videolan/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Defender","CrystalDiskInfo","HWMonitor","Display Driver Uninstaller","FurMark","K-Lite Codec Pack","PDFgear","ScreenConnect","VideoLAN multimedia player"],"_cs_severities":["high"],"_cs_tags":["cryptojacking","seo-poisoning","process-hollowing","persistence","defense-evasion","gpu-mining","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","VideoLAN"],"content_html":"\u003cp\u003eA cryptojacking campaign is actively targeting systems with high-performance GPUs. The attackers employ a coordinated SEO poisoning operation and manipulate AI chatbot recommendations to spread malware. The initial compromise occurs through malicious download pages that impersonate legitimate software utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. Once a system is infected, the attackers gain persistent access by deploying ScreenConnect, a legitimate remote management tool, and using process hollowing techniques. The malware also incorporates anti-analysis measures, including VM detection and process whitelisting. The ultimate goal is to download and execute GPU mining programs to maximize cryptocurrency yield. Reports in April 2026 indicated that users were directed to malicious domains after interacting with AI-based assistants which served malicious links.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUsers search for legitimate software utilities (e.g., CrystalDiskInfo, HWMonitor) and are directed to malicious download pages via SEO poisoning or AI chatbot recommendations.\u003c/li\u003e\n\u003cli\u003eThe user downloads a ZIP archive from a subdomain of gleeze[.]com, containing the legitimate utility executable and a malicious DLL.\u003c/li\u003e\n\u003cli\u003eWhen the user launches the benign executable, the malicious DLL is loaded automatically.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL uses msiexec.exe to install vcredist_x64.dll, which is a package installer for the ScreenConnect remote access tool.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a ScreenConnect session with the compromised client, allowing remote access and control.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a binary named SimpleRunPE.exe, which copies itself as RuntimeHost.exe into a hidden folder. In some instances, a malicious PowerShell script is used to drop the binary as vlc.exe.\u003c/li\u003e\n\u003cli\u003eSimpleRunPE.exe establishes six persistence mechanisms across multiple Windows autostart locations and adds its path to the exclusion list in Microsoft Defender via PowerShell.\u003c/li\u003e\n\u003cli\u003eThe malware performs process hollowing into a legitimate .NET binary signed by Microsoft (e.g., InstallUtil.exe, RegAsm.exe) before downloading and executing a GPU mining module (gminer, lolMiner, or SRBMiner-MULTI).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis campaign aims to maximize GPU mining yield per compromised device by targeting systems with high-performance GPUs. 
Successful infection leads to unauthorized cryptocurrency mining, consuming system resources, increasing energy costs, and potentially causing system instability. Although the number of victims is unknown, the campaign\u0026rsquo;s focus on high-yield systems suggests a targeted approach rather than a widespread, indiscriminate attack. The targeted sectors are primarily those with high-performance computing infrastructure, such as gaming, content creation, and research.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eBlock access to the malicious domain gleeze[.]com at the DNS resolver to prevent initial access (IOC table).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Msiexec Usage for ScreenConnect Installation\u0026rdquo; to identify malicious use of msiexec.exe (see rule below).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for SimpleRunPE.exe or RuntimeHost.exe being executed from unusual locations to detect malware execution (see rule below).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of binaries from untrusted locations.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of downloading software from unofficial sources and interacting with AI chatbot recommendations for software downloads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T21:33:34Z","date_published":"2026-05-27T21:33:34Z","id":"https://feed.craftedsignal.io/briefs/2026-05-gpu-mining-malware/","summary":"A cryptojacking campaign targets systems with high-performance GPUs using SEO poisoning and manipulated AI chatbot recommendations, distributing malware disguised as legitimate software utilities to establish persistence and evade detection before deploying GPU mining programs.","title":"GPU Mining Malware Spreads via SEO Poisoning and AI Chatbots","url":"https://feed.craftedsignal.io/briefs/2026-05-gpu-mining-malware/"}],"language":"en","title":"CraftedSignal Threat Feed — VideoLAN","version":"https://jsonfeed.org/version/1.1"}