Cryptojacking campaign leverages SEO poisoning, AI chatbots, and ScreenConnect for GPU mining
Active campaign impersonates system utilities via poisoned search results and LLM-generated responses to deliver GPU mining malware and establish persistent remote access through ScreenConnect abuse.
Attack Brief
Target: End-users searching for system utilities (CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, PDFgear); organizations with high-performance GPU infrastructure
Vector: SEO poisoning of search engine results; AI chatbot-generated malicious download links; DLL sideloading via legitimate utility executables; silent ScreenConnect installation
Attribution: unattributed
Technical Details
MITRE ATT&CK: T1598, T1566, T1036, T1574.002, T1218.009, T1547.001
IoCs: gleeze.com (malicious ZIP archive hosting subdomain); dynu.com (dynamic DNS provider hosting parent domain); autorun.dll (malicious DLL variant, nine distinct versions identified); vcredist_x64.dll (ScreenConnect installer masquerading as Visual C++ Redistributable)
Affected: Campaign active since March 2026; over 150 malicious domains identified as of May 2026
Impact
Affected Organisations: unattributed
Confirmed Damage: GPU cryptocurrency mining; persistent remote access established via ScreenConnect enabling potential data theft, lateral movement, and ransomware deployment
Mitigation
Workarounds: Enable cloud-delivered protection; run EDR in block mode; enable attack surface reduction rules; validate software downloads from official vendor sources only; implement DNS filtering for known malicious domains
Detection: Monitor for DLL sideloading of autorun.dll alongside legitimate utility executables; detect msiexec.exe execution of vcredist_x64.dll; hunt for ScreenConnect installation via silent MSI execution; monitor for gleeze.com and dynu.com subdomain traffic
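The detection points above applied to endpoint telemetry, as an added example that is not part of the original brief. It assumes events arrive as Sysmon-style dicts (EventID 1 process creation, 7 image load, 22 DNS query); the function names and the sample events are constructed for illustration.

```python
import ntpath

# Indicators taken from the brief above.
WATCHED_DNS_SUFFIXES = ("gleeze.com", "dynu.com")
SIDELOADED_DLL = "autorun.dll"
FAKE_REDIST = "vcredist_x64.dll"

def classify(event):
    """Return a finding label for one Sysmon-style event dict, or None."""
    eid = event.get("EventID")
    if eid == 1:  # process creation
        image = ntpath.basename(event.get("Image", "")).lower()
        cmdline = event.get("CommandLine", "").lower()
        if image == "msiexec.exe" and FAKE_REDIST in cmdline:
            return "msiexec_runs_vcredist_dll"
    elif eid == 7:  # image (DLL) load
        loaded = event.get("ImageLoaded", "").lower()
        loader_dir = ntpath.dirname(event.get("Image", "")).lower()
        # Sideloading: the DLL sits beside the executable that loads it.
        if (ntpath.basename(loaded) == SIDELOADED_DLL
                and ntpath.dirname(loaded) == loader_dir):
            return "autorun_dll_sideload"
    elif eid == 22:  # DNS query
        name = event.get("QueryName", "").lower().rstrip(".")
        for suffix in WATCHED_DNS_SUFFIXES:
            # Match the domain or a subdomain, not lookalikes such as "notgleeze.com".
            if name == suffix or name.endswith("." + suffix):
                return "dns_" + suffix
    return None

def hunt(events):
    """Return (index, finding) pairs for every event that matches."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]

# Constructed sample events (not real telemetry); paths and hostnames are made up.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\a\Downloads\tool\utility.exe",
     "ImageLoaded": r"C:\Users\a\Downloads\tool\autorun.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\a\AppData\Local\Temp\vcredist_x64.dll /qn"},
    {"EventID": 22, "QueryName": "files.example.gleeze.com"},
    {"EventID": 22, "QueryName": "notgleeze.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Temp\vc_redist.x64.msi /qn"},
]

if __name__ == "__main__":
    for index, finding in hunt(SAMPLE_EVENTS):
        print(index, finding)
```

Because the brief lists dynu.com as a dynamic DNS provider, a dns_dynu.com hit is a lead to triage alongside the other two signals.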
Context
Similar Attacks: Campaign represents evolution of traditional cryptojacking tactics by targeting high-value GPU-equipped systems rather than maximizing infection volume; extends SEO poisoning to AI chatbot-generated recommendations