Poisoned Search and AI Recommendations Turn Utility Downloads Into RMM Access

[Featured image: editorial illustration of poisoned search and AI recommendations leading to fake utility downloads and remote access abuse (generated with Midjourney for this Bulwark Black analysis).]

Microsoft Defender Experts reported an active cryptojacking campaign that is worth watching because it combines three trends defenders are already struggling with: poisoned search results, AI-assisted software recommendations, and abuse of legitimate remote management tooling.

The campaign does not rely on a novel browser exploit or a flashy zero-day. It wins by placing fake download pages in front of users looking for common utilities such as hardware monitors, display-driver tools, codec packs, and PDF software. That matters because the target audience is likely to have high-performance GPUs — exactly the systems that make cryptocurrency mining profitable.

Original source: Microsoft Security Blog — From poisoned search results to GPU mining.

What Microsoft reported

Microsoft observed malicious lookalike download sites impersonating trusted utility brands and delivering ZIP archives that contain a legitimate executable alongside a malicious DLL. When the user runs the legitimate executable, it loads the attacker's DLL from the same directory (DLL side-loading), so the attacker's code runs without any obvious warning to the user.

The next stage silently installs a ScreenConnect client configured to connect back to attacker-controlled infrastructure. ScreenConnect is a legitimate remote monitoring and management tool, but in this case it gives the operator persistent hands-on access that can be used for more than mining. Once remote access is established, the attacker deploys a loader that uses process hollowing against Microsoft-signed .NET utilities, creates multiple persistence mechanisms, attempts Microsoft Defender exclusions, performs anti-analysis checks, and downloads GPU mining tools at runtime.

The most important detail is the delivery path. Microsoft noted that malicious domains were not only surfaced through traditional SEO poisoning, but also appeared in AI chatbot-style software recommendation flows based on observed referral patterns. In practice, that means “I asked an AI tool where to download this utility” can become part of the initial-access story.

Why this matters for SMBs and government contractors

This is not just a gamer-PC cryptominer story. It is a trusted-path abuse story.

  • Search and AI recommendations are now part of the attack surface. Users increasingly treat generated answers and high-ranked search results as trust signals. Attackers are optimizing for that behavior.
  • RMM tools create post-compromise optionality. Even if the visible monetization is mining, persistent ScreenConnect access can support credential theft, staging, lateral movement, or ransomware preparation.
  • Legitimate binaries reduce user suspicion. DLL side-loading through a real utility gives victims the expected application while the compromise happens in the background.
  • GPU-rich endpoints are business assets. Engineering workstations, design systems, AI development rigs, and lab machines are attractive because they combine compute value with access to internal resources.

Defensive takeaways

1. Treat software download paths as controlled infrastructure

Do not rely on users to identify the correct download link from search results. Maintain approved software sources, publish internal install instructions, and route common utilities through endpoint management or a documented software portal.

2. Put RMM tools under explicit allowlisting

If the business uses ScreenConnect, AnyDesk, TeamViewer, Splashtop, or similar tools, document the approved tenants, domains, certificates, and installer hashes. Alert on unmanaged RMM clients, unexpected service creation, or outbound connections to unknown RMM infrastructure.
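One way to operationalize that allowlist, as an added example that is not part of the original post or the Microsoft report: a small Python check that compares observed RMM client connections against approved relay domains and client-binary hashes, and flags lookalike relays, unknown binaries, and tools that were never approved. The process names, domains, hashes and sample telemetry are constructed placeholders.

```python
# Check RMM client activity against an explicit allowlist.
# Tool names, process names, domains, hashes and telemetry are constructed placeholders.

# Approved tools: relay domains the client may contact and SHA-256 hashes of approved
# client binaries (placeholder values; populate from your own change records).
APPROVED_RMM = {
    "ScreenConnect": {"domains": {"relay.example-msp.com"}, "hashes": {"a" * 64}},
}
# Process names that identify an RMM client (assumed list; extend as needed).
RMM_PROCESSES = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
}


def domain_allowed(domain, approved):
    """True if domain equals an approved domain or is a subdomain of one (not a lookalike)."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in approved)


def check_rmm_event(event):
    """Return review findings for one outbound-connection event.

    event: dict with process (image name), sha256 (of that image), dest_domain.
    """
    tool = RMM_PROCESSES.get(event["process"].lower())
    if tool is None:
        return []  # not an RMM client we track
    policy = APPROVED_RMM.get(tool)
    if policy is None:
        return [f"{tool}: RMM tool is not approved in this environment"]
    findings = []
    if event["sha256"].lower() not in policy["hashes"]:
        findings.append(f"{tool}: client binary hash is not on the approved list")
    if not domain_allowed(event["dest_domain"], policy["domains"]):
        findings.append(f"{tool}: connection to unapproved relay {event['dest_domain']}")
    return findings


# Constructed telemetry: an approved session, a lookalike relay with an unknown
# binary, and an RMM tool the organisation never approved.
SAMPLE_EVENTS = [
    {"process": "ScreenConnect.ClientService.exe", "sha256": "a" * 64,
     "dest_domain": "relay.example-msp.com"},
    {"process": "ScreenConnect.ClientService.exe", "sha256": "b" * 64,
     "dest_domain": "relay.example-msp.com.lookalike.invalid"},
    {"process": "AnyDesk.exe", "sha256": "c" * 64, "dest_domain": "relay.unknown.invalid"},
]
```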

3. Hunt for persistence that pretends to be system health

Microsoft described scheduled tasks, Run keys, and Startup folder shortcuts using system-health style naming. Defenders should review new autostarts that launch from user-writable locations, especially paths under AppData or hidden cache directories.

4. Monitor Defender exclusion changes

Attempts to add Microsoft Defender exclusions through PowerShell are high-signal events in many environments. Alert on suspicious Add-MpPreference usage, especially when exclusions reference miner names, newly created cache folders, or unexpected .NET framework utilities.

5. Watch signed .NET utilities for abnormal child behavior

Process hollowing into signed Microsoft utilities is designed to blend in. Look for unusual network connections, GPU miner launches, or suspicious parent-child relationships involving utilities such as InstallUtil.exe, RegAsm.exe, RegSvcs.exe, and MSBuild.exe.
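An added example covering takeaways 3, 4 and 5 (not code from the original post or the Microsoft report): Python triage logic that parses Add-MpPreference exclusions out of logged PowerShell script-block text and scores each exclusion target or autostart command for user-writable paths, miner-like or system-health style names, and the signed .NET utilities listed above. The keyword lists, the user-writable path pattern and the sample inputs are assumptions constructed for illustration.

```python
import re

# Detection helpers for Defender exclusion commands and new autostart entries.
# Keyword lists and path patterns are assumptions for illustration; samples are constructed.
USER_WRITABLE = re.compile(r"(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\")  # assumed
DOTNET_UTILS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe"}  # from the report
MINER_KEYWORDS = ("xmrig", "miner", "nicehash")  # assumed miner-name substrings
HEALTH_WORDS = ("health", "diagnostic", "monitor")  # assumed "system health" lure words
# Captures the value after -ExclusionPath / -ExclusionProcess / -ExclusionExtension.
EXCL_RE = re.compile(r'''(?i)-Exclusion(Path|Process|Extension)\s+(?:"([^"]*)"|'([^']*)'|(\S+))''')


def parse_exclusions(script_text):
    """Return [(kind, value), ...] for an Add-MpPreference script block; [] otherwise."""
    if not re.search(r"(?i)\bAdd-MpPreference\b", script_text):
        return []
    found = []
    for m in EXCL_RE.finditer(script_text):
        raw = m.group(2) or m.group(3) or m.group(4) or ""
        found += [(m.group(1).lower(), v.strip()) for v in raw.split(",") if v.strip()]
    return found


def assess_value(kind, value):
    """Reasons one exclusion target or autostart command deserves analyst review."""
    low = value.lower()
    reasons = []
    if USER_WRITABLE.search(value):
        reasons.append("user-writable location")
    if any(k in low for k in MINER_KEYWORDS):
        reasons.append("miner-like name")
    if any(w in low for w in HEALTH_WORDS):
        reasons.append("system-health style naming")
    if kind == "process" and low.rsplit("\\", 1)[-1] in DOTNET_UTILS:
        reasons.append("signed .NET utility excluded")
    return reasons


def triage_script_block(script_text):
    """Map each suspicious exclusion in script-block text (e.g. Event ID 4104) to its reasons."""
    results = {}
    for kind, value in parse_exclusions(script_text):
        reasons = assess_value(kind, value)
        if reasons:
            results[f"{kind}:{value}"] = reasons
    return results


# Constructed samples: a logged PowerShell script block and a new Run-key command line.
SAMPLE_SCRIPT = ("Add-MpPreference -ExclusionPath 'C:\\Users\\bob\\AppData\\Local\\SysHealthCache' "
                 "-ExclusionProcess InstallUtil.exe,xmrig.exe")
SAMPLE_AUTOSTART = r"C:\Users\bob\AppData\Local\SysHealthCache\healthsvc.exe"
```

Feed `triage_script_block` with script-block text from PowerShell logging and `assess_value("autostart", command)` with new Run-key, scheduled-task or Startup-folder targets; an empty result means nothing matched, not that the entry is benign.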

Bulwark Black assessment

The campaign shows how modern commodity intrusion is converging: search manipulation, AI-discovered links, legitimate remote access software, living-off-the-land binaries, and compute monetization all in one chain. The attacker does not need to break the perimeter if they can convince a user to install the “right” utility from the wrong place.

For small businesses and contractors, the practical answer is not “tell users to be careful.” The answer is to make the safe path easier than the risky path: managed software distribution, RMM governance, endpoint controls, and detections for persistence and Defender tampering. If your organization cannot quickly answer which remote access tools are authorized and where users are allowed to download software from, this campaign is a good reason to fix that now.