Hackers have found a new way to put your computer to work for them, and you might never notice it happening. Researchers have uncovered an active cryptojacking campaign that deploys GPU mining malware to hijack victims’ graphics cards for cryptocurrency mining. What separates this campaign from similar attacks is the delivery method: poisoned search results and, for the first time, AI chatbot recommendations.
What Is Cryptojacking?
Cryptojacking is a type of attack where criminals secretly use your computer’s processing power to mine cryptocurrency. Unlike ransomware, it does not lock your files or demand payment. The goal is to stay hidden for as long as possible. The malware runs quietly in the background while your hardware does the work and the attacker collects the profit.
Mining cryptocurrency through GPU-intensive methods requires significant computing power. That makes gaming rigs and high-performance workstations the most valuable targets. This campaign built its entire strategy around that fact.
How the Attack Reaches Victims
The campaign targets people who search for common PC utilities. Tools like HWMonitor, FurMark, CrystalDiskInfo, Display Driver Uninstaller, K-Lite Codec Pack, and PDFgear are all legitimate programs popular with PC enthusiasts and hardware-focused users. That audience is also the most likely to own a powerful discrete GPU, which is precisely what GPU mining malware operators want.
Attackers created fake download pages impersonating these tools and pushed them to the top of search results through SEO poisoning. SEO poisoning manipulates search rankings so that malicious sites appear near the top of results, where they look trustworthy at a glance.
The campaign did not stop there. In April 2026, researchers observed something new: AI chatbots were also directing users to these fake sites. When people asked AI assistants for software download recommendations, the chatbots returned links to attacker-controlled domains. Traffic metadata from security scans corroborated these AI-assisted delivery patterns. Researchers describe this as an extension of traditional SEO poisoning beyond conventional search engines.
What Happens After You Download
When a user downloads from one of these fake sites, they receive a ZIP archive containing two things: the real, legitimate utility and a hidden malicious file called autorun.dll.
When the legitimate program runs, it automatically loads autorun.dll from the same folder. This technique is known as DLL sideloading. It requires no special permissions and produces no visible error. The malicious DLL then silently installs ScreenConnect, a legitimate remote management tool that IT administrators use widely. Once installed, ScreenConnect hands the attackers persistent, hidden access to the infected machine.
From there, the attacker delivers another file called SimpleRunPE.exe. This tool injects malicious code into a legitimate Microsoft-signed process so the mining code runs under the identity of a trusted Windows utility. Researchers call this technique process hollowing. The malware targets standard .NET tools for this purpose, including InstallUtil.exe and MSBuild.exe, making the activity harder for security software to flag.
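The sideloading pattern above (a DLL shipped beside the real utility so the utility loads it on start) can be checked for before anything is run. The following PowerShell script is an added example written for this page, not code from the article or from the researchers who documented the campaign. It inspects a downloaded ZIP without extracting it and flags any DLL that sits in the same folder as an executable, then, for an already extracted folder, lists every binary whose Authenticode signature is not valid. The archive and folder paths are placeholders; the only campaign-specific value used is the autorun.dll filename reported in the article.

```powershell
# Added example (not from the article or the researchers): triage a downloaded
# ZIP for the DLL-sideloading layout described above, i.e. a DLL shipped in the
# same folder as the legitimate executable. Paths below are placeholders.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-ZipForSideloadCandidates {
    param([Parameter(Mandatory)][string]$ZipPath)

    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        # Skip directory entries; group the files by the folder they extract into
        $entries = $zip.Entries | Where-Object { -not $_.FullName.EndsWith('/') }
        $byDir = $entries | Group-Object -Property { Split-Path $_.FullName -Parent }
        foreach ($dir in $byDir) {
            $exes = $dir.Group | Where-Object { $_.Name -match '\.exe$' }
            $dlls = $dir.Group | Where-Object { $_.Name -match '\.dll$' }
            # A DLL beside an EXE is the layout the loader will pick up first
            if ($exes -and $dlls) {
                foreach ($dll in $dlls) {
                    $note = if ($dll.Name -ieq 'autorun.dll') {
                        'matches the DLL name reported for this campaign'
                    } else {
                        'unexpected DLL beside executable; verify against the vendor package'
                    }
                    [pscustomobject]@{
                        Directory  = $dir.Name
                        Executable = ($exes.Name -join ', ')
                        Dll        = $dll.Name
                        DllBytes   = $dll.Length   # uncompressed size
                        Note       = $note
                    }
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
}

function Test-ExtractedSignatures {
    # After extraction: report every EXE/DLL whose signature is not 'Valid'
    param([Parameter(Mandatory)][string]$Folder)

    Get-ChildItem -Path $Folder -Recurse -Include *.exe, *.dll | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        [pscustomobject]@{
            File   = $_.FullName
            Status = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer = $signer
        }
    } | Where-Object { $_.Status -ne 'Valid' }
}

# Usage (placeholder paths):
Test-ZipForSideloadCandidates -ZipPath "$env:USERPROFILE\Downloads\HWMonitor.zip" | Format-Table -AutoSize
Test-ExtractedSignatures -Folder "$env:USERPROFILE\Downloads\HWMonitor" | Format-Table -AutoSize
```

Many legitimate utilities ship their own DLLs, so the first function only surfaces candidates for review; comparing the file list against the vendor's official download is the real check. The signature listing is a second, cheaper filter: an unsigned or tampered DLL next to a properly signed executable is exactly the combination this campaign relies on.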
Designed to Stay Hidden
This campaign invested considerable effort into avoiding detection. The GPU mining malware adds itself to Microsoft Defender’s exclusion list, causing antivirus scans to skip past it. It also checks for virtual machine environments and analysis tools before executing. If it detects a debugger or security research software, it shuts down immediately.
Researchers identified more than forty analyst-tool names the malware checks for, including Wireshark, x64dbg, and Ghidra. Six separate persistence mechanisms keep the malware running across reboots: three scheduled tasks, two registry run keys, and a startup folder shortcut. A background routine runs every five seconds. It verifies all six mechanisms are still in place and repairs any that have been removed.
The malware also monitors GPU usage in real time. If it detects active gaming or another GPU-intensive task, it pauses mining. This avoids slowdowns that might alert the user.
What It Actually Does to Your System
Once fully installed, the GPU mining malware connects to an attacker-controlled server. It then sends a detailed profile of the infected system: CPU model, GPU model and temperature, RAM, operating system version, installed antivirus software, the user’s country, and whether administrative privileges are available.
Based on that profile, the malware downloads one of three GPU mining programs: gminer, lolMiner, or SRBMiner-MULTI. All three are GPU-focused tools. Attackers chose them specifically to maximise mining yield on high-performance hardware.
Since March 2026, researchers have identified more than 150 malicious domains linked to this campaign. Microsoft Defender has detected and blocked activity associated with the threat. Indicators of compromise are available for security teams to review.
The AI Angle Changes the Risk Picture
SEO poisoning is not a new threat. Criminals have gamed search rankings to serve malicious downloads for years. What changed here is the delivery surface.
AI chatbots now serve as a trusted source of recommendations for millions of people. This campaign exploited that trust directly. When someone searches the web in a browser, they can often spot warning signs: unfamiliar domains, missing HTTPS, suspicious URLs. When someone asks an AI assistant and receives a confident-sounding recommendation with a download link, those signals disappear. The answer arrives formatted as helpful guidance, not as a search result to scrutinise.
This marks a meaningful shift in how GPU mining malware can spread. It also raises serious questions about how AI tools vet the sources they surface in generated responses.
Final Thoughts
This campaign is a useful reminder that the safest place to download software is always the developer’s official website. Search results and AI recommendations are not reliable sources for software downloads. If you need a tool like HWMonitor or FurMark, go directly to the publisher’s site.
For anyone running a high-performance system, check whether ScreenConnect or any unfamiliar remote access tool has appeared without your knowledge. Unexpected remote management software is one of the clearest signs of compromise. A VPN will not block this type of attack, but behavioural detection software and good download hygiene go a long way toward keeping your system safe.
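The article names the malware's footprint on a host: three scheduled tasks, two registry run keys and a startup-folder shortcut, a Microsoft Defender exclusion for itself, and ScreenConnect installed as the remote access channel. The PowerShell script below is an added example for this page, not the article's or the researchers' code, that inventories exactly those places so an unfamiliar entry stands out. It assumes an elevated Windows PowerShell or PowerShell 7 session on a host with the ScheduledTasks and Defender modules (Windows 8 / Server 2012 and later); the ScreenConnect name pattern is the one tool the article identifies, and the list is written so other remote access tools can be appended.

```powershell
# Added example (not from the article or the researchers): inventory the
# autostart locations, Defender exclusions and remote access tools that the
# campaign described above touches. Run from an elevated PowerShell session.

function Get-AutostartInventory {
    # 1. Scheduled tasks: list every action so unexpected binaries are visible
    $tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $t = $_
        foreach ($a in $t.Actions) {
            [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($t.TaskPath)$($t.TaskName)"
                Command = "$($a.Execute) $($a.Arguments)".Trim()
            }
        }
    }

    # 2. Registry Run / RunOnce keys for the machine and the current user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $reg = foreach ($k in $runKeys) {
        if (Test-Path $k) {
            $props = Get-ItemProperty -Path $k
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PSPath/PSParentPath/... bookkeeping properties
                if ($p.Name -notmatch '^PS') {
                    [pscustomobject]@{ Source = 'RunKey'; Name = "$k\$($p.Name)"; Command = [string]$p.Value }
                }
            }
        }
    }

    # 3. Startup folders (per-user and all-users); resolve .lnk targets
    $startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
    $shell = New-Object -ComObject WScript.Shell
    $startup = foreach ($d in $startupDirs) {
        Get-ChildItem -Path $d -File -ErrorAction SilentlyContinue | ForEach-Object {
            $target = if ($_.Extension -ieq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
            [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.FullName; Command = $target }
        }
    }

    @($tasks) + @($reg) + @($startup)
}

function Get-DefenderExclusions {
    # The malware adds itself to the exclusion list; anything here deserves a reason
    $pref = Get-MpPreference
    [pscustomobject]@{
        Paths      = $pref.ExclusionPath
        Processes  = $pref.ExclusionProcess
        Extensions = $pref.ExclusionExtension
    }
}

function Find-RemoteAccessTools {
    # ScreenConnect is the tool named in this campaign; extend the list as needed
    $patterns = @('ScreenConnect*')
    foreach ($p in $patterns) {
        Get-Service -Name $p -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Detail = [string]$_.Status }
        }
        Get-Process -Name $p -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Kind = 'Process'; Name = $_.ProcessName; Detail = $_.Path }
        }
    }
}

# Review anything whose Command points into a user-writable location
# (Temp, AppData, ProgramData) or whose name you do not recognise.
Get-AutostartInventory | Sort-Object Source, Name | Format-Table -AutoSize
Get-DefenderExclusions | Format-List
Find-RemoteAccessTools | Format-Table -AutoSize
```

Because the article reports a routine that re-creates any removed persistence entry every five seconds, the order of cleanup matters: stop the running processes (and the ScreenConnect service, if it was not installed by you) before deleting tasks, run keys and shortcuts, then re-run the inventory to confirm nothing has been restored.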