AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites

Microsoft has warned of an active phishing campaign that uses artificial intelligence (AI) chatbot responses as a means of steering users to malicious download sites.

“This growing delivery method extends social engineering beyond traditional search results and increases the visibility of malicious software recommendations,” Microsoft Defender Experts and the Microsoft Defender Security Research Team said in a report published on Tuesday.

The campaign, according to the tech giant, impersonates legitimate system utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear, possibly in an attempt to target users with high-performance GPUs. The idea is to focus on compromised systems with high mining value rather than indiscriminately infecting a large number of machines, it added.

The campaign's goals are not purely financial. The threat actors have also been observed establishing persistent remote access to compromised hosts by deploying ScreenConnect, which can then be used for follow-on operations such as data theft, lateral movement, or ransomware.

The attack chain is more deliberate than traditional cryptocurrency mining efforts, selectively choosing endpoints that maximize GPU mining yield for each compromised device. The Windows maker said it detected and blocked activity related to the campaign.

It all starts when users search for trusted system utilities and hardware monitoring software in search engines, which surface malicious sites promoted through techniques like search engine optimization (SEO) poisoning. Subsequent iterations observed in April 2026 show that users are not directed to these sites by search engine results, but by interacting with tools based on large language models (LLMs).

“In these cases, users asking AI chatbots for software download recommendations were presented with links to attacker-controlled domains within the generated responses,” Microsoft said. “Although this behavior is based on observed patterns and related data sources, it is consistent with emerging strategies in AI search results, which represent an extension of traditional SEO poisoning beyond traditional search engines.”

Each of these sites contains a prominent download button that retrieves a ZIP archive from a dedicated campaign site on gleeze[.]com, hosted on infrastructure associated with Dynu, a dynamic DNS provider often used by malicious actors. More than 150 malicious domains have been identified in connection with the campaign.

The downloaded ZIP file contains the legitimate executable and a malicious DLL (“autorun.dll”) that is sideloaded when the user launches the binary. The DLL is designed to install a second malicious DLL named “vcredist_x64.dll” using “msiexec.exe.” That file is a packaged installer for the ScreenConnect software.

Once ScreenConnect is installed, the client repeatedly attempts to contact the attacker-controlled server at “193.42.11[.]108.” The ScreenConnect session then serves as a conduit for delivering an executable called “SimpleRunPE.exe.”

The binary is responsible for establishing persistence on the host using Registry Run keys and scheduled tasks, configuring Microsoft Defender exclusions, running anti-analysis checks, and using a process injection technique to launch the mining code under a trusted Microsoft-signed binary.

In a variant of the chain, instead of relying on ScreenConnect’s file transfer functionality to drop the binary, a PowerShell script downloads it from a remote server, saves it as “vlc.exe” to fly under the radar, creates a scheduled task to launch it, and then deletes it.

The dropped binary, for its part, communicates with the attacker’s server, sends host-specific information, downloads the appropriate miner archive at runtime, and executes it. Three miner programs are supported by the malware: gminer, lolMiner, and SRBMiner-MULTI.

In addition, the binary recreates its persistence artifacts to survive removal and re-adds the Defender exclusions if they are deleted. It also keeps an eye on running processes and terminates the miner immediately if any of the following are detected:

  • taskmgr.exe (Windows Task Manager)
  • processhacker.exe, processhacker2.exe (Process Hacker)
  • procexp.exe, procexp64.exe (Process Explorer)
  • systeminformer.exe (System Informer)
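Because the miner exits as soon as a process viewer appears, endpoint triage by eye is unreliable; the observable stages of the chain described above are better hunted in telemetry. The following is an added illustration, not code from Microsoft's report: a Python pass over constructed Sysmon-style events that flags the autorun.dll sideload, msiexec being handed a .dll, a scheduled task whose action lives in a user-writable directory (the renamed vlc.exe), a Defender exclusion being added, and contact with the ScreenConnect server named in the report. The Add-MpPreference cmdlet and the user-writable-directory heuristic are assumptions of this example; the report does not say how the exclusions or tasks were created.

```python
import ntpath
import re

# Indicators quoted in the report.
C2_IP = "193.42.11.108"
SIDELOADED_DLL = "autorun.dll"
# Assumed heuristic: task actions under these paths are suspicious for a "vlc.exe".
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def classify(ev):
    """Return the list of rule names one event dict matches (empty if benign)."""
    hits = []
    img = ev.get("image", "").lower()
    cmd = ev.get("command_line", "")
    # 1. msiexec given a .dll instead of an .msi (ScreenConnect installer as vcredist_x64.dll).
    if img.endswith("msiexec.exe") and re.search(r"\.dll\b", cmd, re.I):
        hits.append("msiexec_dll_package")
    # 2. Scheduled task whose action sits in a user-writable directory.
    if img.endswith("schtasks.exe") and "/create" in cmd.lower() and USER_WRITABLE.search(cmd):
        hits.append("schtask_user_writable_action")
    # 3. Defender exclusion added from PowerShell (assumed cmdlet, not stated in the report).
    if img.endswith("powershell.exe") and re.search(r"Add-MpPreference\s+-Exclusion", cmd, re.I):
        hits.append("defender_exclusion_added")
    # 4. Any process loading autorun.dll from its own directory (classic sideload).
    loaded = ev.get("image_loaded", "").lower()
    if loaded.endswith("\\" + SIDELOADED_DLL) and ntpath.dirname(loaded) == ntpath.dirname(img):
        hits.append("autorun_dll_sideload")
    # 5. Outbound connection to the ScreenConnect server named in the report.
    if ev.get("dest_ip") == C2_IP:
        hits.append("screenconnect_c2")
    return hits


def hunt(events):
    """Map event id -> matched rules, dropping events that match nothing."""
    return {ev["id"]: hits for ev in events if (hits := classify(ev))}


# Constructed sample events (not real telemetry); ids 6 and 7 are benign controls.
EVENTS = [
    {"id": 1, "image": r"C:\Users\u\Downloads\CrystalDiskInfo\DiskInfo64.exe",
     "image_loaded": r"C:\Users\u\Downloads\CrystalDiskInfo\autorun.dll"},
    {"id": 2, "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Users\u\AppData\Local\Temp\vcredist_x64.dll" /qn'},
    {"id": 3, "image": r"C:\Program Files (x86)\ScreenConnect Client (PLACEHOLDER)\ScreenConnect.ClientService.exe",
     "dest_ip": "193.42.11.108"},
    {"id": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell -c "Add-MpPreference -ExclusionPath C:\ProgramData"'},
    {"id": 5, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks /create /tn Updater /tr "C:\ProgramData\vlc.exe" /sc onlogon'},
    {"id": 6, "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r'msiexec.exe /i "C:\Users\u\Downloads\7zip.msi" /qn'},
    {"id": 7, "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe", "dest_ip": "203.0.113.5"},
]
```

Running `hunt(EVENTS)` flags events 1 through 5 with one rule each and leaves the two benign events out; in practice the same rules map directly onto Sysmon event IDs 7, 1 and 3.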

“This combination of AI-assisted delivery, software impersonation, and continuous access highlights how threat actors are adapting to social engineering and strategies to monetize modern user behavior,” Microsoft said.

The disclosure comes days after Microsoft detailed how an unknown malicious actor compromised an Internet-facing F5 BIG-IP firewall and abused trusted connections to pivot to an internal Linux host, highlighting the ongoing exploitation of Internet-facing devices as the initial point of access.

The Linux host, the company said, allowed the attacker to conduct extensive reconnaissance and eventually move on to a vulnerable Atlassian Confluence server, although attempts to achieve remote code execution through undocumented security flaws in the software were unsuccessful.

To work around these limitations, the threat actor is said to have set up an FTP server on the original Linux host using Python’s ftplib module to transfer a custom scanning tool to the Confluence server and subsequently obtain authentication credentials for the Windows infrastructure. This was followed by a Kerberos relay attack and exploitation of CVE-2025-33073.

“Since then, the malicious actor compromised the vulnerable SaaS application and used its credentials to perform a relay authentication attack against Active Directory,” it said.

“In this case, a threat actor authenticated to a Linux server via SSH using a privileged account. The threat actor maintained this level of access to all monitored activity without establishing clear persistence mechanisms, emphasizing the vulnerability posed by an overly privileged identity with sudo privileges.”

Earlier this month, Microsoft also shed light on another breach in which attackers abused trusted working relationships and authentication processes to gain long-term access, using a compromised IT service provider and legitimate IT management tools to orchestrate a covert campaign focused on long-term access and data theft.

“Third-party service providers and integrated management tools can be enforcement gaps when visibility is limited or authentication is considered. Threat actors understand this,” said Redmond. “They use legitimate components, trusted update methods, and certified integrations to maintain themselves within seemingly highly compliant environments.”

“Defenders must adopt a posture of intentional authentication. Trust your vendors and use tools, but verify their behavior in your environment. Organizations operating in sensitive sectors must assume that threat actors with this level of trade will continue to refine third-party abuse, evidence suppression, and subtle persistence methods to maintain critical access.”
