AI chatbot recommendations lure users to cryptojacking malware sites

Cybercriminals are using AI chatbot interactions alongside poisoned search results to direct users to malicious download sites in an active cryptojacking campaign, Microsoft has warned.

The campaign impersonates legitimate software tools such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller (DDU), FurMark, K-Lite Codec Pack, and PDFgear.

Screenshot of search engine results showing a malicious source of HWMonitor (Source: Microsoft)

“The selection of these brands is deliberate. Each application is favored by PC enthusiasts and hardware-focused users, precisely the audience most likely to own a high-performance discrete GPU, the hardware that makes GPU cryptocurrency mining economically viable,” the researchers said.

The threat actor appears focused on compromising systems with higher mining value instead of infecting large numbers of devices.

Beyond cryptocurrency mining, the campaign gives attackers persistent remote access to compromised systems through abused ScreenConnect deployments.

ScreenConnect, also known as ConnectWise Control, is a legitimate remote management tool widely used by IT administrators. Researchers warned the access could later support data theft, lateral movement, or ransomware activity.

Attack chain uses DLL sideloading and ScreenConnect

The campaign begins when users search for popular system utility and hardware-monitoring software on search engines and are presented with manipulated results leading to attacker-controlled lookalike websites.

In April 2026, Microsoft identified cases where users were directed to malicious websites through interactions with LLM-based chatbots instead of traditional search engine results.

“In these cases, users querying AI chatbots for software download recommendations were presented with links to attacker-controlled domains within generated responses,” they noted.

Analysis of VirusTotal scans associated with the domains identified traffic metadata referencing chatbot interactions as a potential referral context.

“While this behavior is based on observed patterns and correlated data sources, it’s consistent with emerging techniques in AI search result poisoning, representing an extension of traditional SEO poisoning beyond conventional search engines,” they added.

Each fake website presents a download button for what appears to be a legitimate utility, though the download instead retrieves a malicious ZIP archive hosted on campaign-linked subdomains.

More than 150 domains linked to the operation have been identified since March 2026.

The downloaded ZIP archive contains a legitimate executable for the spoofed utility alongside a malicious DLL file named autorun.dll.

When launched, the program loads the DLL from the same folder through DLL sideloading, a technique that allows malicious code to run through a trusted application while reducing suspicion and visible security warnings. Analysis revealed nine different autorun.dll variants used in the campaign.
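As an added example (not code from Microsoft's report or this article), a small Python triage routine that inspects a downloaded archive, before anything in it is run, for the layout described above: a utility executable sitting beside a DLL such as autorun.dll. The HWMonitor file names and the bytes in the sample archive are constructed placeholders, not real files from the campaign.

```python
import hashlib
import io
import posixpath
import zipfile

SUSPECT_DLL_NAMES = {"autorun.dll"}  # sideloaded DLL name from the report

def triage_zip(data: bytes) -> list:
    """Flag ZIP directories that pair an .exe with a .dll: the layout the
    report describes, where the utility loads the DLL from its own folder.
    Each finding carries DLL SHA-256 hashes for IOC lookup."""
    by_dir, findings = {}, []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            folder, name = posixpath.split(info.filename)
            ext = posixpath.splitext(name)[1].lower()
            if ext in (".exe", ".dll"):
                by_dir.setdefault(folder, {".exe": [], ".dll": []})[ext].append(name)
        for folder, files in by_dir.items():
            if not (files[".exe"] and files[".dll"]):
                continue  # an exe alone or a dll alone is not the sideload pair
            dlls = [{
                "name": name,
                "sha256": hashlib.sha256(zf.read(posixpath.join(folder, name))).hexdigest(),
                "known_sideload_name": name.lower() in SUSPECT_DLL_NAMES,
            } for name in files[".dll"]]
            findings.append({
                "directory": folder or ".",
                "executables": files[".exe"],
                "dlls": dlls,
                "severity": "high" if any(d["known_sideload_name"] for d in dlls) else "medium",
            })
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample in the campaign's layout: a placeholder utility
    executable beside autorun.dll. The bytes are not real PE files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("HWMonitor/HWMonitor.exe", b"MZ placeholder exe")
        zf.writestr("HWMonitor/autorun.dll", b"MZ placeholder dll")
        zf.writestr("HWMonitor/readme.txt", b"not inspected")
    return buf.getvalue()
```

A "medium" finding only says the archive has the exe-plus-DLL shape; the DLL hashes are what you compare against the published IOC list.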

The malicious DLL then uses msiexec.exe to silently install another malicious file named vcredist_x64.dll, disguised as a Visual C++ Redistributable package. The file functions as an installer for ScreenConnect.

“Once the ScreenConnect session is established, the attacker drops a binary named SimpleRunPE.exe directly via ScreenConnect’s file-transfer feature,” the researchers added.

Once executed, SimpleRunPE.exe copies itself into a hidden installation folder under the name RuntimeHost.exe and modifies file attributes to hide the malware from default Windows Explorer views.

In some cases, the attackers used a PowerShell script to download the payload from a remote server, save it locally as “vlc.exe,” create a scheduled task to launch it, and then delete the script to reduce forensic traces.

Malware deploys miners and evades analysis

The final-stage payload communicates with attacker-controlled infrastructure, collects and transmits host information, and downloads cryptocurrency miners at runtime. Analysis showed support for three mining programs: gminer, lolMiner, and SRBMiner-MULTI.

The operation abuses legitimate Windows and Microsoft .NET utilities during execution. Researchers detailed the use of process hollowing to launch mining payloads under trusted Microsoft-signed binaries, a technique in which malicious code is injected into legitimate processes to help conceal execution and evade detection.

The malware monitors for diagnostic and forensic utilities including Windows Task Manager, Process Explorer, Process Hacker, and System Informer. If any of the tools are detected, mining activity is immediately terminated.

The malware also recreates persistence artifacts, including Registry Run keys, and re-configures Defender exclusions in the event they are removed.

Mitigation guidance

The researchers recommend enabling cloud-delivered protection, attack surface reduction rules, and endpoint detection and response protections in block mode, while monitoring for unauthorized Defender exclusion changes and suspicious remote management tool activity.
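An added example, not from the report, of the exclusion monitoring this guidance calls for, covering the self-repair behaviour described in the previous section as well: it parses Defender configuration-change events (Event ID 5007) flattened to one line each, a line format assumed here and adjusted to whatever your collector emits, and flags an exclusion that is added, removed and then re-added within a short window. The log lines, timestamps and the excluded path are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One event per line, as a collector might flatten Defender event 5007
# ("Configuration has changed"). Format is assumed; adjust EVENT_RE to yours.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=5007 .*?Old value:\s*(?P<old>[^|]*)\|\s*New value:\s*(?P<new>.*)$"
)
EXCL_RE = re.compile(
    r"Windows Defender\\Exclusions\\(?P<kind>Paths|Processes|Extensions)\\(?P<item>.+?) = "
)
# Constructed sample: an exclusion is added, an admin removes it, the
# malware re-adds it a minute later; an unrelated exclusion is added too.
SAMPLE_LOG = r"""
2026-04-02T10:15:01 EventID=5007 Old value: | New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\hidden-placeholder = 0x0
2026-04-02T10:40:12 EventID=5007 Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\hidden-placeholder = 0x0 | New value:
2026-04-02T10:41:03 EventID=5007 Old value: | New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\hidden-placeholder = 0x0
2026-04-02T11:00:00 EventID=5007 Old value: | New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\vlc.exe = 0x0
""".strip().splitlines()

def parse_events(lines):
    """Return (timestamp, action, kind, item) for each exclusion add/remove."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        # An exclusion in "Old value" was removed; one in "New value" was added.
        for action, field in (("removed", "old"), ("added", "new")):
            e = EXCL_RE.search(m[field])
            if e:
                events.append((ts, action, e["kind"], e["item"]))
    return events

def find_readded_exclusions(events, window_minutes=60):
    """Flag an exclusion that was added, removed, then added again within the
    window: the self-repair behaviour the report attributes to this malware."""
    history = defaultdict(list)
    for ts, action, kind, item in sorted(events):
        history[(kind, item)].append((ts, action))
    window = timedelta(minutes=window_minutes)
    flagged = []
    for (kind, item), hist in history.items():
        for i in range(len(hist) - 2):
            a, r, b = hist[i], hist[i + 1], hist[i + 2]
            if (a[1], r[1], b[1]) == ("added", "removed", "added") and b[0] - r[0] <= window:
                flagged.append({"kind": kind, "item": item, "readded_at": b[0]})
    return flagged
```

Every "added" event is worth reviewing on its own; the re-add pattern is the higher-confidence signal because a human rarely restores an exclusion within a minute of removing it.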

Microsoft also published a list of indicators of compromise (IOCs) associated with the campaign.
