HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

AI Chatbot Poisoning Fuels Cryptojacking and Remote‑Access Malware Campaign

Cybercriminals are leveraging AI‑driven chatbot responses to serve malicious download links for popular system‑utility tools. The delivered payload installs a cryptomining miner and hijacks ScreenConnect for persistent remote access, exposing organizations to cost inflation and further compromise.

LiveThreat™ Intelligence · 📅 May 28, 2026· 📰 helpnetsecurity.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
3 recommended
📰
Source
helpnetsecurity.com

AI Chatbot Recommendations Drive Cryptojacking and Remote‑Access Malware Campaign

What Happened — Cybercriminals are poisoning AI‑driven chatbot responses and search results to push users toward look‑alike download sites for popular system‑utility tools. The sites deliver a legitimate‑looking installer bundled with a malicious DLL that installs cryptojacking miners and hijacks ScreenConnect (ConnectWise Control) for persistent remote access.

Why It Matters for TPRM

  • The attack vector bypasses traditional web‑filtering by leveraging trusted AI interfaces, expanding the attack surface of third‑party SaaS tools.
  • Compromised endpoints can be turned into cryptocurrency miners, inflating operational costs and exposing organizations to further ransomware or data‑theft stages via abused remote‑access tools.
  • Over 150 malicious domains have been identified, indicating a rapidly scaling supply‑chain style campaign that can affect any vendor relying on AI chat assistance for software recommendations.

Who Is Affected — Technology & SaaS providers, MSPs, endpoint‑security vendors, and any organization whose users download system utilities or rely on remote‑management platforms.

Recommended Actions

  • Instruct users to obtain software only from verified vendor portals; block AI‑generated download links via web‑proxy policies.
  • Harden ScreenConnect deployments: enforce MFA, restrict inbound connections, and monitor for unauthorized DLL loads.
  • Deploy endpoint detection that flags DLL sideloading patterns and unexpected cryptomining processes.

Technical Notes — The campaign uses DLL sideloading to execute a malicious autorun.dll alongside a spoofed utility executable. Cryptojacking payload mines GPU‑intensive coins, while the compromised ScreenConnect agent provides persistent C2 and a foothold for lateral movement. The initial lure originates from AI chatbot responses that embed malicious URLs, an evolution of SEO poisoning. Source: Help Net Security

📰 Original Source
https://www.helpnetsecurity.com/2026/05/27/ai-chatbot-cryptojacking-campaign/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →