AI Chatbot Recommendations Drive Cryptojacking and Remote‑Access Malware Campaign
What Happened — Cybercriminals are poisoning AI‑driven chatbot responses and search results to push users toward look‑alike download sites for popular system‑utility tools. The sites deliver a legitimate‑looking installer bundled with a malicious DLL that installs cryptojacking miners and hijacks ScreenConnect (ConnectWise Control) for persistent remote access.
Why It Matters for TPRM —
- The attack vector bypasses traditional web‑filtering by leveraging trusted AI interfaces, expanding the attack surface of third‑party SaaS tools.
- Compromised endpoints can be turned into cryptocurrency miners, inflating operational costs and exposing organizations to further ransomware or data‑theft stages via abused remote‑access tools.
- Over 150 malicious domains have been identified, indicating a rapidly scaling supply‑chain style campaign that can affect any vendor relying on AI chat assistance for software recommendations.
Who Is Affected — Technology & SaaS providers, MSPs, endpoint‑security vendors, and any organization whose users download system utilities or rely on remote‑management platforms.
Recommended Actions —
- Instruct users to obtain software only from verified vendor portals; block AI‑generated download links via web‑proxy policies.
- Harden ScreenConnect deployments: enforce MFA, restrict inbound connections, and monitor for unauthorized DLL loads.
- Deploy endpoint detection that flags DLL sideloading patterns and unexpected cryptomining processes.
Technical Notes — The campaign uses DLL sideloading to execute a malicious autorun.dll alongside a spoofed utility executable. Cryptojacking payload mines GPU‑intensive coins, while the compromised ScreenConnect agent provides persistent C2 and a foothold for lateral movement. The initial lure originates from AI chatbot responses that embed malicious URLs, an evolution of SEO poisoning. Source: Help Net Security