SEO Poisoning and AI Chatbot Manipulation Drive GPU‑Mining Malware onto High‑Performance PCs
What Happened – Threat actors launched a coordinated cryptojacking campaign that leverages SEO‑poisoned search results and AI‑chatbot‑generated software recommendations to deliver a malicious ZIP archive. The archive contains legitimate utility installers (e.g., CrystalDiskInfo, HWMonitor) bundled with a malicious DLL that installs the ScreenConnect remote‑access tool and a custom “SimpleRunPE” binary for persistence and GPU mining.
Why It Matters for TPRM –
- The attack vector bypasses traditional email‑phishing defenses, exploiting search engine rankings and AI assistants that vendors may integrate into support portals.
- Persistent remote‑access tools give adversaries a foothold for further payload delivery, increasing the risk of lateral movement within a third‑party environment.
- Cryptojacking consumes GPU cycles, degrading performance of critical workloads hosted by SaaS or cloud providers that rely on third‑party compute resources.
Who Is Affected – Companies that provide or consume high‑performance workstations (e.g., AI/ML labs, video rendering farms, engineering firms) and any organization whose employees download common utilities from the web.
Recommended Actions –
- Review and harden web‑gateway filtering for SEO‑poisoned domains and suspicious download URLs.
- Enforce application‑allow‑list policies for utility software on high‑value endpoints.
- Verify that remote‑access tools (ScreenConnect, TeamViewer, etc.) are deployed only through approved channels and monitored for anomalous usage.
- Conduct threat‑intel briefings for staff on safe AI‑assistant interactions and verify software recommendations against trusted vendor sites.
Technical Notes – The malicious ZIP hosts a legitimate utility executable plus a DLL that invokes msiexec.exe to install vcredist_x64.dll, which in turn drops ScreenConnect. A secondary binary, SimpleRunPE.exe, uses process‑hollowing against signed .NET binaries (e.g., InstallUtil.exe) and registers six autostart persistence locations. PowerShell scripts add the malware to Windows Defender exclusions. The campaign is attributed to a financially motivated group focused on GPU cryptomining. Source: BleepingComputer