HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

SEO Poisoning and AI Chatbot Manipulation Drive GPU‑Mining Malware onto High‑Performance PCs

Threat actors are using SEO‑poisoned search results and AI‑chatbot recommendations to deliver a malicious utility bundle that installs ScreenConnect and a custom GPU‑mining payload. The campaign targets owners of high‑performance workstations, posing a resource‑drain and persistence risk for third‑party environments.

LiveThreat™ Intelligence · 📅 May 28, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

SEO Poisoning and AI Chatbot Manipulation Drive GPU‑Mining Malware onto High‑Performance PCs

What Happened – Threat actors launched a coordinated cryptojacking campaign that leverages SEO‑poisoned search results and AI‑chatbot‑generated software recommendations to deliver a malicious ZIP archive. The archive contains legitimate utility installers (e.g., CrystalDiskInfo, HWMonitor) bundled with a malicious DLL that installs the ScreenConnect remote‑access tool and a custom “SimpleRunPE” binary for persistence and GPU mining.

Why It Matters for TPRM

  • The attack vector bypasses traditional email‑phishing defenses, exploiting search engine rankings and AI assistants that vendors may integrate into support portals.
  • Persistent remote‑access tools give adversaries a foothold for further payload delivery, increasing the risk of lateral movement within a third‑party environment.
  • Cryptojacking consumes GPU cycles, degrading performance of critical workloads hosted by SaaS or cloud providers that rely on third‑party compute resources.

Who Is Affected – Companies that provide or consume high‑performance workstations (e.g., AI/ML labs, video rendering farms, engineering firms) and any organization whose employees download common utilities from the web.

Recommended Actions

  • Review and harden web‑gateway filtering for SEO‑poisoned domains and suspicious download URLs.
  • Enforce application‑allow‑list policies for utility software on high‑value endpoints.
  • Verify that remote‑access tools (ScreenConnect, TeamViewer, etc.) are deployed only through approved channels and monitored for anomalous usage.
  • Conduct threat‑intel briefings for staff on safe AI‑assistant interactions and verify software recommendations against trusted vendor sites.

Technical Notes – The malicious ZIP hosts a legitimate utility executable plus a DLL that invokes msiexec.exe to install vcredist_x64.dll, which in turn drops ScreenConnect. A secondary binary, SimpleRunPE.exe, uses process‑hollowing against signed .NET binaries (e.g., InstallUtil.exe) and registers six autostart persistence locations. PowerShell scripts add the malware to Windows Defender exclusions. The campaign is attributed to a financially motivated group focused on GPU cryptomining. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/gpu-mining-malware-spreads-via-seo-poisoning-ai-chatbots/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →