GPU mining malware spreads via SEO poisoning and AI chatbots

Craig Nash
By
Craig Nash
Tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.
10 Min Read
GPU mining malware spreads via SEO poisoning and AI chatbots

GPU mining malware is spreading to high-performance Windows PCs through a coordinated campaign that exploits both search engine poisoning and artificial intelligence chatbot recommendations, according to Microsoft security researchers. The threat targets gamers and users with powerful graphics cards by disguising malicious installers as legitimate system utilities, then deploys cryptocurrency mining tools that silently consume GPU resources.

Key Takeaways

  • GPU mining malware spreads via fake downloads of CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear.
  • Campaign uses SEO poisoning to surface attacker-controlled lookalike sites in search results and AI chatbot responses.
  • Malicious ZIP archives deploy ScreenConnect remote access, RunPE process hollowing, and GPU miners including gminer and lolMiner.
  • Microsoft Defender detected and blocked activity; users should verify download sources and avoid clicking chatbot-recommended software links.
  • Campaign targets high-end PC users whose discrete GPUs make cryptocurrency mining economically profitable for attackers.

How the GPU Mining Malware Campaign Works

The attack chain begins when users search for common PC utilities or ask AI chatbots where to download system-monitoring software. Instead of reaching legitimate vendor sites, victims land on attacker-controlled lookalike domains that impersonate trusted tools. The fake sites present a download button that appears to offer the real utility but instead delivers a trojanized ZIP archive hosted on gleeze.com subdomains. Once extracted and executed, the installer deploys a malicious DLL that sideloads into a legitimate application, then retrieves ScreenConnect remote access software. Attackers use ScreenConnect to launch a custom RunPE dropper that hollows out Microsoft-signed .NET binaries and injects the mining payload. The final stage downloads GPU-focused cryptocurrency miners such as gminer, lolMiner, and SRBMiner-MULTI. The malware maintains persistence through scheduled tasks, registry Run keys, and startup shortcuts while adding Windows Defender exclusions to evade detection.

AI Chatbots Become an Unexpected Attack Vector

The most concerning element of this campaign is its exploitation of large language model-based tools. Microsoft reported that in April 2026, some users searching AI chatbots for software download recommendations received links to attacker-controlled domains in the generated responses. VirusTotal traffic metadata associated with the malicious domains referenced chatbot interactions as a possible referral context. This represents a novel abuse vector—attackers are not hacking the chatbots themselves but are poisoning the web results the models retrieve and present to users. When a chatbot aggregates search results to answer a user’s question about where to download a utility, it may surface poisoned links without recognizing them as malicious. Users trust chatbot recommendations more readily than random search results, making this attack particularly effective against technically inexperienced users. The campaign demonstrates that AI tools can amplify the reach of traditional web-based threats if those tools rely on unvetted sources.

Why High-End PC Users Are the Target

Attackers specifically target high-performance PCs with powerful discrete GPUs because cryptocurrency mining on consumer hardware is only profitable at scale when the GPU is high-end. A gaming laptop with an RTX 4090 or workstation with multiple discrete cards generates far more mining revenue than a system with integrated graphics. Gamers and content creators—the primary users of high-end discrete GPUs—are also frequent searchers for system utilities and driver management tools, making them ideal targets for SEO poisoning campaigns. The attacker chose to impersonate six specific utilities: CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. These are exactly the tools hardware-focused users search for when maintaining or troubleshooting their systems. By poisoning results for these utilities, the campaign casts a wide net across the gaming and professional PC communities.

Infrastructure and Persistence Mechanisms

The campaign’s command-and-control infrastructure relies on gleeze.com, a domain hosted by Dynu, a dynamic DNS provider frequently leveraged by threat actors. After the mining payload is injected, the malware establishes a persistent C2 channel over a WebSocket connection to wss://minemine.gleeze.com:8443/ws. The use of dynamic DNS allows attackers to change IP addresses without losing connectivity, making takedowns difficult. Persistence is maintained through multiple redundant mechanisms: scheduled tasks, registry Run keys, and startup shortcuts. This layered approach ensures the miner survives reboots and simple removal attempts. The malware also adds Windows Defender exclusions to reduce the likelihood of detection by Windows Defender. These defense evasion tactics suggest a sophisticated operator with experience in avoiding endpoint security tools.

How This Campaign Compares to Other Cryptojacking Threats

Cryptojacking campaigns have existed for years, but this one stands out for its multi-vector delivery approach. Traditional cryptojacking relied primarily on compromised websites or email attachments. This campaign combines SEO poisoning—a technique that manipulates organic search rankings—with AI chatbot abuse, creating two distinct pathways to the same malicious payload. The use of legitimate utility brands as lures is not new, but the simultaneous impersonation of six different utilities suggests a coordinated, well-resourced operation. The deployment of ScreenConnect as an intermediate stage adds a remote access component that gives attackers flexibility: they can use the same infrastructure to deploy different payloads to different victims, turning compromised PCs into a platform for future attacks. Unlike simpler cryptojacking variants that immediately begin mining, this campaign establishes remote access first, allowing attackers to adapt their strategy if detection occurs.

What Users Should Do Right Now

Microsoft Defender detected and blocked activity associated with the campaign, but users who already downloaded files from poisoned sites should assume their systems may be compromised. Verify software downloads by visiting official vendor websites directly rather than clicking search results or chatbot-recommended links. If you use AI chatbots to find software, cross-reference the recommended links against the official vendor site before downloading. Check for signs of infection: unusual GPU usage when no games or rendering software is running, unexpected CPU load, or new scheduled tasks in Windows Task Scheduler. Users with high-end GPUs should monitor GPU temperature and load in real time using legitimate utilities like GPU-Z or the GPU manufacturer’s own monitoring tools. Run a full system scan with Windows Defender or a third-party antivirus tool if you suspect infection. If you downloaded any of the six impersonated utilities—CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, or PDFgear—from a source other than the official vendor, assume the download was malicious and reinstall from the vendor’s official website after a clean scan.

Is my system at risk if I use AI chatbots?

Not necessarily. The risk exists only if you click links provided by chatbots without verifying them against official vendor sites. AI chatbots are not inherently unsafe—they simply aggregate information from the web, and if the web contains poisoned results, the chatbot may surface them. The safest approach is to always verify software download links independently before executing any installer.

What makes gleeze.com and Dynu important to this attack?

Gleeze.com serves as the hosting infrastructure for the malicious ZIP archives, and Dynu’s dynamic DNS service allows attackers to change the underlying IP address without losing connectivity. This makes it harder for security researchers and law enforcement to take down the campaign by simply blocking an IP address. Dynamic DNS providers are frequently abused by threat actors because they enable persistence and evasion.

Can Windows Defender alone protect me from this campaign?

Microsoft Defender detected and blocked activity associated with the campaign, but defense in depth is always better than relying on a single security tool. Defender is effective, but the best protection is user behavior: download software only from official vendor websites, verify links before clicking, and be skeptical of any download recommended by a chatbot without independent verification.

The GPU mining malware campaign demonstrates that no single security layer—not search engines, not AI chatbots, not even endpoint antivirus—can stop determined attackers. The real defense is user awareness. Verify download sources, distrust convenience, and remember that legitimate software vendors do not hide behind SEO poisoning or chatbot recommendations. High-end PC users are valuable targets because their hardware is profitable to compromise, making them a priority for attackers willing to invest in multi-vector campaigns like this one.

Edited by the All Things Geek team.

Source: Tom's Hardware

Share This Article
Tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.