AI chatbot cryptojacking campaign targeting high-performance GPU users
Campaign
Summary
An active cryptojacking campaign is using SEO poisoning and, in some cases, AI chatbot recommendations to steer users toward malicious download pages for trusted utilities. The activity targets high-performance GPUs, delivers a ZIP payload from gleeze[.]com, and installs ScreenConnect for persistence before dropping GPU miners such as gminer, lolMiner, and SRBMiner-MULTI.
Related Happenings
GPU cryptomining malware using ScreenConnect and SEO poisoning
Malware Activity
First: 28.05.2026 00:31
Last: 28.05.2026 00:31
Sources 1
How related:
The supported mining programs are gminer, lolMiner, and SRBMiner-MULTI, all of them designed to use graphics processing units (GPUs).
About this happening:
A **cryptojacking malware operation** is spreading through **SEO-poisoned download pages** and, in some cases, **AI chatbot recommendations**, putting **high-performance Windows s...
SHub Reaper macOS infostealer variant
Malware Activity
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
TCLBanker self-spreading banking trojan
Malware Activity
First: 08.05.2026 01:06
Last: 08.05.2026 01:06
Sources 1
About this happening:
The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...
Google Ads tax-search ScreenConnect malvertising campaign
Campaign
First: 24.03.2026 19:05
Last: 24.03.2026 19:05
Sources 1
About this happening:
A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...
Jinkusu's Starkiller phishing-as-a-service ecosystem commoditizes account takeover
Threat Actor Meta
First: 20.02.2026 22:00
Last: 20.02.2026 22:00
Sources 1
About this happening:
A new phishing-as-a-service operation tied to **Jinkusu** is proxying real login pages through attacker infrastructure, making **MFA bypass** and account takeover easier for low-s...
Timeline
- 27.05.2026 10:45 · 3 articles · 14h ago
Microsoft warns of AI chatbot-led cryptojacking campaign
Initial Disclosure
Microsoft warned of an active cryptojacking campaign that uses AI chatbot interactions and SEO-poisoned download sites to steer users toward malicious ZIP archives hosted on campaign-specific subdomains of gleeze[.]com associated with Dynu. The campaign impersonates trusted utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear, with a focus on users who own high-performance GPUs. Microsoft said it detected and blocked activity tied to the campaign, and noted that observed iterations in April 2026 shifted delivery from conventional search results to links surfaced in LLM-based chatbot responses.
Sources:
- AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites — thehackernews.com — 27.05.2026 10:45
- GPU mining malware spreads via SEO poisoning, AI chatbots — www.bleepingcomputer.com — 28.05.2026 00:31
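For defenders, the chain in the summary (download from gleeze[.]com, ScreenConnect install, GPU miner) can be hunted as an ordered sequence per host. The sketch below is an added example, not code from Microsoft or the cited articles; the event format, file paths, host names and the 24-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

CAMPAIGN_DOMAIN = "gleeze.com"   # from the page (written there as gleeze[.]com)
MINERS = ("gminer", "lolminer", "srbminer-multi")  # miner names from the page
ORDER = ("delivery", "remote_access", "miner")
WINDOW = timedelta(hours=24)     # assumption: max time from download to miner

# Constructed sample telemetry: (timestamp, host, kind, value); kind is "dns" or "proc"
EVENTS = [
    ("2026-05-27T09:00:00", "ws-01", "dns", "tools.gleeze.com"),
    ("2026-05-27T09:03:10", "ws-01", "proc", r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"),
    ("2026-05-27T09:20:45", "ws-01", "proc", r"C:\ProgramData\upd\lolMiner.exe"),
    ("2026-05-27T10:00:00", "ws-02", "proc", r"C:\IT\ScreenConnect.ClientService.exe"),
    ("2026-05-27T11:00:00", "ws-03", "dns", "notgleeze.com"),
    ("2026-05-27T11:05:00", "ws-03", "proc", r"D:\bench\SRBMiner-MULTI.exe"),
    ("2026-05-27T12:00:00", "ws-04", "dns", "CDN.GLEEZE.COM."),
    ("2026-05-29T12:00:00", "ws-04", "proc", r"C:\IT\ScreenConnect.ClientService.exe"),
]

def stage_of(kind, value):
    """Map one event to a campaign stage, or None if unrelated."""
    v = value.lower().rstrip(".")
    if kind == "dns":  # label-boundary match: notgleeze.com must not hit
        return "delivery" if ("." + v).endswith("." + CAMPAIGN_DOMAIN) else None
    if "screenconnect" in v:
        return "remote_access"
    # Assumption: dropped miner binaries keep their upstream names.
    return "miner" if any(m in v for m in MINERS) else None

def correlate(events):
    """Per host, return the stages seen in campaign order within WINDOW."""
    by_host = {}
    for ts, host, kind, value in events:
        stage = stage_of(kind, value)
        if stage:
            by_host.setdefault(host, {}).setdefault(stage, []).append(datetime.fromisoformat(ts))
    chains = {}
    for host, seen in by_host.items():
        chain, start, prev = [], None, datetime.min
        for stage in ORDER:
            later = [t for t in seen.get(stage, []) if t >= prev]
            if not later or (start and min(later) - start > WINDOW):
                break
            prev = min(later)
            start = start or prev
            chain.append(stage)
        chains[host] = chain
    return chains
```

A host whose chain reaches all three stages is the strongest lead. ScreenConnect alone (ws-02) or a miner without the delivery stage (ws-03) yields an empty chain here and needs separate triage.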