GPU cryptomining malware using ScreenConnect and SEO poisoning
Malware Activity
Summary
A cryptojacking malware operation is spreading through SEO-poisoned download pages and, in some cases, AI chatbot recommendations, putting high-performance Windows systems at risk of persistent compromise and GPU abuse. The payload installs ScreenConnect for follow-on access and uses stealth techniques to stay resident after infection. It then deploys GPU miners such as gminer, lolMiner, and SRBMiner-MULTI to maximize cryptocurrency yield per compromised device.
Related Happenings
AI chatbot cryptojacking campaign targeting high-performance GPU users
Campaign
First: 27.05.2026 10:45
Last: 27.05.2026 10:45
Sources 1
How related:
Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommendations.
About this happening:
An active **cryptojacking campaign** is using **SEO poisoning** and, in some cases, **AI chatbot recommendations** to steer users toward malicious download pages for trusted utili...
SHub Reaper macOS infostealer variant
Malware Activity
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
Google Ads tax-search ScreenConnect malvertising campaign
Campaign
First: 24.03.2026 19:05
Last: 24.03.2026 19:05
Sources 1
About this happening:
A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...
Syncro MSP agent deploying ScreenConnect for remote access
Malware Activity
First: 15.10.2025 22:22
Last: 15.10.2025 22:22
Sources 1
About this happening:
The **Syncro** payload installs **ScreenConnect** through a hidden remote-management agent, giving operators **remote access** to infected endpoints and a path to **follow-on payl...
APT phishing campaign abusing ScreenConnect, AnyDesk, and Atera
Campaign
First: 13.10.2025 18:45
Last: 13.10.2025 18:45
Sources 1
About this happening:
A wave of **phishing-led RMM abuse** is giving **APT groups** initial access to systems and enabling **persistence** plus **lateral movement** inside compromised networks. The act...
Timeline
28.05.2026 00:31 2 articles · 1h ago
Microsoft discovers cryptojacking campaign using SEO-poisoned download pages and ScreenConnect
Initial Disclosure: Microsoft researchers discovered an ongoing cryptojacking campaign targeting high-performance Windows systems through SEO-poisoned download pages for utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. The malicious ZIP from gleeze[.]com includes a benign utility and a DLL that loads ScreenConnect for persistent access, then uses process hollowing, Microsoft Defender exclusion tampering, anti-analysis checks, and GPU miners such as gminer, lolMiner, and SRBMiner-MULTI to maximize cryptocurrency yield on compromised devices.
Sources:
- GPU mining malware spreads via SEO poisoning, AI chatbots — www.bleepingcomputer.com — 28.05.2026 00:31