GPU cryptomining malware using ScreenConnect and SEO poisoning
Malware Activity
Summary
Hide ▲
Show ▼
A cryptojacking malware operation is spreading through SEO-poisoned download pages and, in some cases, AI chatbot recommendations, putting high-performance Windows systems at risk of persistent compromise and GPU abuse. The payload installs ScreenConnect for follow-on access and uses stealth techniques to stay resident after infection. It then deploys GPU miners such as gminer, lolMiner, and SRBMiner-MULTI to maximize cryptocurrency yield per compromised device.
Related Happenings
Mistic backdoor deployment via ClickFix and DLL side-loading
Malware Activity
H score22
First: 25.06.2026 11:54
Last: 25.06.2026 11:54
Sources 1
About this happening:
The **Mistic** backdoor is being used in **financially motivated attacks** against organizations across **insurance, education, IT, and professional services**, raising the risk o...
Mistic backdoor deployment via ClickFix and DLL side-loading
Malware ActivityAbout this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against organizations across **insurance, education, IT, and professional services**, raising the risk o...
Edgecution malicious Microsoft Edge extension backdoor activity
Malware Activity
H score23
First: 24.06.2026 23:58
Last: 24.06.2026 23:58
Sources 1
About this happening:
The **Edgecution** malware is extending a **Microsoft Edge** browser foothold into host-level compromise by abusing **Chrome Native Messaging** and launching a **Python-based back...
Edgecution malicious Microsoft Edge extension backdoor activity
Malware ActivityAbout this happening: The **Edgecution** malware is extending a **Microsoft Edge** browser foothold into host-level compromise by abusing **Chrome Native Messaging** and launching a **Python-based back...
ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance
Technical Analysis
H score34
First: 16.06.2026 12:00
Last: 16.06.2026 12:00
Sources 1
About this happening:
**ESET** identified previously undocumented **Windows variants** of **SprySOCKS**, a backdoor attributed to **FishMonger** and linked to **I-Soon**. The **WIN_DRV** and **WIN_PLUS...
ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance
Technical AnalysisAbout this happening: **ESET** identified previously undocumented **Windows variants** of **SprySOCKS**, a backdoor attributed to **FishMonger** and linked to **I-Soon**. The **WIN_DRV** and **WIN_PLUS...
JustAskJacky fake AI assistant malware campaign
Campaign
H score33
First: 04.06.2026 17:00
Last: 04.06.2026 17:00
Sources 1
About this happening:
The **JustAskJacky** campaign is distributing a fake **AI assistant** that installs a **backdoor**, turning trusted-looking software into a malware delivery path. The operation us...
JustAskJacky fake AI assistant malware campaign
CampaignAbout this happening: The **JustAskJacky** campaign is distributing a fake **AI assistant** that installs a **backdoor**, turning trusted-looking software into a malware delivery path. The operation us...
AI chatbot cryptojacking campaign targeting high-performance GPU users
Campaign
H score51
First: 27.05.2026 10:45
Last: 27.05.2026 10:45
Sources 1
How related:
Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommendations.
About this happening:
An active **cryptojacking campaign** is using **SEO poisoning** and, in some cases, **AI chatbot recommendations** to steer users toward malicious download pages for trusted utili...
AI chatbot cryptojacking campaign targeting high-performance GPU users
CampaignHow related: Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommendations.
About this happening: An active **cryptojacking campaign** is using **SEO poisoning** and, in some cases, **AI chatbot recommendations** to steer users toward malicious download pages for trusted utili...
Timeline
-
28.05.2026 00:31 2 articles · 1mo ago
Microsoft discovers cryptojacking campaign using SEO-poisoned download pages and ScreenConnect
Initial DisclosureMicrosoft researchers discovered an ongoing cryptojacking campaign targeting high-performance Windows systems through SEO-poisoned download pages for utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. The malicious ZIP from gleeze[.]com includes a benign utility and a DLL that loads ScreenConnect for persistent access, then uses process hollowing, Microsoft Defender exclusion tampering, anti-analysis checks, and GPU miners such as gminer, lolMiner, and SRBMiner-MULTI to maximize cryptocurrency yield on compromised devices.
Show sources
- GPU mining malware spreads via SEO poisoning, AI chatbots — www.bleepingcomputer.com — 28.05.2026 00:31
- GPU mining malware spreads via SEO poisoning, AI chatbots — www.bleepingcomputer.com — 28.05.2026 00:31