Find notable cyber news and cases, enriched with sources, timelines, and signals.

GPU cryptomining malware using ScreenConnect and SEO poisoning

Malware Activity
First reported
Last updated
Happening score
H score 16
1 unique sources, 1 articles

Summary

Hide ▲

A cryptojacking malware operation is spreading through SEO-poisoned download pages and, in some cases, AI chatbot recommendations, putting high-performance Windows systems at risk of persistent compromise and GPU abuse. The payload installs ScreenConnect for follow-on access and uses stealth techniques to stay resident after infection. It then deploys GPU miners such as gminer, lolMiner, and SRBMiner-MULTI to maximize cryptocurrency yield per compromised device.

Related Happenings

Mistic backdoor deployment via ClickFix and DLL side-loading

Malware Activity
H score22 First: 25.06.2026 11:54 Last: 25.06.2026 11:54 Sources 1

About this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against organizations across **insurance, education, IT, and professional services**, raising the risk o...

Edgecution malicious Microsoft Edge extension backdoor activity

Malware Activity
H score23 First: 24.06.2026 23:58 Last: 24.06.2026 23:58 Sources 1

About this happening: The **Edgecution** malware is extending a **Microsoft Edge** browser foothold into host-level compromise by abusing **Chrome Native Messaging** and launching a **Python-based back...

ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance

Technical Analysis
H score34 First: 16.06.2026 12:00 Last: 16.06.2026 12:00 Sources 1

About this happening: **ESET** identified previously undocumented **Windows variants** of **SprySOCKS**, a backdoor attributed to **FishMonger** and linked to **I-Soon**. The **WIN_DRV** and **WIN_PLUS...

JustAskJacky fake AI assistant malware campaign

Campaign
H score33 First: 04.06.2026 17:00 Last: 04.06.2026 17:00 Sources 1

About this happening: The **JustAskJacky** campaign is distributing a fake **AI assistant** that installs a **backdoor**, turning trusted-looking software into a malware delivery path. The operation us...

AI chatbot cryptojacking campaign targeting high-performance GPU users

Campaign
H score51 First: 27.05.2026 10:45 Last: 27.05.2026 10:45 Sources 1

How related: Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommendations.

About this happening: An active **cryptojacking campaign** is using **SEO poisoning** and, in some cases, **AI chatbot recommendations** to steer users toward malicious download pages for trusted utili...

Timeline

  1. 28.05.2026 00:31 2 articles · 1mo ago

    Microsoft discovers cryptojacking campaign using SEO-poisoned download pages and ScreenConnect

    Initial Disclosure

    Microsoft researchers discovered an ongoing cryptojacking campaign targeting high-performance Windows systems through SEO-poisoned download pages for utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. The malicious ZIP from gleeze[.]com includes a benign utility and a DLL that loads ScreenConnect for persistent access, then uses process hollowing, Microsoft Defender exclusion tampering, anti-analysis checks, and GPU miners such as gminer, lolMiner, and SRBMiner-MULTI to maximize cryptocurrency yield on compromised devices.

    Show sources