GPU mining malware spreads via SEO poisoning, AI chatbots
A new GPU-mining malware campaign is spreading through SEO poisoning and AI chatbot recommendations, redirecting users seeking common utilities to attacker-controlled download pages. The attack payload includes a legitimate utility plus a malicious DLL that installs ScreenConnect for persistence, uses process hollowing to inject into Microsoft-signed binaries, and establishes six persistence points. It then downloads and runs GPU mining tools (gminer, lolMiner, SRBMiner-MULTI) to monetize compromised machines, with defenders warned to watch for the implicated indicators of compromise.

GPU Mining Malware Spread via SEO Poisoning and AI Chatbots
Overview
Threat actors have orchestrated a cryptojacking campaign that leverages a dual-pronged approach: search engine poisoning and manipulation of AI chat assistants. The objective is to deploy GPU-focused mining software on high-performance workstations and servers, while maintaining persistent, stealthy access to the infected machines. The campaign targets users who download popular utility programs commonly installed on systems with substantial processing power, including disk utilities, monitoring tools, and media/codec packs.
Initial Access and Distribution
- Malicious download pages masquerade as legitimate utilities. Targeted applications include well-known tools for system health, driver maintenance, stress testing, and multimedia support.
- Search results for these utilities are poisoned to elevate attacker-controlled domains, increasing the likelihood that users click a compromised link.
- In some instances, AI-based assistants have been observed directing users to attacker-controlled domains when users request software download recommendations.
Malicious Payload and Execution Chain
- The malicious download is distributed as a ZIP archive hosted on a subdomain previously flagged for phishing-related activity.
- Inside the archive, a legitimate executable is present alongside a malicious dynamic-link library (DLL). When the legitimate program runs, the malicious DLL is automatically loaded.
- The DLL uses the built-in Windows Installer mechanism (msiexec) to install additional components, specifically the components of a remote access tool.
Initial foothold and persistence
- After establishing a foothold through a compromised binary, the attacker initiates a remote session using a legitimate remote management tool that is loaded through the system’s own installer chain.
- During or after the remote session, a secondary binary is dropped. This binary is designed to run covertly and copy itself under a generic, inconspicuous name in a hidden location.
- The dropped component is crafted to establish multiple persistence mechanisms across Windows startup locations, ensuring the malware launches automatically on reboot.
Impersonation and concealment
- Some dropped files masquerade as common, legitimate executables (for example, a well-known media player), aiming to blend into the user environment and avoid suspicion.
- The malware relies on trusted software components and built-in scripting to stay hidden, including attempting to run inside a benign Windows utility once on the system.
Process hollowing and signing abuse
- A notable technique employed by the threat actor is process hollowing, where the malicious code runs inside a legitimate, digitally signed Microsoft binary. This includes attempts to hollow out utilities commonly used for system management and development.
- The malware also uses Windows PowerShell to add its own path to the exclusion lists of the system's security tools, reducing its visibility to them.
VM and analysis-detection checks
- The malware performs checks to detect virtual machines and a list of processes commonly associated with security analysis and debugging. If any are found, the malware terminates to avoid sandboxing and scrutiny.
Mining payloads and GPU focus
- Following the hollowing and initial persistence stages, one of several mining modules is downloaded and executed. The campaign supports multiple GPU-mining programs designed to maximize cryptocurrency yield from compromised devices.
- The supported mining tools include variants commonly used for GPU-based mining, configured to operate with minimal user disruption and to optimize resource usage on the infected machine.
Campaign characteristics and monetization strategy
- This campaign is distinguished by its monetization approach, prioritizing high-yield cryptocurrency mining on each compromised device rather than broad dissemination. The attackers tailor their actions to maximize the mining output from the GPU hardware present in the target environment.
- The use of a legitimate utility distribution channel, combined with stealthy persistence mechanisms and process-internal launching methods, reflects a mature, targeted approach to long-term compromise.
Role of SEO Poisoning and AI Assistants
- SEO poisoning plays a central role: legitimate-seeming download pages are boosted in search rankings so victims encounter the attacker-controlled domains first.
- The integration with AI chat assistants adds a second vector: responses generated by chatbots may include links to malicious domains when users seek software downloads, expanding the potential attack surface beyond traditional search results.
Indicators of Compromise
- Presence of a remote management entry point installed via a legitimate installer chain (reusing a known remote access tool).
- A binary dropped after a remote session that copies itself under a generic name into a hidden folder and establishes multiple startup entries.
- A DLL loaded by a legitimate executable, which then invokes system installers to bring in additional components.
- Use of a Windows Installer (msiexec) to install a supporting dynamic-link library associated with the remote access tool.
- Execution of a process hollowing technique inside a Microsoft-signed binary, followed by attempts to run additional Microsoft-signed utilities.
- PowerShell commands that add the malicious path to the system’s exclusion lists in defense products.
- Checks for virtualization and for common analysis tools; detection results in termination of the malicious process.
- Download and execution of GPU mining modules, such as mining software variants designed for high-throughput graphics cards.
- Access to attacker-controlled domains linked to phishing campaigns, including domains previously flagged for malicious activity.
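Three of the host-based indicators above (the Defender exclusion added via PowerShell, msiexec driven by a program running from a user-writable folder, and an autorun entry pointing into a hidden profile directory) can be expressed as simple detection rules. The following is an added example, not code from the report or the analysts behind it; the Sysmon-like events, paths and rule names are constructed for illustration.

```python
"""Detection rules for three of the host indicators described above.

The sample events are constructed (Sysmon-style field names, made-up values)."""
import re

# Constructed telemetry: process-create events carry image/cmdline/parent,
# registry-set events carry key/value. None of these values come from the campaign.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden Add-MpPreference -ExclusionPath "C:\\Users\\alice\\AppData\\Local\\svc"',
     "parent": r"C:\Users\alice\Downloads\DiskUtility\DiskUtility.exe"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\alice\AppData\Local\Temp\setup.msi /qn",
     "parent": r"C:\Users\alice\Downloads\DiskUtility\DiskUtility.exe"},
    {"type": "registry", "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Local\svc\svc.exe"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Program Files\Vendor\tool.msi", "parent": r"C:\Windows\explorer.exe"},
]

# Locations an ordinary user can write to; installers and autoruns rooted here deserve a look.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads)|ProgramData|Windows\\Temp)\\", re.I)
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)


def findings(event):
    """Return the names of the rules an event trips (empty list means nothing flagged)."""
    hits = []
    if event["type"] == "process":
        image = event["image"].lower()
        cmd = event["cmdline"].lower()
        # Rule 1: PowerShell adding a path to Defender's exclusion list.
        if image.endswith("powershell.exe") and "add-mppreference" in cmd and "-exclusionpath" in cmd:
            hits.append("defender_exclusion_added")
        # Rule 2: msiexec whose parent runs from a user-writable folder, i.e. an
        # unpacked download (side-loaded DLL) invoking the installer chain.
        if image.endswith("msiexec.exe") and USER_WRITABLE.search(event["parent"]):
            hits.append("msiexec_from_user_writable_parent")
    elif event["type"] == "registry":
        # Rule 3: a Run/RunOnce autorun pointing into a user-writable (often hidden) directory.
        if AUTORUN_KEY.search(event["key"]) and USER_WRITABLE.search(event["value"]):
            hits.append("autorun_in_user_writable_path")
    return hits


def triage(events):
    """Map event index -> findings for every event that trips at least one rule."""
    return {i: findings(e) for i, e in enumerate(events) if findings(e)}
```

Run over real Sysmon exports, rule 2 will also fire on legitimate installers launched from Downloads, so treat it as a lead to correlate with the other two rather than an alert on its own.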
Impact and Threat Landscape
- The campaign highlights a shift in threat actor priorities toward sustained, device-specific monetization via GPU mining.
- By embedding within commonly used utilities and leveraging trusted software distribution channels, attackers reduce friction for victims while increasing the potential mining return.
- The combination of SEO manipulation and AI-assisted guidance amplifies the reach of the campaign, potentially affecting a broad ecosystem of users who search for and download popular tools.
Operational Timeline and Context
- The emergence of these techniques is recent, aligning with reports of poisoned search results and AI-assisted redirection observed in early 2026.
- Domain history associated with phishing and credential harvesting has been noted in prior security analyses, reinforcing the assessment that the infrastructure used in these campaigns is attacker-controlled.
Concluding Observations
- The convergence of SEO poisoning, AI-assisted guidance, and stealthy post-exploitation techniques demonstrates an advanced approach to GPU mining malware.
- The campaign’s emphasis on persistence, stealth, and device-specific monetization marks a notable evolution in how attackers leverage compromised systems for cryptomining profits.
- As defenses evolve, monitoring for the described indicators, scrutinizing download channels for utility software, and validating the integrity of remote management components will remain critical in detecting and mitigating such threats.