AI chatbot recommendations lure users to cryptojacking malware sites
ID: 104d9bc6-3d63-5abb-aeb8-cd5d6fc840b3
STIX ID: report--104d9bc6-3d63-5abb-aeb8-cd5d6fc840b3
Feed Name: Help Net Security
Microsoft warns of an active cryptojacking campaign that uses poisoned search results and AI chatbot interactions to push victims to lookalike download sites. Attackers serve ZIPs containing legitimate executables alongside malicious autorun.dll files to enable DLL sideloading, silently install a ScreenConnect deployment (disguised as vcredist_x64.dll), drop and hide SimpleRunPE/RuntimeHost, and deploy GPU miners (gminer, lolMiner, SRBMiner-MULTI) using process hollowing and anti-analysis checks. The operation also establishes persistence and tampers with Defender exclusions; over 150 domains and IOCs have been identified. Recommended mitigations include enabling cloud-delivered protection, attack surface reduction rules, and EDR in block mode, and monitoring for unauthorized remote management activity.
