From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
ID: 191ed108-b5ee-5c9c-a820-f06aa8afe40c
STIX ID: report--191ed108-b5ee-5c9c-a820-f06aa8afe40c
Feed Name: Microsoft Security
Date Published: 2026-05-26
Date Updated: 2026-05-27
Author: Microsoft Defender Experts and Microsoft Defender Security Research Team
Microsoft Defender describes an active, targeted cryptojacking campaign that lures GPU-capable users to attacker-controlled lookalike sites via SEO poisoning and AI chatbot responses. The lookalike sites deliver spoofed utilities containing a malicious autorun.dll that sideloads and installs ScreenConnect; the operators then use process hollowing and runtime downloader logic to execute GPU miners (gminer, lolMiner, SRBMiner-MULTI). The campaign includes robust persistence, Microsoft Defender exclusion techniques, host reconnaissance, and certificate-pinned WebSocket C2s, and its published IOCs cover more than 150 malicious domains. Microsoft provides detection queries and mitigation recommendations such as enabling cloud-delivered protection, EDR in block mode, attack surface reduction (ASR) rules, and SmartScreen.
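As an added example, not taken from the Microsoft report, the PowerShell triage script below checks a single Windows host for the artefact classes the summary names: Defender exclusions, a ScreenConnect service, running miner binaries, and scheduled tasks used for persistence. The miner names come from the summary; the search terms `ScreenConnect` and `autorun.dll`, the substring-matching logic, and the rule that any Defender exclusion on a host that should have none is suspect are this script's own assumptions, not indicators published by Microsoft. Run it in an elevated session on the host being triaged.

```powershell
# Added example (not code from the Microsoft report). Assumptions are marked inline.
# Requires an elevated PowerShell session on the host being triaged.

$minerNames = @('gminer', 'lolMiner', 'SRBMiner-MULTI')          # named in the summary
$watchTerms = $minerNames + @('ScreenConnect', 'autorun.dll')   # assumed search terms

function Test-WatchTerm {
    param([string]$Text)
    # -like is case-insensitive in PowerShell; any watched substring is a hit.
    foreach ($t in $watchTerms) { if ($Text -like "*$t*") { return $true } }
    return $false
}

# 1. Microsoft Defender exclusions: the campaign adds them so miner files and processes
#    are never scanned. Any exclusion is reported; ones naming a watched term are flagged.
$prefs = Get-MpPreference
$exclusions = foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($value in @($prefs.$kind)) {
        if ($null -ne $value) {
            [pscustomobject]@{
                Finding = 'DefenderExclusion'
                Kind    = $kind
                Value   = $value
                Suspect = Test-WatchTerm $value   # assumption: watched term in an exclusion = suspect
            }
        }
    }
}

# 2. Services: ScreenConnect installed as a service the administrator did not deploy.
$services = Get-CimInstance Win32_Service |
    Where-Object { Test-WatchTerm ("$($_.Name) $($_.PathName)") } |
    ForEach-Object {
        [pscustomobject]@{
            Finding = 'Service'
            Kind    = $_.StartMode
            Value   = "$($_.Name): $($_.PathName)"
            Suspect = $true
        }
    }

# 3. Running processes: miner binaries by name, path, or command line. Win32_Process is
#    used instead of Get-Process because it never throws on protected processes.
#    Caveat: a hollowed host process keeps its legitimate name and path, so this check
#    only catches miners launched directly or with a tell-tale command line.
$processes = Get-CimInstance Win32_Process |
    Where-Object { Test-WatchTerm ("$($_.Name) $($_.ExecutablePath) $($_.CommandLine)") } |
    ForEach-Object {
        [pscustomobject]@{
            Finding = 'Process'
            Kind    = $_.ProcessId
            Value   = "$($_.Name) ($($_.ExecutablePath))"
            Suspect = $true
        }
    }

# 4. Scheduled tasks: persistence whose action executes, or passes as an argument, a watched name.
$tasks = Get-ScheduledTask | Where-Object {
    $actionText = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    Test-WatchTerm $actionText
} | ForEach-Object {
    [pscustomobject]@{
        Finding = 'ScheduledTask'
        Kind    = $_.State
        Value   = "$($_.TaskPath)$($_.TaskName)"
        Suspect = $true
    }
}

$findings = @($exclusions) + @($services) + @($processes) + @($tasks)
if ($findings.Count -eq 0) {
    Write-Output 'No Defender exclusions, ScreenConnect artefacts, or named miner artefacts found.'
} else {
    # Flagged items first; unflagged Defender exclusions still deserve a manual look.
    $findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
}
```

The script is a first-pass host check, not a replacement for the advanced hunting queries Microsoft publishes with the report: it sees only what is present on the host at run time, so a miner that has already exited, a downloader stage that ran once, or a hollowed process carrying a legitimate image name will not appear. Treat a hit on any line as a reason to pull the full report's IOC list and the endpoint's process and network telemetry rather than as a verdict on its own.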
