
AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites

ID: 7442ba7b-0072-51c2-9663-a4605f32a79b

STIX ID: report--7442ba7b-0072-51c2-9663-a4605f32a79b

Feed Name: The Hacker News

Threat Score: 75/100

Date Published: 2026-05-27

Date Updated: 2026-05-27

Author: The Hacker News


Microsoft reported an active cryptojacking campaign that leverages AI chatbot recommendations and SEO-poisoned sites to trick users into downloading trojanized installers impersonating utilities. The payload sideloads a malicious DLL that installs ScreenConnect for persistent remote access and uses process hollowing and Defender exclusion tampering to run GPU miners (gminer, lolMiner, SRBMiner-MULTI). The access can also be used for follow-on activity (data theft, lateral movement, ransomware). Over 150 malicious domains and infrastructure details (e.g., 193.42.11.108, gleeze.com subdomains, Dynu hosting) were identified.
