AI Chatbots May Be Directing Users to Cryptojacking Download Sites

The operation impersonates trusted PC utilities like CrystalDiskInfo and FurMark to find machines worth mining, and plants a ScreenConnect backdoor that could later enable ransomware

Published on May 27, 2026
Microsoft Tracks Cryptojacking Campaign Hunting High-End GPUs via Fake System Tools

Microsoft has identified an active cryptojacking campaign that targets high-value gaming and workstation PCs by disguising malware as trusted hardware utilities, then installing a remote-access backdoor that could later be repurposed for ransomware.

Rather than infecting as many machines as possible, the operators behind the campaign targeted ones that were worth mining on.

Microsoft Defender Experts, who are tracking the operation, said it ran a coordinated SEO-poisoning effort impersonating a portfolio of trusted PC utilities, including CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear.

The choice was deliberate. Each tool is favored by hardware enthusiasts, the users most likely to own a high-performance discrete GPU, which is what makes GPU mining worthwhile. Since March 2026, Microsoft has identified more than 150 malicious domains tied to the campaign.

When a user searched for one of these utilities, poisoned results steered them to a lookalike site. The download delivered a ZIP that bundled the genuine utility with a malicious autorun.dll.

Launching the real program sideloaded the DLL: because Windows resolves a DLL by name and looks in the executable's own directory before system locations, the legitimate, signed utility loaded the attacker's library without any modification to the utility itself. The DLL then silently installed a second component disguised as a Visual C++ Redistributable. That component was actually a packaged installer for ScreenConnect.

An Emerging AI-Assisted Delivery Path

The search-poisoning route is well established. Newer, and more tentative, was a second path Microsoft began observing in April.

Microsoft said reports emerging in April 2026 indicated that some users may have reached the malicious domains through AI chatbots, which returned links to attacker-controlled sites in answers to download-recommendation queries. VirusTotal traffic metadata offered partial corroboration.

The finding rested on correlated data rather than a confirmed mechanism, and Microsoft noted it did not indicate a systemic problem with any specific AI service.

Still, the company framed the behavior as a plausible extension of SEO poisoning into AI-generated answers, as more users ask chatbots what they once typed into search engines.

A Backdoor That Outlasts the Mining

The mining was almost the least of it. ScreenConnect, a legitimate remote-management tool, handed the operator persistent hands-on-keyboard access.

From there the attacker ran the mining code inside a trusted Microsoft-signed .NET binary, added Defender exclusions, and set up six persistence mechanisms across scheduled tasks, registry keys, and the Startup folder.
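The delivery chain described earlier (a DLL sideloaded from the downloaded utility's own folder) and the post-exploitation steps above (Defender exclusions, persistence via scheduled tasks, Run keys and the Startup folder) can be turned into detection logic run over endpoint telemetry. The following is an added example and is not Microsoft's detection logic or anything from the article: the event dictionaries and their field names (loosely modeled on Defender advanced-hunting column names), the executable names for the impersonated utilities, the user-writable folder list, the persistence threshold and the sample telemetry are all constructed assumptions.

```python
"""Constructed detection logic for the sideload -> exclusion -> persistence chain.

Added example, not Microsoft's own detection. Event dicts loosely mirror Defender
advanced-hunting column names but are constructed samples, not real telemetry.
"""
import json
import ntpath
import re
from collections import defaultdict

# Utilities the campaign impersonated (from the article); the .exe names are assumed.
SIDELOAD_TARGETS = {
    "crystaldiskinfo.exe", "hwmonitor.exe", "display driver uninstaller.exe",
    "furmark.exe", "k-lite codec pack.exe", "pdfgear.exe",
}
# Folders a standard user can write to. A DLL loaded from here, next to the EXE,
# is far more suspicious than one resolved from System32. (assumed list)
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\desktop\\", "\\public\\")
STARTUP_MARK = "\\start menu\\programs\\startup\\"
EXCL_MARK = "\\windows defender\\exclusions\\"
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.IGNORECASE)
SCHTASKS_RE = re.compile(r"schtasks(\.exe)?\s+.*?/create\b", re.IGNORECASE)


def _norm(path: str) -> str:
    """Case-fold a Windows path and strip a trailing separator (works on any OS)."""
    return ntpath.normcase(path).rstrip("\\")


def detect_sideload(events):
    """DLLs loaded by an impersonated utility from its own, user-writable folder."""
    hits = []
    for e in events:
        if e["ActionType"] != "ImageLoaded" or not e["FileName"].lower().endswith(".dll"):
            continue
        exe = e["InitiatingProcessFileName"].lower()
        dll_dir, exe_dir = _norm(e["FolderPath"]), _norm(e["InitiatingProcessFolderPath"])
        if exe in SIDELOAD_TARGETS and dll_dir == exe_dir \
                and any(m in dll_dir + "\\" for m in USER_WRITABLE):
            hits.append((e["DeviceName"], exe, e["FileName"]))
    return hits


def detect_defender_exclusions(events):
    """Registry writes that add a Defender exclusion (path, process or extension)."""
    return [(e["DeviceName"], e["RegistryValueName"]) for e in events
            if e["ActionType"] == "RegistryValueSet"
            and EXCL_MARK in e["RegistryKey"].lower() + "\\"]


def detect_persistence(events):
    """Per device, the persistence entries seen as (kind, detail) tuples."""
    per_dev = defaultdict(list)
    for e in events:
        dev, kind = e["DeviceName"], e["ActionType"]
        if kind == "RegistryValueSet" and RUN_KEY_RE.search(e["RegistryKey"]):
            per_dev[dev].append(("run_key", e["RegistryValueName"]))
        elif kind == "ProcessCreated" and SCHTASKS_RE.search(e["ProcessCommandLine"]):
            per_dev[dev].append(("scheduled_task", e["ProcessCommandLine"]))
        elif kind == "FileCreated" and STARTUP_MARK in _norm(e["FolderPath"]) + "\\":
            per_dev[dev].append(("startup_folder", e["FileName"]))
    return dict(per_dev)


def triage(events, persistence_threshold=3):
    """Combine the three detections; a sideload plus exclusions or stacked
    persistence is treated as a likely compromise (threshold is an assumption)."""
    report = defaultdict(lambda: {"sideload": [], "exclusions": [], "persistence": []})
    for dev, exe, dll in detect_sideload(events):
        report[dev]["sideload"].append(f"{exe} -> {dll}")
    for dev, value in detect_defender_exclusions(events):
        report[dev]["exclusions"].append(value)
    for dev, items in detect_persistence(events).items():
        report[dev]["persistence"].extend(items)
    for r in report.values():
        stacked = r["exclusions"] or len(r["persistence"]) >= persistence_threshold
        r["verdict"] = "likely_compromised" if r["sideload"] and stacked else "review"
    return dict(report)


# Constructed sample telemetry: one host matching the chain, one host with benign noise.
DL = r"C:\Users\alice\Downloads\CrystalDiskInfo"
SAMPLE_EVENTS = [
    {"DeviceName": "GAMING-PC", "ActionType": "ImageLoaded", "FileName": "autorun.dll",
     "FolderPath": DL, "InitiatingProcessFileName": "CrystalDiskInfo.exe",
     "InitiatingProcessFolderPath": DL},
    {"DeviceName": "GAMING-PC", "ActionType": "ImageLoaded", "FileName": "kernel32.dll",
     "FolderPath": r"C:\Windows\System32", "InitiatingProcessFileName": "CrystalDiskInfo.exe",
     "InitiatingProcessFolderPath": DL},
    {"DeviceName": "GAMING-PC", "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "RegistryValueName": r"C:\ProgramData\VCRedist"},
    {"DeviceName": "GAMING-PC", "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "RegistryValueName": "VCRedistUpdate"},
    {"DeviceName": "GAMING-PC", "ActionType": "ProcessCreated",
     "ProcessCommandLine": r'schtasks.exe /create /tn "GpuHealth" /tr C:\ProgramData\VCRedist\svc.exe /sc onlogon'},
    {"DeviceName": "GAMING-PC", "ActionType": "ProcessCreated",
     "ProcessCommandLine": r'schtasks.exe /create /tn "GpuHealth2" /tr C:\ProgramData\VCRedist\svc.exe /sc minute /mo 30'},
    {"DeviceName": "GAMING-PC", "ActionType": "FileCreated", "FileName": "gpuhealth.lnk",
     "FolderPath": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"},
    {"DeviceName": "DEV-PC", "ActionType": "ImageLoaded", "FileName": "version.dll",
     "FolderPath": r"C:\Windows\System32", "InitiatingProcessFileName": "HWMonitor.exe",
     "InitiatingProcessFolderPath": r"C:\Program Files\CPUID\HWMonitor"},
    {"DeviceName": "DEV-PC", "ActionType": "RegistryValueSet",
     "RegistryKey": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "RegistryValueName": "Hidden"},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The sideload rule keys on the DLL being resolved from the same folder as the impersonated executable and that folder being user-writable; a legitimate install under Program Files loading its own DLLs does not match. In real hunting the executable list and writable-folder list would come from an inventory, and the scheduled-task rule would also watch the Task Scheduler operational log, since not every task is created through schtasks.exe.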

That same access, Microsoft warned, could just as easily support data theft, lateral movement, or ransomware later.

Microsoft Defender detected and blocked the activity. To counter this and similar threats, the company recommended enabling cloud-delivered protection, running EDR in block mode, and turning on attack surface reduction rules.