Cryptojacking Campaign Abuses ScreenConnect and .NET

Introduction

Microsoft has uncovered a targeted cryptojacking campaign that goes beyond simple coin mining. The operation uses poisoned search engine results and even AI chatbot-generated software recommendations to direct users to fake download sites, with a clear focus on systems equipped with high-performance GPUs.

For IT teams, this matters because the campaign does not stop at resource hijacking. It also establishes persistent remote access through abused ScreenConnect deployments, creating a pathway for broader compromise.

What’s new

AI-assisted and SEO-poisoned delivery

• Attackers impersonate popular utilities such as CrystalDiskInfo, HWMonitor, FurMark, Display Driver Uninstaller, K-Lite Codec Pack, and PDFgear.
• Users searching for these tools can be redirected to attacker-controlled lookalike sites through traditional SEO poisoning.
• Microsoft also observed indications that AI chatbot responses may have surfaced malicious download links, extending this tactic beyond standard search engines.

DLL sideloading and silent remote access setup

• Malicious ZIP files contain a legitimate executable plus a rogue autorun.dll.
• When launched, the trusted executable sideloads the DLL, which then uses msiexec.exe to silently install another payload.
• That second payload masquerades as vcredist_x64.dll and installs ScreenConnect for persistent remote access.

Post-compromise activity

• After ScreenConnect is established, attackers transfer a SimpleRunPE.exe binary.
• The malware uses process hollowing and hides itself in a concealed folder under the user profile.
• Microsoft notes that the campaign appears optimized for GPU mining yield, not mass infection volume.

Impact on administrators and users

This campaign is especially relevant for organizations with power users, engineers, designers, or developers who may download GPU-related utilities. A successful compromise can lead to:

• Unauthorized GPU resource consumption and degraded system performance
• Persistent attacker access through legitimate remote management software
• Increased risk of lateral movement, credential theft, or ransomware deployment

The abuse of a legitimate tool like ScreenConnect also makes detection and triage more complex for defenders.

Recommended actions

• Enable cloud-delivered protection in Microsoft Defender.
• Run EDR in block mode to help stop post-breach activity.
• Turn on relevant attack surface reduction (ASR) rules.
• Educate users to verify software sources and avoid trusting chatbot-provided download links without validation.
• Review environments for unexpected ScreenConnect installations, suspicious DLL sideloading behavior, and hidden payload paths.

Bottom line

This campaign shows how attackers are blending social engineering, legitimate admin tools, and stealthy execution methods to maximize profit from high-value devices. Security teams should treat fake software download sites and unapproved remote management tool installs as high-priority indicators of compromise.