Security

Cryptojacking Campaign Abuses ScreenConnect and .NET

3 min read

Summary

Microsoft has detailed an active cryptojacking campaign that uses poisoned search results and AI chatbot recommendations to lure users to fake software download sites. The attack abuses DLL sideloading, ScreenConnect, and Microsoft .NET utilities to gain persistent access and mine cryptocurrency on high-GPU systems, raising the risk of follow-on activity such as data theft or ransomware.

Need help with Security?Talk to an Expert

Introduction

Microsoft has uncovered a targeted cryptojacking campaign that goes beyond simple coin mining. The operation uses poisoned search engine results and even AI chatbot-generated software recommendations to direct users to fake download sites, with a clear focus on systems equipped with high-performance GPUs.

For IT teams, this matters because the campaign does not stop at resource hijacking. It also establishes persistent remote access through abused ScreenConnect deployments, creating a pathway for broader compromise.

What’s new

AI-assisted and SEO-poisoned delivery

  • Attackers impersonate popular utilities such as CrystalDiskInfo, HWMonitor, FurMark, Display Driver Uninstaller, K-Lite Codec Pack, and PDFgear.
  • Users searching for these tools can be redirected to attacker-controlled lookalike sites through traditional SEO poisoning.
  • Microsoft also observed indications that AI chatbot responses may have surfaced malicious download links, extending this tactic beyond standard search engines.

DLL sideloading and silent remote access setup

  • Malicious ZIP files contain a legitimate executable plus a rogue autorun.dll.
  • When launched, the trusted executable sideloads the DLL, which then uses msiexec.exe to silently install another payload.
  • That second payload masquerades as vcredist_x64.dll and installs ScreenConnect for persistent remote access.

Post-compromise activity

  • After ScreenConnect is established, attackers transfer a SimpleRunPE.exe binary.
  • The malware uses process hollowing and hides itself in a concealed folder under the user profile.
  • Microsoft notes that the campaign appears optimized for GPU mining yield, not mass infection volume.

Impact on administrators and users

This campaign is especially relevant for organizations with power users, engineers, designers, or developers who may download GPU-related utilities. A successful compromise can lead to:

  • Unauthorized GPU resource consumption and degraded system performance
  • Persistent attacker access through legitimate remote management software
  • Increased risk of lateral movement, credential theft, or ransomware deployment

The abuse of a legitimate tool like ScreenConnect also makes detection and triage more complex for defenders.

  • Enable cloud-delivered protection in Microsoft Defender.
  • Run EDR in block mode to help stop post-breach activity.
  • Turn on relevant attack surface reduction (ASR) rules.
  • Educate users to verify software sources and avoid trusting chatbot-provided download links without validation.
  • Review environments for unexpected ScreenConnect installations, suspicious DLL sideloading behavior, and hidden payload paths.

Bottom line

This campaign shows how attackers are blending social engineering, legitimate admin tools, and stealthy execution methods to maximize profit from high-value devices. Security teams should treat fake software download sites and unapproved remote management tool installs as high-priority indicators of compromise.

Need help with Security?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

cryptojackingScreenConnectDLL sideloadingMicrosoft DefenderSEO poisoning

Related Posts

Security

Salesforce OAuth Abuse: Microsoft Guidance on ShinyHunters

Microsoft detailed how threat activity associated with ShinyHunters abused trusted OAuth relationships in Salesforce to gain persistent access, exfiltrate CRM data, and evade traditional sign-in detections. The company also announced improved Salesforce telemetry and near-real-time detection in Defender for Cloud Apps, giving security teams better visibility into connected apps, OAuth scopes, and suspicious SaaS activity.

Security

Microsoft Entra ID Passkeys Default Rollout Dates

Microsoft will make passkeys the default authentication experience in Entra ID starting September 1, 2026, automatically prompting users currently using SMS or voice MFA to register a passkey. The change matters because Microsoft-provided SMS and voice authentication will be retired on February 1, 2027, pushing organizations toward phishing-resistant authentication and requiring admins to plan migrations now.

Security

Microsoft Secure Future Initiative July 2026 Update

Microsoft’s July 2026 Secure Future Initiative progress report highlights major security gains across identity, cloud resource isolation, vulnerability remediation, and AI-driven defense. The update matters to IT and security teams because it pairs measurable hardening progress with practical guidance on phishing-resistant MFA, secure defaults, composite attack paths, and post-quantum readiness.

Security

GigaWiper Malware: Microsoft Details Destructive Backdoor

Microsoft Threat Intelligence has published a deep analysis of GigaWiper, a Golang-based backdoor that combines command-and-control features with multiple destructive payloads, including disk wiping, fake ransomware, and system sabotage. The research matters because it shows attackers consolidating several malware families into a single modular implant, increasing flexibility while reducing deployment footprint.

Security

Microsoft SFI AI Hardens Cloud Security at Scale

Microsoft detailed an internal multi-agent AI system built under its Secure Future Initiative (SFI) to proactively evaluate and harden live cloud services. The approach speeds up deep security analysis from weeks to hours by correlating code, identity, network, configuration, and runtime signals to uncover composite risks that single-tool reviews can miss.

Security

Cloud Security Posture Management Trends for 2026

Frost & Sullivan’s 2025 Frost Radar shows cloud security posture management is shifting from periodic compliance checks to continuous, risk-based governance within CNAPP platforms. For IT and security teams, the key takeaway is clear: prioritize tools that unify posture, identity, workload, and data signals to reduce risk faster across multicloud environments.