TL;DR
- Microsoft says a sophisticated cryptojacking campaign is targeting gamers and PC enthusiasts with high-performance GPUs through fake software downloads and manipulated AI chatbot links.
- Researchers found that attackers use advanced evasion methods, including DLL sideloading and process hollowing, to hide mining activity and avoid detection.
- The case also highlights growing cybersecurity concerns surrounding AI-generated search recommendations, even as legitimate cryptocurrency mining continues to operate as a lawful industry.
Microsoft has warned users about a sophisticated malware campaign designed to hijack powerful gaming computers for unauthorized cryptocurrency mining. According to Microsoft Threat Intelligence, the operation mainly targets gamers and hardware enthusiasts whose systems contain advanced GPUs capable of generating higher mining output.
Microsoft Defender Experts uncovered a cryptojacking campaign that combines SEO poisoning, trojanized system utility installers, and remote monitoring tool abuse to hijack GPU resources for cryptocurrency mining. https://t.co/nD9E4Q8XrO
The campaign impersonates trusted system…
— Microsoft Threat Intelligence (@MsftSecIntel) May 26, 2026
The company reported that attackers combine SEO manipulation with poisoned AI chatbot recommendations to direct users toward fake software download pages. Victims searching for hardware monitoring or benchmarking tools may unknowingly install malware disguised as legitimate applications.
Microsoft Malware Campaign Targets Crypto Mining Hardware
Unlike traditional cryptojacking campaigns that aim to infect as many devices as possible, this operation appears more selective. Researchers said threat actors focus on systems with premium NVIDIA and AMD graphics cards to maximize mining efficiency.
Microsoft identified malicious download packages impersonating widely used utilities such as CrystalDiskInfo, HWMonitor, and FurMark. After installation, the malware activates quietly through DLL sideloading, allowing harmful code to execute without immediately raising suspicion.
The malicious software reportedly deploys ScreenConnect, a legitimate remote management tool commonly used by IT administrators. By abusing trusted applications, attackers maintain persistent access while lowering the chance of detection.
Researchers also observed the use of process hollowing, a method that injects mining code into legitimate Microsoft-signed Windows processes. This allows the mining activity to operate in the background while appearing as normal system behavior.
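A defender can hunt for the chain described above by correlating two endpoint signals on one host: a utility named like the impersonated tools loading an unsigned DLL from its own folder, followed shortly by a ScreenConnect client start. The sketch below is an added example, not code from Microsoft or from this article. It assumes simplified events modelled on Sysmon ProcessCreate (ID 1) and ImageLoad (ID 7); the `host` and `t` fields, the 15-minute window, the paths and the DLL name are constructed for illustration.

```python
import ntpath

LURES = ("crystaldiskinfo", "hwmonitor", "furmark")  # utilities named in the article
RMM = {"screenconnect.clientservice.exe"}            # ScreenConnect client service binary

def is_lure(image):
    """True if the executable's file name resembles one of the impersonated tools."""
    return any(name in ntpath.basename(image).lower() for name in LURES)

def is_sideload(ev):
    """ImageLoad event: unsigned DLL loaded from the lure executable's own directory."""
    return (ev["id"] == 7 and is_lure(ev["Image"])
            and ntpath.dirname(ev["ImageLoaded"]).lower() == ntpath.dirname(ev["Image"]).lower()
            and ev.get("Signed", "false").lower() != "true")

def triage(events, window=900):
    """Return (host, severity, time) findings; window is an assumed 15 minutes."""
    findings, last_sideload = [], {}
    for ev in sorted(events, key=lambda e: e["t"]):
        host = ev["host"]
        if is_sideload(ev):
            last_sideload[host] = ev["t"]
            findings.append((host, "medium", ev["t"]))
        elif ev["id"] == 1 and ntpath.basename(ev["Image"]).lower() in RMM:
            seen = last_sideload.get(host)
            # A remote-access client appearing right after a suspicious load is escalated.
            if seen is not None and ev["t"] - seen <= window:
                findings.append((host, "high", ev["t"]))
    return findings

# Constructed sample events (not real telemetry).
SAMPLE = [
    {"host": "pc-01", "t": 100, "id": 7,
     "Image": r"C:\Users\kim\Downloads\HWMonitor\HWMonitor.exe",
     "ImageLoaded": r"C:\Users\kim\Downloads\HWMonitor\helper.dll", "Signed": "false"},
    {"host": "pc-01", "t": 160, "id": 1,
     "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"host": "pc-02", "t": 120, "id": 7,
     "Image": r"C:\Program Files\HWMonitor\HWMonitor.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"host": "pc-02", "t": 200, "id": 1,
     "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

ScreenConnect on its own is not flagged, since it is a legitimate tool in many environments; only the pairing with a suspicious load on the same host raises severity.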
AI Search Manipulation Creates New Security Concerns
Microsoft stated that cybercriminals increasingly exploit AI-generated responses and search engine rankings to distribute malware. Some users reportedly encountered harmful links embedded in chatbot-generated recommendations while searching for PC optimization tools and gaming utilities.
The malware continuously monitors GPU activity and pauses mining operations whenever the computer experiences heavy usage. This tactic helps attackers avoid sudden performance drops that could alert victims during gaming sessions or other demanding tasks.
Cybersecurity analysts noted that the incident reflects a broader criminal misuse of computing resources rather than an issue with cryptocurrency itself. Legitimate crypto mining remains a lawful business activity when users voluntarily contribute processing power. The larger concern involves unauthorized access and the growing abuse of trusted online platforms.






