Overview
- Microsoft published a detailed analysis on Tuesday saying it detected and blocked an active campaign that uses poisoned search results and AI chatbot responses to surface malicious download links.
- The operation directs users to lookalike sites offering downloads of popular utilities and hardware tools, chosen so that owners of high-performance GPUs are more likely to install the payload.
- The downloads deliver a ZIP containing a legitimate executable plus a malicious autorun.dll, which uses msiexec to sideload a vcredist_x64.dll; that file in turn acts as an installer for ScreenConnect remote-access software.
- Once ScreenConnect is established, the attackers drop a runner called SimpleRunPE.exe that creates multiple persistence points, adds Defender exclusions, uses process hollowing and anti-analysis checks, and fetches GPU miners such as gminer, lolMiner, and SRBMiner-MULTI.
- Microsoft published IOCs and recommends cloud-delivered protection, attack-surface reduction rules, and EDR in block mode, warning that abused remote-management tools can enable follow-on threats such as lateral movement, data theft, or ransomware.
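The runner's Defender-exclusion step and the mitigations in the last two bullets lend themselves to a host-side check. The script below is an added example, not code from Microsoft's report: it reads the Defender settings the report recommends, flags exclusions that name the tooling described above, and lists any ScreenConnect service. It assumes Windows with the Defender PowerShell module (Get-MpPreference) and an elevated shell; the regex of tool names is constructed from the bullets above.

```powershell
# Added example, not code from Microsoft's report: a read-only audit of the Defender
# settings the report recommends and of the footholds it describes.
# Assumes Windows with the Defender module (Get-MpPreference) and an elevated shell.

$pref = Get-MpPreference

# 1. Cloud-delivered protection. MAPSReporting 0 = disabled, 1 = basic, 2 = advanced.
$cloud = if ($pref.MAPSReporting -eq 0) { 'DISABLED' } else { 'enabled' }
Write-Output "Cloud-delivered protection: $cloud"

# 2. Defender exclusions. The runner in this campaign adds its own, so any exclusion that
#    names the tooling from the report deserves immediate attention (pattern constructed
#    from the names in the bullets above).
$suspect = 'SimpleRunPE|gminer|lolMiner|SRBMiner|ScreenConnect|vcredist_x64\.dll|autorun\.dll'
$exclusions = @()
foreach ($type in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($value in @($pref.$type)) {
        if ($value) { $exclusions += [pscustomobject]@{ Type = $type; Value = $value } }
    }
}
if ($exclusions.Count -eq 0) { Write-Output 'Defender exclusions: none configured.' }
foreach ($e in $exclusions) {
    $flag = if ($e.Value -match $suspect) { '   <-- matches campaign tooling' } else { '' }
    Write-Output ('Exclusion [{0}] {1}{2}' -f $e.Type, $e.Value, $flag)
}

# 3. Attack-surface reduction rules. Action 1 = Block, 2 = Audit, 6 = Warn, 0 = Disabled.
#    Rules are listed by GUID; anything not in Block mode is reported for review.
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
if ($ids.Count -eq 0) { Write-Output 'ASR rules: none configured.' }
for ($i = 0; $i -lt $ids.Count; $i++) {
    $state = switch ($actions[$i]) { 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Disabled' } }
    if ($state -ne 'Block') { Write-Output ('ASR rule {0} is in {1} mode' -f $ids[$i], $state) }
}

# 4. Remote-management foothold. The campaign installs ScreenConnect; a ScreenConnect
#    service on a host with no approved use for it is worth investigating.
Get-Service | Where-Object { $_.DisplayName -like '*ScreenConnect*' } | ForEach-Object {
    Write-Output ('ScreenConnect service present: {0} ({1})' -f $_.DisplayName, $_.Status)
}
```

Any flagged exclusion or unexpected ScreenConnect service should be cross-checked against the IOCs Microsoft published rather than treated as proof on its own.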