From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
Microsoft Defender Experts identified an active cryptojacking campaign that combines traditional SEO poisoning with AI-assisted delivery mechanisms. The attackers run fake download sites impersonating trusted hardware utilities such as CrystalDiskInfo, HWMonitor, and FurMark, a lure aimed at PC enthusiasts and hardware-focused users, the group most likely to own the discrete GPUs that make mining profitable. A victim downloads a ZIP archive containing a legitimate executable bundled with a malicious DLL; the executable sideloads the DLL, which establishes persistence by installing the ScreenConnect remote-access client. ScreenConnect is a legitimate ConnectWise remote-support product, so the indicator is an installation the user or IT did not initiate rather than the software itself. The operation also performs process hollowing into Microsoft-signed .NET binaries to host its payload and applies a range of defense-evasion techniques. Beyond cryptocurrency mining, the persistent remote access it establishes could enable data theft, lateral movement, or ransomware deployment.
Indicators of Compromise
Domain
- direct-download.gleeze.com
- minemine.gleeze.com
- start-download.gleeze.com
Ip
- 193.42.11.108
Url
- http://minemine.gleeze.com:8443/ws
Hash (SHA-256, 64 hex characters)
- 1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5
- 062bb28765fbaa11f8cc341fa16e2c7f942a122d929cb41f4a0f755b4429f246
- 16562974deec80e41ef57a71a6de8c03ceb393005fb1432f8d9d82c61294ef8c
- 2ee93ccbcd49ed94c65dcf52e7dcb8f0fa0a443ca24c0e0c7f79152efba657b7
- 69077fcf940fc5852fb32beed15636756ebc04ac971b7ed71d36251e7ea70a20
- 7035c2abeb617e828dfda1b119b8544fa9ae15a1d263d18bc5506acaf381f496
- 9ff07c9fafa9c03fdf69e4abf6806aa7c938b5480e7e258f227db0719ecd6386
- a460d00ef93c8ce70d32e48e55781af66a53328fc2dde45519be196c265de074
- c7425fbe6c3a4937934215c54027d4b67202d12ab490682fae03498870d66d06
- cf3f8160eb5a5580e0c35054847e3ac4d01e9fe74fab8bc12bf6e8a40bf696b2
- db2d33c4e6e4a5c2263b56e8303c343305a94dde1fc2968304ba260acbbd9f9f
- e021662a652ba95c8778b991056696ab3c9b0f60d5e23b1e6cf73c3847db6610
Hash (SHA-1, 40 hex characters)
- 017830597704acd90fb171f3025bc6f28745da57
- 62d5e9ed6c1444469e4b89f3ca6c2047a5e8eb98
- bbeaac7ef00268bd5cc583e26624e760085581dc
- c27a1688fa5a4ec9497da0fc9bd88c8b362234c5
- f9ea4f4b636614226579ac6cbfc8abe21539a8da
Hash (MD5, 32 hex characters)
- 4125681f9276487f4318c7ce9c8b6786
- 512b49f441765698c679b5da5f0cc868
- 56b75638beabd690f38de434f7efd623
- 661d4551df34661f3ffc565e2f4ecdbc
- d58ce78503c60c19926ed642f0eb9d53
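As an added example (not code from the pulse, from AlienVault, or from Microsoft's write-up), the script below loads the indicators listed above, splits the hash list by digest algorithm, and runs a few telemetry records against the indicator set. The telemetry records, host names (ws01..ws03) and field names are constructed for the demonstration; only the indicator values come from the page.

```python
"""IOC triage for the pulse above (added example; not code from the
pulse, from AlienVault, or from Microsoft). Telemetry records are
constructed for the demo; only the indicator values come from the page."""
import re
from urllib.parse import urlparse

# Network indicators, verbatim from the pulse.
IOC_DOMAINS = {"direct-download.gleeze.com", "minemine.gleeze.com",
               "start-download.gleeze.com"}
IOC_IPS = {"193.42.11.108"}
IOC_URLS = {"http://minemine.gleeze.com:8443/ws"}

# All 22 file hashes from the pulse, in the mixed order they are published.
IOC_HASHES = """
1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5
4125681f9276487f4318c7ce9c8b6786 512b49f441765698c679b5da5f0cc868
56b75638beabd690f38de434f7efd623 661d4551df34661f3ffc565e2f4ecdbc
d58ce78503c60c19926ed642f0eb9d53
017830597704acd90fb171f3025bc6f28745da57 62d5e9ed6c1444469e4b89f3ca6c2047a5e8eb98
bbeaac7ef00268bd5cc583e26624e760085581dc c27a1688fa5a4ec9497da0fc9bd88c8b362234c5
f9ea4f4b636614226579ac6cbfc8abe21539a8da
062bb28765fbaa11f8cc341fa16e2c7f942a122d929cb41f4a0f755b4429f246
16562974deec80e41ef57a71a6de8c03ceb393005fb1432f8d9d82c61294ef8c
2ee93ccbcd49ed94c65dcf52e7dcb8f0fa0a443ca24c0e0c7f79152efba657b7
69077fcf940fc5852fb32beed15636756ebc04ac971b7ed71d36251e7ea70a20
7035c2abeb617e828dfda1b119b8544fa9ae15a1d263d18bc5506acaf381f496
9ff07c9fafa9c03fdf69e4abf6806aa7c938b5480e7e258f227db0719ecd6386
a460d00ef93c8ce70d32e48e55781af66a53328fc2dde45519be196c265de074
c7425fbe6c3a4937934215c54027d4b67202d12ab490682fae03498870d66d06
cf3f8160eb5a5580e0c35054847e3ac4d01e9fe74fab8bc12bf6e8a40bf696b2
db2d33c4e6e4a5c2263b56e8303c343305a94dde1fc2968304ba260acbbd9f9f
e021662a652ba95c8778b991056696ab3c9b0f60d5e23b1e6cf73c3847db6610
""".split()

_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hashes(hashes):
    """Bucket hex digests by algorithm, inferred from digest length.
    Feeding a mixed list to a tool that expects one algorithm silently
    drops the others, so split them first."""
    buckets = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in hashes:
        h = h.strip().lower()
        if not re.fullmatch(r"[0-9a-f]+", h) or len(h) not in _ALGO_BY_LEN:
            raise ValueError(f"not an md5/sha1/sha256 hex digest: {h!r}")
        buckets[_ALGO_BY_LEN[len(h)]].add(h)
    return buckets


HASHES = classify_hashes(IOC_HASHES)


def url_key(url):
    """(host, port, path) so the http:// form in the pulse and a ws://
    form seen in a proxy log compare equal."""
    p = urlparse(url)
    port = p.port or (443 if p.scheme in ("https", "wss") else 80)
    return (p.hostname, port, p.path or "/")


IOC_URL_KEYS = {url_key(u) for u in IOC_URLS}


def match_event(ev):
    """Return [(indicator_type, value)] hits for one telemetry record.
    Recognised keys: dns, dst_ip, url, md5, sha1, sha256 (all optional)."""
    hits = []
    dns = ev.get("dns", "").lower().rstrip(".")
    if dns in IOC_DOMAINS:  # exact host only: the gleeze.com zone is shared
        hits.append(("domain", dns))
    if ev.get("dst_ip") in IOC_IPS:
        hits.append(("ip", ev["dst_ip"]))
    if ev.get("url") and url_key(ev["url"]) in IOC_URL_KEYS:
        hits.append(("url", ev["url"]))
    for algo in ("md5", "sha1", "sha256"):
        v = ev.get(algo, "").lower()
        if v in HASHES[algo]:
            hits.append((algo, v))
    return hits


def scan(events):
    """Run every record through match_event; returns [(host, hit), ...]."""
    return [(ev.get("host"), hit) for ev in events for hit in match_event(ev)]


# Constructed telemetry: two infected hosts and one clean one.
SAMPLE_EVENTS = [
    {"host": "ws01", "dns": "MINEMINE.gleeze.com."},
    {"host": "ws01", "url": "ws://minemine.gleeze.com:8443/ws",
     "dst_ip": "193.42.11.108"},
    {"host": "ws02", "sha256": "1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5"},
    {"host": "ws03", "dns": "gleeze.com"},                       # apex only: no hit
    {"host": "ws03", "md5": "d41d8cd98f00b204e9800998ecf8427e"},  # MD5 of an empty file
]

if __name__ == "__main__":
    for algo, digests in HASHES.items():
        print(f"{algo}: {len(digests)} indicators")
    for host, (kind, value) in scan(SAMPLE_EVENTS):
        print(f"{host}: {kind} {value}")
```

The hash list as published mixes three digest lengths (32, 40 and 64 hex characters, i.e. MD5, SHA-1 and SHA-256), and most EDR and firewall import formats want one algorithm per list, so the classification step is what makes the list usable. Domains are matched as exact hosts: the three hostnames sit under gleeze.com, a dynamic-DNS zone shared with unrelated hosts, so blocking the apex would be noisy. The URL comparison keys on host, port and path so that the http:// form in the pulse also matches a ws:// form recorded by a proxy.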
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/
- Adversary: none listed
- Pulse Id: 6a1634fbefeffa7f0c6a52f5
- Threat Score: none listed
Threat ID: 6a16f9b3e29bf47b50c0d5e1
Added to database: 5/27/2026, 2:03:32 PM
Last updated: 5/27/2026, 3:11:20 PM