GPU mining malware spreads via SEO poisoning, AI chatbots
Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommendations. [...]
AI Analysis
Technical Summary
This ongoing cryptojacking campaign targets systems with powerful GPUs by poisoning search engine results and influencing AI chatbot responses to direct users to attacker-controlled domains hosting malicious downloads. The downloads appear as legitimate utility software but include a malicious DLL that installs the ScreenConnect remote management tool for persistent access. The malware employs process hollowing into signed Windows utilities and uses multiple persistence mechanisms. It also evades detection by excluding itself from Microsoft Defender and terminating if analysis tools or virtual machines are detected. After establishing persistence, the malware downloads one of three GPU mining programs (gminer, lolMiner, SRBMiner-MULTI) to maximize mining efficiency on compromised devices.
Potential Impact
Infected systems provide attackers with persistent remote access via ScreenConnect, enabling further malware deployment. The primary impact is unauthorized cryptocurrency mining using the victim's GPU resources, which can degrade system performance and increase operational costs. The campaign is notable for its targeted approach to maximize GPU mining yield rather than broad infection volume. There is no indication of data theft or direct system destruction from the provided information.
Mitigation Recommendations
No official patch is available, as this is a malware campaign rather than a software vulnerability. Users should avoid downloading utilities from untrusted sources and verify URLs carefully, including links surfaced by search engines and AI chatbots. Organizations should monitor for ScreenConnect installations not authorized by IT and check for the persistence mechanisms and process hollowing behaviors described above. Microsoft Defender exclusions should be audited to detect unauthorized additions. Since the malware evades detection by checking for analysis environments, layered detection strategies including behavioral analysis are recommended. Review the Microsoft advisory linked in the source for indicators of compromise and further guidance.
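One way to run the checks this paragraph calls for, as an added example that is not from the article or the Microsoft advisory: a PowerShell audit that lists Defender exclusions outside an IT allow-list, ScreenConnect services and uninstall entries, and recent Defender configuration-change events (event ID 5007). The allow-list variables are hypothetical placeholders, and the script assumes the Defender module (Get-MpPreference) is present and runs elevated, since current Defender builds hide exclusions from non-administrators.

```powershell
# Added example (not from the article): audit Defender exclusions and look for
# ScreenConnect installs that IT did not authorize. Run from an elevated prompt.

$approvedExclusions = @('C:\Program Files\Corp\Build')   # hypothetical IT allow-list
$approvedScreenConnectServices = @()                      # hypothetical: none approved

$findings = @()

# 1. Defender exclusions (paths, processes, extensions) not on the allow-list.
$pref = Get-MpPreference
$allExclusions = @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)
foreach ($x in $allExclusions) {
    if ($x -and ($approvedExclusions -notcontains $x)) {
        $findings += [pscustomobject]@{ Type = 'DefenderExclusion'; Value = $x }
    }
}

# 2. ScreenConnect client services. The client registers a service named
#    "ScreenConnect Client (<instance id>)", so a prefix match catches it.
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'ScreenConnect*' -or $_.DisplayName -like 'ScreenConnect*' } |
    ForEach-Object {
        if ($approvedScreenConnectServices -notcontains $_.Name) {
            $findings += [pscustomobject]@{ Type = 'ScreenConnectService'; Value = "$($_.Name) [$($_.Status)]" }
        }
    }

# 3. ScreenConnect uninstall entries (32- and 64-bit registry views).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*ScreenConnect*' } |
    ForEach-Object { $findings += [pscustomobject]@{ Type = 'ScreenConnectUninstallEntry'; Value = $_.DisplayName } }

# 4. Recent Defender configuration changes that touched exclusions (event ID 5007).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } `
             -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object {
        $msg = ($_.Message -replace '\s+', ' ')
        $findings += [pscustomobject]@{ Type = 'DefenderExclusionChange'; Value = "$($_.TimeCreated): $msg" }
    }

if ($findings.Count -eq 0) { 'No unapproved exclusions or ScreenConnect artifacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Any ScreenConnect finding should be cross-checked with the IT asset inventory before removal, since the same tool is commonly used legitimately by help desks.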
Technical Details
Article source: https://www.bleepingcomputer.com/news/security/gpu-mining-malware-spreads-via-seo-poisoning-ai-chatbots/ (fetched 2026-05-27T21:33:33.259Z, 858 words)
Threat ID: 6a17632de29bf47b50f09ad8
Added to database: 5/27/2026, 9:33:33 PM
Last enriched: 5/27/2026, 9:33:41 PM
Last updated: 5/29/2026, 6:46:24 PM