AI Chatbots Weaponized: Cryptojacking Campaign Leverages LLMs to Distribute Malware
**Microsoft** is warning of a new cryptojacking campaign that exploits AI chatbot interactions to direct users to malicious download sites. The technique extends familiar social engineering tactics: a malware link that surfaces inside a chatbot's answer reaches more users and borrows the perceived trustworthiness of the recommendation.

### AI-Powered Social Engineering
**Microsoft Defender Experts** and the **Microsoft Defender Security Research Team** revealed that threat actors are using AI chatbots to promote malicious software, impersonating legitimate system utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. The campaign aims to compromise systems with high-performance GPUs, maximizing mining yield.
### Persistent Access and Data Theft
The attackers aren't solely focused on financial gain. They establish persistent remote access via **ScreenConnect** deployments, potentially leading to data theft, lateral movement, or ransomware attacks.
### Attack Chain Details
The attack begins with users searching for trusted utilities, leading them to malicious sites boosted by SEO poisoning. More recently, users are being directed to these sites through AI chatbot interactions.
"In these cases, users querying AI chatbots for software download recommendations were presented with links to attacker-controlled domains within generated responses," **Microsoft** stated.
These sites host download buttons that retrieve ZIP archives from subdomains of gleeze[.]com, hosted by **Dynu**, a dynamic DNS provider often used by malicious actors. Over 150 malicious domains have been identified.

### Malware Installation and Persistence
The downloaded ZIP contains a legitimate executable and a malicious DLL ("autorun.dll") that installs a second DLL named "vcredist_x64.dll" using "msiexec.exe". This file is a packaged installer for **ScreenConnect**.
Once installed, **ScreenConnect** attempts to connect to an attacker-controlled server. The **ScreenConnect** session then delivers an executable called "SimpleRunPE.exe".
This binary establishes persistence via Registry Run keys and scheduled tasks, configures **Microsoft Defender** exclusions, performs anti-analysis checks, and uses process hollowing to launch the mining code under a trusted **Microsoft**-signed binary.
Some compromises involve a **PowerShell** script that fetches the binary from a remote drive, saves it as "vlc.exe" to blend in with legitimate software, creates a scheduled task to launch it, and then deletes itself.
### Mining Operations
The hollowed binary communicates with the attacker's server, transmits host information, downloads the miner archive, and executes it. The malware supports gminer, lolMiner, and SRBMiner-MULTI.
The binary also recreates its persistence artifacts and reconfigures **Defender** exclusions if they are removed. It monitors running processes and terminates the miner when it detects **Windows Task Manager**, Process Hacker, Process Explorer, or System Informer, which hides the CPU and GPU load from a user who goes looking for it.
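The installation and persistence steps above leave telemetry a defender can hunt for without relying on file hashes: `msiexec.exe` being handed a `.dll` as its package, new entries under the **Defender** exclusions registry key, scheduled tasks whose action lives in a user-writable directory, and connections to `gleeze[.]com` subdomains. The script below is an added example written for this article, not Microsoft's code or detection content. It runs a few such heuristics over constructed sample events in a simplified, hypothetical JSON-lines schema (`type`, `image`, `cmdline`, `parent`, `key`, `value`, `name`, `action`, `host`); the Defender exclusion key path is the standard one, everything else in the sample is made up. Two of the rules generalize beyond the page: any DLL passed to `msiexec.exe` and any task rooted in a user profile, `ProgramData` or `Windows\Temp` are flagged, not just the file names reported here.

```python
"""Hunt heuristics for the cryptojacking chain described in the article.

Added example, not Microsoft's code. The event schema below is hypothetical;
map the field names onto your EDR or Sysmon export before use.
"""
import json
import re

# Constructed sample telemetry (not real data). One JSON event per line:
# a lure installer launching msiexec with a DLL, a Defender exclusion being
# written, a task pointing at a renamed binary in AppData, a callback to a
# gleeze.com subdomain, the staged loader, and two benign events as controls.
SAMPLE_EVENTS = r"""
{"type":"process","image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"msiexec.exe /i C:\\Users\\bob\\AppData\\Local\\Temp\\vcredist_x64.dll /qn","parent":"C:\\Users\\bob\\Downloads\\CrystalDiskInfo\\CrystalDiskInfo.exe"}
{"type":"registry","key":"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths","value":"C:\\Users\\bob\\AppData\\Roaming\\vlc.exe"}
{"type":"task","name":"VLCUpdater","action":"C:\\Users\\bob\\AppData\\Roaming\\vlc.exe"}
{"type":"network","image":"C:\\Users\\bob\\Downloads\\CrystalDiskInfo\\CrystalDiskInfo.exe","host":"update.gleeze.com"}
{"type":"process","image":"C:\\Users\\bob\\AppData\\Local\\Temp\\SimpleRunPE.exe","cmdline":"SimpleRunPE.exe","parent":"C:\\hypothetical\\remote-access-client.exe"}
{"type":"process","image":"C:\\Program Files (x86)\\VideoLAN\\VLC\\vlc.exe","cmdline":"vlc.exe","parent":"C:\\Windows\\explorer.exe"}
{"type":"task","name":"Adobe Acrobat Update Task","action":"C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"}
"""

# Directories a standard user can write to; persistence launched from here
# deserves a look, while Program Files / System32 are the normal case.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\|ProgramData\\|Windows\\Temp\\)", re.IGNORECASE
)


def rule_msiexec_dll(ev):
    """msiexec normally installs .msi/.msp packages; a .dll argument is odd."""
    if ev.get("type") != "process":
        return None
    if not ev["image"].lower().endswith("\\msiexec.exe"):
        return None
    if re.search(r"\S+\.dll\b", ev.get("cmdline", ""), re.IGNORECASE):
        return f"msiexec.exe given a .dll as its package: {ev['cmdline']}"
    return None


def rule_defender_exclusion(ev):
    """Any write under the Windows Defender Exclusions key."""
    if ev.get("type") == "registry" and "\\windows defender\\exclusions\\" in ev["key"].lower():
        return f"Defender exclusion added: {ev['value']}"
    return None


def rule_task_user_path(ev):
    """Scheduled task whose action lives in a user-writable directory."""
    if ev.get("type") == "task" and USER_WRITABLE.search(ev["action"]):
        return f"scheduled task {ev['name']!r} runs from user-writable path: {ev['action']}"
    return None


def rule_known_domain(ev):
    """Connection to the dynamic-DNS parent domain named in the report."""
    if ev.get("type") != "network":
        return None
    host = ev["host"].lower()
    if host == "gleeze.com" or host.endswith(".gleeze.com"):
        return f"connection to reported dynamic-DNS domain: {host}"
    return None


def rule_known_binary(ev):
    """Loader file name reported in the campaign (weakest signal; easy to rename)."""
    if ev.get("type") != "process":
        return None
    if ev["image"].rsplit("\\", 1)[-1].lower() == "simplerunpe.exe":
        return f"reported loader name executed: {ev['image']}"
    return None


RULES = [rule_msiexec_dll, rule_defender_exclusion, rule_task_user_path,
         rule_known_domain, rule_known_binary]


def hunt(raw_lines):
    """Return (rule_name, detail) for every event any rule matches."""
    findings = []
    for line in raw_lines.strip().splitlines():
        ev = json.loads(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((rule.__name__, hit))
    return findings


if __name__ == "__main__":
    for name, detail in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The benign `vlc.exe` under Program Files and the Adobe updater task are included as controls and produce no findings; the renamed `vlc.exe` in `AppData\Roaming` is caught by the task rule and the exclusion rule rather than by its name, which is the point of hunting on behaviour instead of on the file names the attacker chooses.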
### Microsoft's Broader Security Warnings
This disclosure follows **Microsoft's** warning about an incident in which attackers compromised an internet-facing **F5 BIG-IP** firewall appliance and pivoted to an internal Linux host, another case of internet-facing edge appliances being exploited for initial access.
The attacker used the Linux host to move laterally to a vulnerable **Atlassian Confluence** server. They set up an FTP server using **Python's ftplib module** to transfer a custom scanning tool and obtain credentials for authentication against **Windows** infrastructure, followed by Kerberos relay attacks and the exploitation of **CVE-2025-33073**.

"In this incident, the threat actor authenticated to a Linux server over SSH using a privileged account. The threat actor maintained this level of access throughout the observed activity without establishing explicit persistence mechanisms, underscoring the risk posed by over-privileged identities with sudo rights."
Earlier this month, **Microsoft** highlighted another intrusion where attackers abused trusted operational relationships and authentication processes via a compromised third-party IT services provider.
**Microsoft** advises defenders to adopt a posture of deliberate verification and validate vendor behavior within their environment.