Cybersecurity News

🤖 AI Chatbots Deliver Cryptojacking Malware — Microsoft Warns

By A Yousaf Tanoli, hobbyist with a keen interest in password security and online safety · 27 May 2026 · 9 min read · 1,837 words

Microsoft has warned of an active cryptojacking campaign that uses AI chatbot interactions to redirect users to malicious download sites — a technique that extends social engineering beyond traditional search engines into the heart of how millions now discover software. The campaign, disclosed on 26 May 2026 by Microsoft Defender Experts, targets users of system utilities like CrystalDiskInfo, HWMonitor, and Display Driver Uninstaller, but what makes it different from standard SEO poisoning is the AI-assisted delivery channel. This follows a string of recent credential-related incidents, including the 184 million plain-text password leak discovered earlier this month, underscoring how credential theft remains the dominant attack vector in 2026.

We analysed the attack chain, the implications for credential security, and what you can do right now to protect your systems. For creating strong, unique passwords that guard your accounts even if a machine gets compromised, you can use the TitanPasswords FIPS-compliant generator or our dedicated password tools. For more on choosing the right protection, see our expert comparison of the best password managers for banking security.

What Is the AI-Assisted Cryptojacking Campaign?

Microsoft's Defender Security Research Team published a detailed report on 26 May 2026 documenting an active campaign where threat actors use two parallel delivery channels:

  1. Traditional SEO poisoning — Malicious download sites appear in search engine results for popular system utilities
  2. AI chatbot recommendation poisoning — Users querying large language model (LLM) chatbots for software download recommendations were presented with links to attacker-controlled domains within generated responses

According to Microsoft, the AI-assisted delivery was observed in April 2026 through analysis of VirusTotal traffic metadata that corroborated chatbot interactions as a referral context. The campaign operates through more than 150 malicious domains impersonating trusted brands including CrystalDiskInfo, HWMonitor, Display Driver Uninstaller (DDU), FurMark, K-Lite Codec Pack, and PDFgear.

The threat actors deliberately target users likely to own high-performance GPUs — PC enthusiasts, gamers, and hardware reviewers — because compromised systems with powerful graphics cards offer higher cryptocurrency mining value. This is a precision operation, not a spray-and-pray malware campaign.

The Attack Chain: From AI Chat to Compromised Machine

The infection chain unfolds in four stages:

Stage 1: Social Engineering via AI or Search

A user searches for "download HWMonitor" or asks their AI chatbot for a hardware-monitoring tool recommendation. The chatbot (or search engine) surfaces an attacker-controlled domain that looks legitimate. Microsoft observed more than 150 domains involved in this campaign, all linked to a dynamic DNS infrastructure provided by Dynu, a service frequently abused by threat actors.

Stage 2: DLL Sideloading

The download site serves a ZIP archive from a campaign-specific subdomain of gleeze[.]com. Inside the archive: the legitimate executable for the utility plus a malicious DLL named autorun.dll. When the user launches the executable, the legitimate program unwittingly loads the malicious DLL via DLL sideloading — no exploit required, no error message displayed. Microsoft identified nine distinct autorun.dll variants across this campaign.

Stage 3: Silent ScreenConnect Installation

autorun.dll uses msiexec.exe to silently install a second DLL named vcredist_x64.dll (masquerading as a Visual C++ Redistributable). This file is a packaged installer for ScreenConnect, a legitimate remote management tool. The campaign abuses ScreenConnect to establish persistent remote access to compromised hosts, which can then be leveraged for:

Stage 4: Process Hollowing and Persistence

Once the ScreenConnect session is active, the attacker drops SimpleRunPE.exe — a binary that uses process hollowing to inject mining code into a trusted Microsoft-signed binary. The malware also establishes persistence via Registry Run keys and scheduled tasks, configures Microsoft Defender exclusions to avoid detection, and runs anti-analysis checks. If users open Task Manager or Process Hacker, the miner immediately terminates itself — a classic evasion technique.

Why This Matters for Your Credential Security

Campaigns like this one highlight a growing reality: credential theft is often a secondary objective, achieved after the initial compromise. A machine infected with cryptojacking malware via a poisoned AI recommendation can later be used to steal saved passwords, browser cookies, session tokens, and credential database files. According to the 2025 Verizon Data Breach Investigations Report, more than 80% of web application breaches involve weak, stolen, or reused credentials — and once an attacker has a foothold on your machine, extracting those credentials becomes trivial.

The IBM Cost of a Data Breach 2025 report found that compromised credentials were the most common initial attack vector, costing organisations an average of $4.81 million per incident. The ScreenConnect backdoor installed by this campaign gives attackers exactly the kind of persistent access needed to steal credentials over time.

This is why strong password hygiene matters even if you're careful about what you download. If your machine becomes compromised through a trusted utility download — one that a chatbot recommended — the attacker still can't use your passwords if they're protected by a robust password manager with hardware-backed encryption. The NIST SP 800-63B guidelines recommend using unique, randomly generated passwords for every account, which prevents a single compromised machine from giving attackers access to your entire digital life.

How to Protect Yourself from AI-Powered Malware Campaigns

Based on our analysis of this campaign and the broader threat landscape, here are the steps every user should take:

1. Verify Software Sources Independently

Never click download links from AI chatbot responses without verifying the official source. Use the software vendor's official website (check the URL carefully) or trusted marketplaces like the Microsoft Store. Attackers registered more than 150 domains impersonating legitimate software — typosquatting and lookalike domains are increasingly sophisticated.

2. Use a Password Manager with Strong Encryption

A password manager like Keeper Security or Dashlane Business ensures that even if a machine is compromised, your credentials remain encrypted behind a master password or hardware security key. Kaspersky Premium offers integrated password management with real-time breach monitoring and malware protection — providing both preventive and reactive security in one suite. We covered password manager options in depth in our expert comparison. 🎓 Save 50% Off

3. Enable Credential Guard and EDR

For Windows users, enable Microsoft Defender's cloud-delivered protection and endpoint detection and response (EDR) in block mode. Attackers in this campaign specifically targeted Defender exclusions — having EDR in block mode prevents them from disabling protections even if they gain initial access. The CISA recommends enabling attack surface reduction rules to block common infection vectors like DLL sideloading.

4. Secure Your Communication Channels

Phishing and malware delivery increasingly target communication tools beyond email. Using an end-to-end encrypted communication platform like Trekmail ensures that your sensitive communications — including security alerts and password reset links — remain private even if your network is compromised.

5. Use a VPN for Browsing Protection Get PureVPN — Privacy & Security Online

Many malware delivery campaigns use geographic targeting and IP-based filtering to avoid detection. A reliable VPN like Hide My Name VPN obscures your IP address and encrypts your browsing traffic, making it harder for threat actors to profile and target you. For travel and public Wi-Fi use, Turbo VPN provides an additional layer of security when accessing critical accounts from untrusted networks.

6. Implement the Three-Tier Password Strategy

Not all accounts need the same level of protection. Our Three-Tier Password Strategy helps you prioritise which credentials need the strongest protection — ensuring your email and banking accounts (Tier 1) get 20+ character unique passwords while lower-risk accounts get proportionally appropriate protection.

How AI-Powered Threats Are Evolving

Microsoft's report is the latest in a series of disclosures showing how threat actors are adapting to the AI era. The NCSC (National Cyber Security Centre) has warned that AI tools amplify existing threats rather than creating entirely new ones — but the delivery method matters. When a user trusts an AI chatbot recommendation, the social engineering is more effective because the recommendation feels personalised and authoritative.

The European Union Agency for Cybersecurity (ENISA) noted in its 2025 Threat Landscape report that AI-enabled social engineering is the fastest-growing threat vector, with incidents increasing 300% year over year. The campaign documented by Microsoft confirms this trend: AI chatbots are now actively being used as distribution channels for malware.

What the Campaign's Evolution Means for 2026

Several aspects of this campaign signal where credential threats are heading:

FAQs

How do AI chatbots get poisoned to recommend malware?

AI chatbots generate responses based on their training data and any real-time search results they access. Attackers use SEO poisoning techniques to ensure their malicious download sites appear in the search results that chatbots incorporate. When a user asks for a "safe download link," the chatbot may surface the attacker's domain if it has been SEO-optimised to rank highly. Microsoft's report confirms that VirusTotal traffic metadata showed chatbot referrals to the malicious domains in this campaign.

Can cryptojacking malware steal my passwords?

Yes. While cryptojacking malware's primary purpose is cryptocurrency mining, the ScreenConnect backdoor installed in this campaign provides attackers with full remote control of the compromised machine. From there, they can extract saved browser passwords, session cookies, password manager vault files, and credential database records. Any machine with persistent remote access should be treated as fully compromised.

Is my gaming PC at higher risk?

Gaming PCs and workstations with high-performance GPUs are specifically targeted by this campaign because they offer higher cryptocurrency mining value. The campaign's operators deliberately selected utilities popular with PC enthusiasts — CrystalDiskInfo, HWMonitor, Display Driver Uninstaller — making gamers and hardware enthusiasts the primary demographic at risk.

How do I check if I've been infected with this malware?

Look for unexpected ScreenConnect client processes running in Task Manager. Check for scheduled tasks with unusual names, particularly those that launch executables from non-standard locations. Microsoft Defender with cloud-delivered protection detects and blocks this campaign. You can also check your browser download history for any ZIP files from unknown domains, especially those ending in gleeze[.]com subdomains.

What should I do if I downloaded software from a chatbot recommendation?

If you downloaded any utility — especially CrystalDiskInfo, HWMonitor, DDU, FurMark, K-Lite Codec Pack, or PDFgear — from a chatbot link or search result in the past two months, run a full Microsoft Defender scan immediately. Then change all passwords stored on that device, starting with your email and banking accounts. Enable multi-factor authentication on all critical accounts as an additional safeguard.

Generate a Free Strong Password →

⚡ Try NordPassGet NordPass Up to 53% Off - 2 Year Family Plan and experience enterprise-grade password security at an affordable price. Features include zero-knowledge encryption, cross-platform sync, and breach monitoring.

class="related" style="margin-top:48px;padding-top:32px;border-top:1px solid var(--s2)">

Related Articles

More Password Security Tools

🔑 SecureKeyGen🛡️ Best Password Generator🔐 Free Strong Password⚡ Instant Password🗝️ Iron Vault Keys🔑 Random Pwd Tool👨‍👩‍👧‍👦 Safe Pass Builder🛡️ Trusty Password⚙️ StrongPassFactory🔑 SecureKeyGen.org📚 TrustyPassword.org
We use cookies to improve your experience. Learn more