Pulse: From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
TLP: WHITE | Author: AlienVault | Created: 2026-05-27 | Modified: 2026-05-27 | Indicators: 27 (medium volume)
Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.
Indicators of Compromise (27)