Microsoft has warned of a new malware campaign in which threat actors abuse AI chatbot recommendations to steer users toward download pages that serve malware. The campaign marks a shift away from traditional SEO poisoning toward AI-assisted social engineering.
Researchers say the attackers impersonate familiar and "trusted" software utilities such as CrystalDiskInfo, HWMonitor, FurMark, K-Lite Codec Pack and PDFgear. The targeting appears to focus on users with high-performance GPUs, since compromised machines of that kind are more profitable, mainly through cryptocurrency mining.
Rather than manipulating search engine results alone, the attackers are now targeting conversations with AI chatbots. A user who asks an AI assistant for a software recommendation may receive links to attacker-controlled websites dressed up to look like legitimate download sources. Researchers describe this as an evolution of search poisoning for the AI era.
Once the victim downloads the bogus package, the attack chain begins with a ZIP archive. It contains a legitimate-looking executable bundled with malicious DLL files. When the executable runs, it loads those DLLs from its own directory instead of the genuine Windows libraries (DLL sideloading), and the sideloaded code installs further malware, including remote access tools and cryptocurrency miners.
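A first triage check a responder can apply to a suspicious download is whether the archive has the layout described above: an executable shipped next to DLLs, especially DLLs that carry the name of a Windows library an application would normally load from System32. The script below is an added example, not Microsoft's tooling or code from the page. The archive it inspects is constructed in memory, the file names are placeholders, and the list of commonly sideloaded DLL names is an illustrative assumption rather than a complete list.

```python
"""Triage a downloaded ZIP for a DLL-sideloading layout.

Added example (not from the original article). Flags every executable in the
archive that has DLLs in the same folder, and separately lists those DLLs
whose names match Windows libraries that are frequently planted beside a
signed executable so the loader picks them up from the application directory.
"""
import io
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath

# Assumption: an illustrative starting set of DLL names often abused for
# search-order hijacking. Extend it with your own hunting data.
COMMONLY_SIDELOADED = {
    "version.dll", "dbghelp.dll", "winhttp.dll", "wtsapi32.dll",
    "profapi.dll", "cryptbase.dll", "msimg32.dll", "dwmapi.dll", "uxtheme.dll",
}


def find_sideload_candidates(zip_bytes: bytes) -> dict:
    """Return {exe_path: {"dlls": [...], "suspicious": [...]}} for each
    executable that has at least one DLL beside it in the archive."""
    members_by_dir = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            members_by_dir[str(path.parent)].append(path)

    findings = {}
    for files in members_by_dir.values():
        exes = [f for f in files if f.suffix.lower() == ".exe"]
        dlls = [f for f in files if f.suffix.lower() == ".dll"]
        if not exes or not dlls:
            continue  # nothing to sideload into, or nothing to sideload
        for exe in exes:
            findings[str(exe)] = {
                "dlls": sorted(d.name for d in dlls),
                "suspicious": sorted(
                    d.name for d in dlls if d.name.lower() in COMMONLY_SIDELOADED
                ),
            }
    return findings


def build_constructed_sample() -> bytes:
    """Constructed sample archive (placeholder bytes, not a real package):
    a plausible utility beside a DLL it would normally load from System32,
    plus a clean folder with no executable for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tool/Utility.exe", b"MZ placeholder")
        zf.writestr("Tool/version.dll", b"MZ placeholder")
        zf.writestr("Tool/README.txt", b"constructed sample")
        zf.writestr("Docs/manual.pdf", b"%PDF placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for exe, detail in find_sideload_candidates(build_constructed_sample()).items():
        print(exe, detail)
```

A hit on the "suspicious" list is a strong signal when the executable itself is a genuine signed vendor binary: the vendor did not ship `version.dll`, so the copy in the archive is there for the loader to find first.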
Microsoft also noted that in some cases the attackers used ScreenConnect to maintain remote access after infection. The malware then establishes persistence, tampers with security protections, runs anti-analysis checks, and launches its mining components through process hollowing, so the mining code runs under the image of a legitimate process and is harder to spot.
Researchers found support for several mining tools, including gminer, lolMiner and SRBMiner-MULTI. The malware also watches for inspection utilities such as Task Manager, Process Hacker and Process Explorer and immediately halts mining when one of them appears, so the CPU and GPU load that would otherwise give it away is absent while someone is looking.
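That "go quiet when watched" behaviour leaves a pattern in process telemetry: some process terminates within seconds of an analysis tool starting, and does so repeatedly. The correlation below is an added example, not Microsoft's detection logic or code from the page. The event lines are constructed, and their layout (timestamp, event type, image path, PID) is an assumption modelled on process-create and process-terminate records such as Sysmon event IDs 1 and 5.

```python
"""Hunt for processes that exit whenever an analysis tool appears.

Added example (not from the original article). Correlates process-terminate
events against process-create events for known inspection tools and reports
images that terminated inside the window more than once.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Inspection tools named in the article, plus Process Explorer's 64-bit image.
ANALYSIS_TOOLS = {"taskmgr.exe", "processhacker.exe", "procexp.exe", "procexp64.exe"}

# Constructed telemetry (assumed format: ISO timestamp|event|image path|pid).
SAMPLE_EVENTS = [
    r"2024-05-01T10:00:00|ProcessCreate|C:\ProgramData\svc\update.exe|4100",
    r"2024-05-01T10:05:00|ProcessCreate|C:\Windows\System32\Taskmgr.exe|5000",
    r"2024-05-01T10:05:02|ProcessTerminate|C:\ProgramData\svc\update.exe|4100",
    r"2024-05-01T10:05:40|ProcessTerminate|C:\Windows\System32\Taskmgr.exe|5000",
    r"2024-05-01T10:06:00|ProcessCreate|C:\ProgramData\svc\update.exe|4200",
    r"2024-05-01T10:30:00|ProcessCreate|C:\Tools\procexp64.exe|5100",
    r"2024-05-01T10:30:01|ProcessTerminate|C:\ProgramData\svc\update.exe|4200",
    r"2024-05-01T10:31:00|ProcessCreate|C:\Windows\System32\notepad.exe|6000",
    r"2024-05-01T10:45:00|ProcessTerminate|C:\Windows\System32\notepad.exe|6000",
]


def parse_event(line: str):
    """Split one telemetry line into (timestamp, event, image name, pid)."""
    ts, event, image, pid = line.split("|")
    name = image.rsplit("\\", 1)[-1].lower()
    return datetime.fromisoformat(ts), event, name, int(pid)


def find_tool_aware_processes(lines, window=timedelta(seconds=5), min_hits=2) -> dict:
    """Return {image: hit_count} for images that terminated within `window`
    after an analysis tool started, at least `min_hits` times."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e[0])
    tool_starts = [
        ts for ts, ev, name, _ in events
        if ev == "ProcessCreate" and name in ANALYSIS_TOOLS
    ]
    hits = defaultdict(int)
    for ts, ev, name, _ in events:
        if ev != "ProcessTerminate" or name in ANALYSIS_TOOLS:
            continue
        # A termination counts if it lands shortly after any tool launch.
        if any(timedelta(0) <= ts - start <= window for start in tool_starts):
            hits[name] += 1
    return {name: n for name, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    print(find_tool_aware_processes(SAMPLE_EVENTS))
```

Because the miner is started through process hollowing, the terminating image may carry a legitimate name; the correlation keys on timing, not on the name, so it still surfaces the behaviour. Tune the window and threshold against your own baseline, since a user closing a program right after opening Task Manager is a normal one-off.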
The campaign shows how quickly criminals adapt when user habits shift. As more people rely on AI assistants for recommendations and search, attackers are developing methods to exploit that trust and deliver malware through what look like ordinary AI-assisted interactions.
Cybersecurity groups such as IntelligenceX continue to stress that users should verify software origins, watch for unusual network activity, and keep endpoint protection in place, as AI-related threats grow more sophisticated. In practice that means downloading from the vendor's own site rather than from a link surfaced by a chatbot, and checking the publisher's digital signature on the installer before running it.