Microsoft has revealed that a new wave of cryptocurrency mining attacks is targeting users of high-performance PCs, particularly hardware enthusiasts and gamers. Unlike previous campaigns that sought large-scale infections, this one focuses on maximizing the computational output of each individual device, aiming to hijack high-end GPU resources for illicit mining.
Drive traffic using AI chatbots and search results
Microsoft Defender Experts say attackers are exploiting search engine optimization poisoning to embed malicious links in responses from large language model chatbots. Users seeking to download common system tools or hardware testing software are being redirected to lookalike phishing websites.
The impersonated software includes CrystalDiskInfo, HWMonitor, and FurMark. Users who download from these sites receive not legitimate installers, but ZIP archives containing malicious files.
Hide the mining program using system tools
Once the malicious file is executed, it silently loads its payload using DLL side-loading. The attack chain then deploys legitimate remote management tools such as ScreenConnect to maintain persistent control over the compromised device.
Microsoft stated that the attackers also used techniques such as "process hollowing": a custom .NET payload first launches a Windows tool signed by Microsoft, then injects mining code into its memory space to reduce the likelihood of detection.
Monitor GPU usage to avoid detection
This type of malware continuously monitors the host system, including GPU usage and user idle time. When system load increases or the user is actively using the computer, the mining program automatically pauses so that it is not noticed through sudden performance drops.
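The idle-aware throttling described above is itself a detectable pattern: a legitimate GPU-heavy program (a game, a stress test) runs while the user is at the keyboard, whereas this miner is busiest only when nobody is. The following is an added example, not code from Microsoft's report, that turns that observation into a simple heuristic over per-process GPU telemetry. The sample telemetry and the field names (`process`, `gpu_pct`, `user_idle`) are constructed assumptions about what an endpoint agent might emit.

```python
"""Heuristic: flag processes whose GPU load tracks user idleness.

Added example, not from the Microsoft report. The telemetry below is
constructed, and the sample shape is an assumption about the agent.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    ts: int            # seconds since start of the window (constructed)
    process: str       # image name of the process owning the GPU context
    gpu_pct: float     # GPU utilization attributed to that process, 0-100
    user_idle: bool    # True when no input for the agent's idle threshold


# Constructed telemetry: "game.exe" loads the GPU while the user is active,
# as a gamer expects; "updater.exe" loads it only while the user is away.
SAMPLES = [
    Sample(0,   "game.exe",    92.0, False),
    Sample(60,  "game.exe",    88.0, False),
    Sample(120, "game.exe",     5.0, True),
    Sample(0,   "updater.exe",  1.0, False),
    Sample(60,  "updater.exe",  2.0, False),
    Sample(120, "updater.exe", 97.0, True),
    Sample(180, "updater.exe", 95.0, True),
    Sample(240, "updater.exe",  0.5, False),
]


def idle_vs_active(samples):
    """Per process: (mean GPU% while idle, mean GPU% while active, n_idle, n_active)."""
    buckets = defaultdict(lambda: {"idle": [], "active": []})
    for s in samples:
        buckets[s.process]["idle" if s.user_idle else "active"].append(s.gpu_pct)
    out = {}
    for proc, b in buckets.items():
        mean_idle = sum(b["idle"]) / len(b["idle"]) if b["idle"] else 0.0
        mean_active = sum(b["active"]) / len(b["active"]) if b["active"] else 0.0
        out[proc] = (mean_idle, mean_active, len(b["idle"]), len(b["active"]))
    return out


def idle_only_gpu_hogs(samples, idle_min=80.0, active_max=10.0, min_samples=2):
    """Processes that are GPU-heavy only when nobody is at the keyboard.

    Requires at least `min_samples` observations in both states so that a
    single idle sample of a game cannot trigger the rule.
    """
    flagged = []
    for proc, (mean_idle, mean_active, n_idle, n_active) in idle_vs_active(samples).items():
        if (n_idle >= min_samples and n_active >= min_samples
                and mean_idle >= idle_min and mean_active <= active_max):
            flagged.append(proc)
    return sorted(flagged)


if __name__ == "__main__":
    for proc, stats in idle_vs_active(SAMPLES).items():
        print(f"{proc}: idle={stats[0]:.1f}% active={stats[1]:.1f}%")
    print("flagged:", idle_only_gpu_hogs(SAMPLES))
```

The thresholds are deliberately conservative: a process has to be near-saturating the GPU while idle and near-silent while active, on several samples each, before it is reported. In practice this rule is a triage signal to pair with the process's origin (an unsigned binary dropped from a ZIP is a very different story from a signed driver utility), not a verdict on its own.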
Meanwhile, the malicious program repeatedly invokes Windows PowerShell to add relevant paths to antivirus exclusions, further extending its persistence.
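Repeated PowerShell calls that add antivirus exclusions are one of the more reliable things to hunt for in this chain, because a legitimate hardware utility has no reason to do it. The script below is an added example, not code from Microsoft or from the campaign, that triages process-creation log lines for exactly that behaviour: PowerShell running `Add-MpPreference`/`Set-MpPreference` with an `-ExclusionPath`, `-ExclusionProcess` or `-ExclusionExtension` argument, including when the command is hidden behind `-EncodedCommand`. The log lines are constructed; their field names follow Sysmon's event 1 naming (`Image`, `CommandLine`, `ParentImage`), but the JSON shape and the `host`/`ts` fields are assumptions about the collector.

```python
"""Triage process-creation logs for Defender exclusion tampering.

Added example, not from the Microsoft report. Log lines are constructed in a
Sysmon-like JSON shape; the collector's exact field names are assumptions.
"""
import base64
import json
import re
from collections import Counter

# Add-MpPreference / Set-MpPreference followed (in the same statement) by an
# exclusion parameter. Stops at '|' or ';' so unrelated statements don't match.
EXCLUSION_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b[^|;]*-Exclusion(Path|Process|Extension)\b",
    re.IGNORECASE,
)
# PowerShell accepts abbreviated -EncodedCommand switches; capture the base64 blob.
ENCODED_RE = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE
)
POWERSHELL_NAMES = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")


def expand_encoded(cmdline):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) if present."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline + " " + decoded


def is_powershell(image):
    return image.lower().rsplit("\\", 1)[-1] in POWERSHELL_NAMES


def find_exclusion_changes(lines):
    """Findings for PowerShell processes that add or set Defender exclusions."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if not is_powershell(ev.get("Image", "")):
            continue
        raw = ev.get("CommandLine", "")
        full = expand_encoded(raw)
        m = EXCLUSION_RE.search(full)
        if m:
            findings.append({
                "host": ev["host"],
                "ts": ev["ts"],
                "parent": ev.get("ParentImage", ""),
                "exclusion_kind": m.group(2).lower(),
                "encoded": full != raw,
            })
    return findings


def repeat_offenders(findings, threshold=2):
    """Hosts on which the exclusion change was observed at least `threshold` times."""
    counts = Counter(f["host"] for f in findings)
    return {h: n for h, n in counts.items() if n >= threshold}


def _enc(ps):
    """Encode a command the way -EncodedCommand expects (used to build the sample)."""
    return base64.b64encode(ps.encode("utf-16le")).decode()


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample log: two tampering events on ws1 (one plain, one encoded),
# a benign query on ws2, and a non-PowerShell process on ws3.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"ts": "2024-01-01T10:00:00Z", "host": "ws1", "Image": PS,
     "ParentImage": "C:\\Users\\Public\\HWMonitor_setup\\HWMonitor.exe",
     "CommandLine": f'"{PS}" -NoProfile -Command Add-MpPreference -ExclusionPath "C:\\Users\\Public\\HWMonitor_setup"'},
    {"ts": "2024-01-01T10:05:00Z", "host": "ws1", "Image": PS,
     "ParentImage": "C:\\Users\\Public\\HWMonitor_setup\\HWMonitor.exe",
     "CommandLine": f'"{PS}" -w hidden -enc {_enc("Add-MpPreference -ExclusionProcess updater.exe")}'},
    {"ts": "2024-01-01T11:00:00Z", "host": "ws2", "Image": PS,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": f'"{PS}" Get-MpPreference'},
    {"ts": "2024-01-01T11:30:00Z", "host": "ws3", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /c dir"},
]]


if __name__ == "__main__":
    hits = find_exclusion_changes(SAMPLE_LOG)
    for h in hits:
        print(h)
    print("repeat offenders:", repeat_offenders(hits))
```

Two design points worth noting. The exclusion itself, not the cmdlet, is the thing to key on: `Get-MpPreference` and other read-only calls are common in legitimate admin scripting, so matching on `MpPreference` alone would be noisy. And decoding `-EncodedCommand` before matching matters, because the command line alone shows only a base64 blob; the same decoded text is also what Defender's own configuration-change events would reflect, so this log-side check complements rather than replaces those.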
Microsoft stated that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are now able to detect and block threats associated with this attack.
