Signal
Cryptojacking campaign uses AI chatbot and poisoned search results to spread malware
Published 2026-05-26 21:35 UTC
Updated 2026-05-27 07:45 UTC
cryptojacking, malware, threat_actors, incident_response, security_advisory
Evidence trail (top sources)
Top sources (2 domains). Domains are deduped. Counts indicate coverage, not truth. 2 top sources shown.
limited source diversity in top sources
Overview
Microsoft Defender Experts have uncovered an active cryptojacking campaign that leverages AI chatbot interactions alongside traditional search engine poisoning to direct users to malicious download sites.
Entities
Microsoft
Score total: 0.98
Momentum 24h: 2
Posts: 2
Origins: 2
Source types: 1
Duplicate ratio: 0%
Why now
- The campaign is currently active and leveraging emerging AI chatbot technology for social engineering.
- Increased use of AI in malware delivery signals a shift in attacker tactics requiring updated defenses.
- Awareness of this method can help organizations and users better detect and mitigate cryptojacking threats.
Why it matters
- Threat actors are evolving delivery methods by combining AI chatbots with traditional search poisoning to increase malware spread.
- Targeting high-performance GPUs maximizes cryptojacking profitability and resource exploitation.
- Persistent access via ScreenConnect abuse can lead to broader security incidents like data theft or ransomware.
LLM analysis
Topic mix: low
Promo risk: low
Source quality: high
Recurring claims
- AI chatbot interactions are used to surface malicious download sites in a cryptojacking campaign
- The campaign impersonates trusted system utilities to target users with high-performance GPUs for mining
- Persistent remote access is established via abused ScreenConnect deployments, enabling potential data theft or ransomware
How sources frame it
- Microsoft Defender Experts: neutral
All evidence
AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites
thehackernews · thehackernews.com · 2026-05-27 07:45 UTC
From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
Microsoft Security Blog · microsoft.com · 2026-05-26 21:35 UTC
Posts loaded: 0
Publishers: 2
Origin domains: 2
Duplicates: -
Top publishers (this list)
- thehackernews (1)
- Microsoft Security Blog (1)
Top origin domains (this list)
- thehackernews.com (1)
- microsoft.com (1)