Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommendations. ​The compromise occurs through malicious download pages for utility software typically installed by owners of powerful systems, like CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. Once a system is infected, the attacker gets persistent access on the machine by deploying the legitimate remote management ScreenConnect tool, which could later be used to install additional malware. Microsoft researchers discovered the campaign and determined that the attack begins when users look for one of the aforementioned utilities and are presented with malicious links boosted in search rankings through SEO poisoning. However, some reports in April indicated that users were directed to the malicious domains after interacting with AI-based assistants. “In these cases, users querying AI chatbots for software download recommendations were presented with links to attacker‑controlled domains within generated responses,” Microsoft says. The malicious download is a ZIP archive hosted on a subdomain at gleeze[.]com, a domain that has been flagged in the past for being associated with phishing websites. According to Microsoft, the archive includes the legitimate executable for the legitimate utility as well as a malicious DLL that is automatically loaded when launching the benign binary.