Poisoned search results lead to cryptojacking
TL;DR: Microsoft has identified an active cryptojacking campaign that uses poisoned search results and AI chatbot interactions to lure victims. Attackers abuse legitimate tools like ScreenConnect and Microsoft .NET utilities to install GPU miners, hijacking system resources for mining cryptocurrency without user consent.
Key facts
- Category: Cybersecurity
- Impact: High
- Published
- Source: Microsoft Security
Full summary
An active cryptojacking campaign is using poisoned search results and abusing common IT tools like ScreenConnect and .NET to install miners.
Microsoft has detailed an active cryptojacking campaign that uses sophisticated social engineering to compromise systems. Attackers are using search engine optimization (SEO) poisoning to promote malicious download sites in search results. In an emerging tactic, these harmful links are also being surfaced through AI chatbot interactions, tricking users into downloading malware disguised as legitimate software. The campaign's primary goal is to install cryptocurrency miners that secretly use the victim's computer resources. This method highlights a shift in how attackers are leveraging modern tools like AI to broaden their reach and exploit user trust in search and chat platforms.
The attack chain is particularly notable for its use of legitimate and signed software to evade detection. Once a user is compromised, the attackers abuse the remote access tool ScreenConnect and Microsoft .NET utilities to execute their malicious payloads. This allows them to install a GPU-based coin miner, which hijacks the system's processing power for mining cryptocurrency. For security teams, developers, and CTOs, this campaign is a critical reminder that trusted tools can be weaponized. The reliance on common IT and developer utilities makes the malicious activity difficult to distinguish from normal administrative tasks, requiring heightened vigilance and robust endpoint monitoring.
⚡ Action needed
Review security configurations and user training to defend against SEO poisoning and the misuse of legitimate IT administration tools.
Action checklist
1. Educate users on the risks of downloading software from unverified search results.
2. Implement strict application controls to prevent unauthorized software execution.
3. Monitor network traffic for unusual connections related to tools like ScreenConnect.
4. Ensure endpoint detection and response (EDR) solutions are configured to detect misuse of .NET utilities.
5. Review and restrict the use of remote administration tools to only authorized personnel.
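Checklist items 3 to 5 ask for monitoring of ScreenConnect activity, detection of .NET utility misuse, and restriction of remote administration tools to authorized hosts. The following is an added example (not code from Microsoft's report or from this summary) of a small detection pass over process-creation events that expresses those three items as two rules: a .NET framework utility launched with ScreenConnect as its parent, and any ScreenConnect process on a host outside an allow list. The event lines, hostnames, file paths, the allow list and the watch list of .NET binaries are all constructed for the demo; the page does not say which .NET utilities the campaign abused, so the watch list is an assumption a defender would tune for their own environment.

```python
"""Toy detection pass over constructed process-creation events.

Two rules drawn from the action checklist:
  1. dotnet_utility_from_screenconnect: a .NET framework utility whose parent
     process is a ScreenConnect binary (remote-admin tool driving a build or
     install utility is not normal administrative behaviour).
  2. screenconnect_on_unauthorized_host: any ScreenConnect process seen on a
     host that is not on the remote-administration allow list.
Every value below is constructed for this example, not taken from the report.
"""
import json
import ntpath  # handles Windows paths regardless of the platform this runs on

# Assumption: the page does not name the abused utilities; this watch list is
# a starting point of well-known .NET framework binaries, to be tuned locally.
DOTNET_UTILITIES = {"msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe"}

# Constructed allow list of hosts where ScreenConnect use is authorized.
AUTHORIZED_RA_HOSTS = {"HELPDESK-01"}

# Constructed event lines in a simplified JSON schema (one event per line).
SAMPLE_EVENTS = r"""
{"host": "HELPDESK-01", "user": "CORP\\helpdesk1", "parent_image": "C:\\Windows\\System32\\services.exe", "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"}
{"host": "WS-0142", "user": "CORP\\alice", "parent_image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe", "image": "C:\\Windows\\System32\\cmd.exe"}
{"host": "WS-0142", "user": "CORP\\alice", "parent_image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe"}
{"host": "BUILD-07", "user": "CORP\\bob", "parent_image": "C:\\Program Files\\Microsoft Visual Studio\\Common7\\IDE\\devenv.exe", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"}
{"host": "WS-0142", "user": "CORP\\alice", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
"""


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def _is_screenconnect(path: str) -> bool:
    # Assumption: ScreenConnect client binaries carry "screenconnect" in the name.
    return "screenconnect" in _base(path)


def check_event(ev: dict) -> list:
    """Apply both rules to one event; return zero or more findings."""
    image, parent = _base(ev["image"]), _base(ev["parent_image"])
    findings = []
    if image in DOTNET_UTILITIES and _is_screenconnect(ev["parent_image"]):
        findings.append({"host": ev["host"], "rule": "dotnet_utility_from_screenconnect",
                         "parent": parent, "image": image})
    sc_involved = _is_screenconnect(ev["image"]) or _is_screenconnect(ev["parent_image"])
    if sc_involved and ev["host"] not in AUTHORIZED_RA_HOSTS:
        findings.append({"host": ev["host"], "rule": "screenconnect_on_unauthorized_host",
                         "parent": parent, "image": image})
    return findings


def analyze(lines: str) -> list:
    """Parse newline-delimited JSON events and collect findings in order."""
    findings = []
    for line in lines.splitlines():
        line = line.strip()
        if line:
            findings.extend(check_event(json.loads(line)))
    return findings


def hosts_to_triage(findings: list) -> list:
    """Distinct hosts with at least one finding, sorted for reporting."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f['rule']}] host={f['host']} parent={f['parent']} image={f['image']}")
    print("triage:", hosts_to_triage(results))
```

Note that the developer build host (parent `devenv.exe` launching `MSBuild.exe`) produces no finding: the parent-process condition is what separates legitimate developer use of a .NET utility from the remote-access-driven execution the campaign relies on, which is the distinction the summary says is hard to make from the utility name alone.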
Primary source: Microsoft Security
