Microsoft flags ScreenConnect abuse in AI-fed cryptojacking campaign
The miner is the opening bill; persistent remote access is the liability that will keep incident responders busy.
TL;DR
Microsoft Defender says it detected and blocked an active cryptojacking campaign that pushes fake downloads for utilities including CrystalDiskInfo, HWMonitor, FurMark and PDFgear through poisoned search results and, in observed cases, AI chatbot recommendations. The operators appear to target users likely to own high-performance GPUs, then abuse ScreenConnect for persistence. For defenders, this is less a coin-miner nuisance than an unauthorized remote monitoring and management foothold with follow-on options.
Microsoft’s useful point here is not that cryptojackers still exist. They do, and Microsoft has been writing about them for years. The operational change is the path to the victim: attacker-controlled download sites surfaced through classic search poisoning and, according to Microsoft’s observed patterns, through AI chatbot interactions that recommended malicious domains. That matters because “download the hardware utility from the first plausible link” is already a bad habit. AI search makes the same habit feel curated.
The campaign impersonates CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack and PDFgear, a list that is not random. Several of those tools are exactly what a user with a discrete GPU might search for while tuning, testing or fixing a machine. Microsoft reads the targeting as deliberate: fewer infections, higher mining yield per compromised host. That is a more disciplined version of cryptojacking, not a more benign one.
The worse part is ScreenConnect. Microsoft says the campaign establishes persistent remote access through abused ScreenConnect deployments, which could later support data theft, lateral movement or ransomware activity. CISA, NSA and MS-ISAC have been warning since 2023 that legitimate remote monitoring and management tools can function as backdoors for persistence or command and control after phishing or other initial access, including ScreenConnect and AnyDesk, and can sometimes run without full installation or administrative privilege (https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a).
So the Monday work is not exotic. Treat fake utility downloads as an endpoint and identity problem, not just a browser-filtering problem. Microsoft recommends cloud-delivered protection, Endpoint Detection and Response in block mode and attack surface reduction rules. More importantly, inventory and constrain remote monitoring and management tooling. If ScreenConnect appears where the help desk did not put it, the GPU fan noise is not the incident. It is the symptom.
Published · Deep Fathom