Sophisticated GPU Cryptojacking Campaign Surfaced by Microsoft Experts

Microsoft Defender Experts recently identified a highly targeted digital threat spreading across the internet. Specifically, a dangerous GPU cryptojacking campaign is leveraging advanced delivery methods to infect high-performance computing systems. To accomplish this, the operators exploit a mixture of search engine manipulation and artificial intelligence platforms. Therefore, standard web searches for utility software no longer guarantee a safe download experience. Consequently, enterprise security teams must update their behavioral detection models immediately to neutralize this threat.

Poisoning the AI Search Pipeline

To begin with, the threat actors modified classic search engine optimization poisoning to include large language models. For example, users querying AI chatbots for legitimate setup links received malicious recommendations instead. The report states: “This combination of Al-assisted delivery, software impersonation, and persistent access highlights how threat actors are adapting social engineering and monetization strategies to modern user behavior.” Furthermore, the campaign carefully mimics popular system monitoring utilities like CrystalDiskInfo and FurMark. Consequently, this brand selection successfully filters out low-value devices to target enthusiasts. The operators focus exclusively on gaming rigs containing powerful discrete graphics hardware.

Sideloading and Remote Access Persistence

Once a user extracts the deceptive archive, the legitimate executable unknowingly triggers a hidden payload. Specifically, the program implements DLL sideloading to execute a file named autorun.dll silently. Subsequently, this helper module installs a packaged version of the commercial tool ScreenConnect. Interestingly, the attackers abuse this trusted software to transfer secondary malicious components directly. In addition, the malware establishes six independent persistence configurations to survive deep reboots. These mechanisms leverage multiple registry Run keys alongside three scheduled tasks. As a result, the compromised environment remains permanently tethered to the attacker’s controller server.

Executing Process Hollowing Injection

After establishing remote control, the adversary launches a custom dropper to execute a precise process hollowing injection routine. The script specifically targets legitimate Microsoft-signed utilities residing within the local system directories. To explain the process, the report details the execution chain: “The dropper launches the chosen target binary in a suspended state and uses API calls such as WriteProcess Memory, SetThreadContext, Resume Thread to hollow the process.” Consequently, the hidden mining code runs completely under the trusted identity of native binaries like MSBuild.exe. This structural evasion allows the active GPU cryptojacking campaign to avoid triggering standard process alerts.

Self-Repairing Infrastructure and Anti-Analysis

Meanwhile, the injected payload maintains a continuous background validation sequence to ensure smooth operations. The routine inspects the host device every five seconds to rebuild any deleted scheduled tasks. Furthermore, the application invokes PowerShell scripts to register extensive security exclusions automatically. These exclusions cover the entire list of target .NET hollowing candidates. However, the software exits instantly if it encounters a virtualized sandbox or debugging utility. For instance, the malware cross-references active system metrics against known tools like Wireshark or Ghidra. Therefore, automated sandbox architectures fail to analyze the operational logic of the sample.

Monetization Through Dynamic Orchestration

Ultimately, the backend infrastructure relies on selective mining loops to protect its hidden footprint. Instead of packing pre-compiled miners inside the payload, the binary streams them dynamically. The software specifically utilizes popular mining clients like gminer or lolMiner to optimize calculations. Clearly, this modern GPU cryptojacking campaign presents an optimized monetization layout. The document highlights this shift: “The campaign described in this blog takes a more deliberate approach: its operators have built a targeting and monetization strategy engineered from the ground up to maximize GPU mining yield per compromised device.” Consequently, defenders must pivot toward protocol analysis to block outbound connection attempts.

Strategic Mitigation Protocols

To conclude, enterprise organizations should implement immediate defensive enhancements to secure their local perimeter. Security teams must enable cloud-delivered protection modules across all corporate endpoints. In addition, administrators can enforce strict attack surface reduction properties to suppress unauthorized PowerShell calls. Monitoring unexpected WebSocket handshakes targeting dynamic DNS domains also provides excellent threat visibility. Thus, combining robust host-based behavior tracking with rigid egress filters shields vulnerable rigs from expensive monetization attacks.