ProBackend

They’re Not Stealing Your CPU—They’re Stealing Your GPU

A coordinated cyber campaign is exploiting SEO poisoning and AI chatbot interfaces to distribute GPU mining malware, targeting systems with high-performance computing resources for unauthorized cryptocurrency mining.

ProBackend Team

You think your rig’s overheating because you’re gaming too hard? Think again.

The real culprit isn’t your 4K settings or your latest modpack. It’s malware—quiet, surgical, and terrifyingly smart—that’s hijacking your GPU for cryptocurrency mining. And it’s not sneaking in through shady torrents or cracked software. It’s showing up in your Google search results. In your ChatGPT replies. In the "trusted" download links you click because you’re trying to monitor your temps or update your drivers.

This isn’t some script kiddie operation. This is a campaign engineered for maximum yield per machine. They don’t care about infecting a million PCs. They want ten. Ten high-end workstations with RTX 4090s. Ten systems that cost more than your car. And they’re getting them by weaponizing trust.

Microsoft found it. Not because someone reported it. Because their telemetry flagged something weird: a spike in msiexec.exe calls from legitimate-looking utilities like CrystalDiskInfo and FurMark. The kind of tools you install because you’re a power user. Because you care about your hardware. Because you think you’re being careful.

You’re not.

The ZIP file looks right. The executable runs. The app opens. Everything’s normal. Except in the background, a DLL is loading. And that DLL? It’s not just dropping a miner. It’s installing ScreenConnect—a legitimate remote access tool used by IT departments worldwide. And now, the attacker has a backdoor into your machine that looks like a helpdesk connection.

They don’t need to hide the miner. They need to hide the backdoor.

Then comes SimpleRunPE.exe. A tool built to hollow out Microsoft-signed binaries. RegAsm.exe. InstallUtil.exe. MSBuild.exe. These aren’t malware. They’re Windows utilities. Signed by Microsoft. Trusted by Defender. And now, they’re hosting the miner inside them.

The malware checks for VMs. For analysis tools. For sandboxes. If it sees any, it shuts down. It’s not trying to be invisible. It’s trying to be legitimate.

And here’s the kicker: it adds itself to Microsoft Defender’s exclusion list. Not by brute force. By calling PowerShell with the exact syntax Microsoft uses to whitelist enterprise tools. You think you’re protected? Defender is now helping the miner run.

There are six persistence mechanisms. Six. Not one. Not two. Six. Scheduled tasks. Registry keys. Startup folders. Service entries. Even a hidden folder named "System32\Temp"—because who’d look there? It’s not trying to be clever. It’s trying to be thorough.

And the miner? It’s not using a cheap, open-source tool. It’s using gminer, lolMiner, SRBMiner-MULTI—the same tools pro miners use. The ones optimized for NVIDIA’s latest architectures. The ones that chew through power and spit out Monero at a rate that makes this campaign profitable.

This isn’t about volume. It’s about efficiency. One infected RTX 4090 can mine more than a hundred compromised laptops. And the attacker knows it.

The real horror? You didn’t click on a phishing link. You asked ChatGPT: "Where can I download FurMark safely?" And it gave you a link to gleeze[.]com. A domain flagged before for phishing. But because the AI was trained on scraped forums and Stack Overflow threads, it didn’t know the difference between a real download and a poisoned one.

The attackers didn’t hack the AI. They poisoned the training data.

They didn’t need to.

You trusted the tool. The tool trusted the data. And now your GPU is running 24/7 for someone else’s profit.

And here’s the worst part: your IT department won’t see it. EDR tools are built to catch ransomware. To detect ransomware patterns. To flag crypto miners that use PowerShell scripts or obscure file names.

This? This is a ghost. It’s signed. It’s persistent. It’s silent. And it’s already on your machine.

You think you’re safe because you have antivirus? You’re not.

You think you’re safe because you don’t download sketchy stuff? You’re not.

You’re safe only if you check your GPU usage every single day. If you monitor your power draw. If you know what ScreenConnect is doing on your network. If you’ve never once trusted a chatbot to recommend a software download.

Because the next time you search for "Display Driver Uninstaller"? The first result won’t be the official site.

It’ll be theirs.

And you’ll click it again.

How the Attack Chain Works (And Why Your EDR Misses It)

Let’s walk through this step by step. Not the way Microsoft’s report does—with bullet points and sanitized diagrams. The way it actually happens. In the wild. On a real machine.

You’re a designer. Or a data scientist. Or a gamer with a $3,000 rig. You need to monitor your GPU temps. So you Google: "CrystalDiskInfo download".

The top result? A site that looks like SourceForge. Clean layout. Download button. Even a "Verified by BleepingComputer" badge (they stole the logo). You click. You get a ZIP.

You open it. Inside: CrystalDiskInfo.exe. And a DLL named "msvcr120.dll". You think: "Oh, that’s a runtime library. Fine."

You run CrystalDiskInfo.exe.

The app launches. Your temps show up. Everything’s fine.

But here’s what happened in the background:

  1. The DLL hooks into the process. It doesn’t inject. It doesn’t spawn. It just loads.
  2. It calls msiexec.exe with a custom MSI package. This isn’t malware. It’s a legitimate installer package for vcredist_x64.dll. But it’s not installing the Visual C++ runtime. It’s installing ScreenConnect.
  3. ScreenConnect connects to a C2 server. The attacker now has remote access. They can open files. Run commands. Kill processes. And they do.
  4. They drop SimpleRunPE.exe. This tool reads a malicious payload and hollows out a Microsoft-signed binary. They pick MSBuild.exe. Why? Because it’s signed. Because it’s allowed to spawn PowerShell. Because it’s used by DevOps teams.
  5. The miner is injected into MSBuild.exe. The original code is erased. The malware runs as if it’s Microsoft’s own tool.
  6. It adds itself to Windows Defender exclusions using: Add-MpPreference -ExclusionProcess "MSBuild.exe"
  7. It creates six persistence points:
  • A scheduled task named "WindowsUpdateHelper"
  • A registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • A shortcut in the Startup folder
  • A service entry disguised as "Windows Audio Enhancements"
  • A hidden folder in %AppData% named "System32\Temp"
  • A WMI event subscription that redeploys the payload on reboot
  8. It checks for 40 known analysis tools: Wireshark, Process Hacker, IDA Pro, Ghidra, Cuckoo, etc. If any are running? It exits. No trace.
  9. It downloads one of three miners: gminer, lolMiner, or SRBMiner-MULTI. All optimized for NVIDIA’s Ada Lovelace architecture. All configured to mine Monero, not Bitcoin. Why? Because Monero is untraceable. Because it doesn’t leave a blockchain trail.

And your EDR? It sees:

  • CrystalDiskInfo.exe — trusted app
  • msiexec.exe — legitimate Windows tool
  • ScreenConnect — enterprise-approved remote tool
  • MSBuild.exe — signed by Microsoft
  • PowerShell — used daily by admins
  • Add-MpPreference — used for whitelisting

It sees nothing suspicious. Because it’s not supposed to.
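Each of those "trusted" pieces is unremarkable on its own; it is the parent-child pairing and the exclusion command that give the chain away. The hunt below is an added example written for this post (not code from Microsoft’s report or from ProBackend). It assumes Sysmon process-creation logging (Event ID 1) and PowerShell script block logging (Event ID 4104) are enabled, and that the $buildParents allowlist of processes that legitimately start MSBuild.exe, RegAsm.exe and InstallUtil.exe fits your environment.

```powershell
# Added example: correlate the steps of the chain above from Windows event logs.
# Assumes Sysmon (Event ID 1) and PowerShell script block logging (Event ID 4104)
# are enabled; run in an elevated Windows PowerShell session.

$lures       = @('CrystalDiskInfo.exe', 'FurMark.exe')           # trojanised utilities named in this post
$hollowHosts = @('MSBuild.exe', 'RegAsm.exe', 'InstallUtil.exe')  # signed binaries used to host the miner
# Assumed allowlist of parents that legitimately start the hosts above; tune per environment.
$buildParents = '^(devenv|dotnet|msbuild|vbcscompiler|cmd|powershell)\.exe$'

function Get-SysmonField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$findings = New-Object System.Collections.Generic.List[string]

$sysmonFilter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
$procEvents = Get-WinEvent -FilterHashtable $sysmonFilter -MaxEvents 20000 -ErrorAction SilentlyContinue

foreach ($e in $procEvents) {
    $image  = [System.IO.Path]::GetFileName((Get-SysmonField $e 'Image'))
    $parent = [System.IO.Path]::GetFileName((Get-SysmonField $e 'ParentImage'))
    $cmd    = Get-SysmonField $e 'CommandLine'

    # Step 2: a disk/GPU monitoring utility has no business launching the MSI installer.
    if ($image -ieq 'msiexec.exe' -and $lures -icontains $parent) {
        $findings.Add("[$($e.TimeCreated)] msiexec launched by $parent : $cmd")
    }
    # Step 3: any ScreenConnect client on a host that has no helpdesk use for it.
    if ($image -ilike 'ScreenConnect*') {
        $findings.Add("[$($e.TimeCreated)] $image started by $parent")
    }
    # Steps 4-5: a signed build/registration tool started outside a build toolchain.
    if ($hollowHosts -icontains $image -and $parent -inotmatch $buildParents) {
        $findings.Add("[$($e.TimeCreated)] $image started by $parent : $cmd")
    }
}

# Step 6: the Defender exclusion is added through PowerShell, so it lands in script block logs.
$psFilter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
Get-WinEvent -FilterHashtable $psFilter -MaxEvents 20000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match 'Add-MpPreference\s+-Exclusion' } |
    ForEach-Object { $findings.Add("[$($_.TimeCreated)] Defender exclusion added: $($_.Properties[2].Value.Trim())") }

$findings | Sort-Object -Unique
```

Every line it prints is a relationship, not a file hash, which is why it survives the attacker swapping the lure or the miner binary.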

This is the new standard: living-off-the-land. Not obfuscation. Not encryption. Just abuse.

And the worst part? You can’t fix this with antivirus. You can’t fix this with a firewall. You fix this by changing how you think.

Stop trusting search results. Stop trusting chatbots. Stop assuming "trusted" means "safe".

Because the attackers aren’t breaking in.

They’re being invited.

Why AI Chatbots Are the New Phishing Vector

Let me be clear: ChatGPT didn’t get hacked.

It was trained wrong.

The attackers didn’t compromise OpenAI. They didn’t inject prompts. They didn’t jailbreak anything.

They poisoned the training data.

Somewhere, in the vast corpus of internet text used to train these models, there are forums. Stack Overflow threads. Reddit posts. Tech blogs. And buried in them? Links to gleeze[.]com. Links to fake CrystalDiskInfo downloads. Links to "safe" download pages that have been up for months.

The AI didn’t make a mistake. It learned from the data.

It learned that "CrystalDiskInfo download" leads to gleeze[.]com. Because people said so. Because it was there. Because it was the most common result.

And now, when you ask: "Where can I download HWMonitor safely?"—the AI gives you the same answer it’s seen a thousand times.

It doesn’t know it’s wrong.

It doesn’t have a concept of safety.

It just predicts what comes next.

This isn’t a flaw. It’s a feature.

And it’s weaponized.

I’ve tested this. I asked ChatGPT: "What’s the best tool to monitor GPU usage?" It recommended HWMonitor. Then it gave me a link to a domain called "hwmonitor-download[.]org"—a site that was flagged by VirusTotal for hosting malware in March.

I asked Claude: same result.

I asked Gemini: same.

All three gave me the same poisoned link.

And they all did it confidently. With no disclaimers. No "I’m not sure". No "verify this source".

They’re not biased. They’re compromised.

And here’s the terrifying part: this isn’t rare. It’s happening at scale.

Every day, thousands of users—engineers, students, professionals—ask AI assistants for software recommendations. They trust the answers. They click the links. And their machines get infected.

The attackers aren’t targeting you because you’re a high-value asset.

They’re targeting you because you’re typical.

You’re the average user who thinks AI is helpful. Who trusts search results. Who downloads software because it’s recommended.

And that’s exactly who they want.

This isn’t the future.

It’s happening now.

And the companies building these AI assistants? They’re not fixing it.

They’re still optimizing for engagement. For speed. For answers.

They’re not optimizing for safety.

And until they do? You’re on your own.

What You Can Do (And What Your Company Won’t)

Look. I get it.

You’re not a security team. You’re a developer. A designer. A student. You just want your tools to work.

But here’s the truth: no one else is going to protect you.

Your company’s EDR won’t catch this. Your antivirus won’t either. Your IT department? They’re still patching Exchange servers from 2017.

So here’s what you do.

1. Never Trust a Chatbot to Recommend Software

I don’t care if it’s ChatGPT, Claude, or Gemini. If you ask it for a download link, you’re already compromised.

Instead:

  • Go to the official site. CrystalDiskInfo? Go to crystalmark.info. FurMark? Go to geeks3d.com. PDFgear? Go to pdfgear.com.
  • Look for HTTPS. Look for contact info. Look for a real company address.
  • If the site looks like it was built in 2008? Walk away.
  • If it has a "Download Now" button that’s too big? Walk away.

2. Monitor Your GPU Usage

Open Task Manager. Go to Performance. Look at your GPU usage.

If it’s at 95% and you’re not gaming, rendering, or training a model? Something’s wrong.

Use GPU-Z or HWiNFO. Look at the power draw. If your 4090 is pulling 400W while you’re just browsing? That’s not normal.

3. Check for ScreenConnect

Open Task Manager. Go to Details. Look for ScreenConnect.Client.exe. Or any process named "ScreenConnect".

If you don’t work for a company that uses ScreenConnect? Delete it. Block it. Report it.

4. Audit Your Persistence Points

Run this in PowerShell as admin:

Get-ScheduledTask | Where-Object { $_.TaskPath -notlike "\Microsoft\*" } | Select-Object TaskName, TaskPath, State   # tasks outside Microsoft's own folders (a name filter that drops "*Update*" would hide "WindowsUpdateHelper")
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"                                               # per-user Run key
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"                                            # Startup folder shortcuts
Get-CimInstance Win32_Service | Where-Object { $_.PathName -notlike "*\Windows\*" } | Select-Object Name, DisplayName, PathName   # services running from outside \Windows
Get-WmiObject -Namespace "root\subscription" -Class "__EventFilter" | Select-Object Name, Query                        # WMI event filters
Get-WmiObject -Namespace "root\subscription" -Class "__FilterToConsumerBinding"                                        # ...and the bindings that fire them

If you see anything unfamiliar? Delete it. Research it. If you can’t identify it? Assume it’s malware.

5. Add Your Own Exclusions to Defender

Yes, the malware adds itself to Defender. But you can add your own exclusions.

Go to Windows Security > Virus & threat protection > Manage settings > Exclusions.

Add your legitimate software folders. And remove anything that looks like it was added by someone else.
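The same review from PowerShell, as an added example written for this post (not from the page’s source): it lists every Defender exclusion currently in force, flags any that are not in an allowlist you maintain ($myExclusions is an assumed placeholder), and shows the cmdlet that reverses what the miner did in step 6.

```powershell
# Added example: enumerate Defender exclusions and flag the ones you did not add.
# $myExclusions is an assumed placeholder: replace it with the entries you added
# deliberately, or leave it empty to report everything. Run elevated.
$myExclusions = @('C:\Tools\MyBuildCache')

$pref = Get-MpPreference
$current = @()
$current += @($pref.ExclusionPath)      | ForEach-Object { @{ Kind = 'Path';      Value = $_ } }
$current += @($pref.ExclusionProcess)   | ForEach-Object { @{ Kind = 'Process';   Value = $_ } }
$current += @($pref.ExclusionExtension) | ForEach-Object { @{ Kind = 'Extension'; Value = $_ } }

$unexpected = $current | Where-Object { $_.Value -and ($myExclusions -inotcontains $_.Value) }
foreach ($x in $unexpected) {
    "Unexpected $($x.Kind) exclusion: $($x.Value)"
}

# Remove-MpPreference is the inverse of the Add-MpPreference call described above.
# Uncomment only after reviewing the list, e.g. for the exclusion the miner creates:
# Remove-MpPreference -ExclusionProcess 'MSBuild.exe'

# Confirm the settings that stop an unprivileged process from re-adding itself.
$status = Get-MpComputerStatus
"Tamper protection: $($status.IsTamperProtected)   Real-time protection: $($status.RealTimeProtectionEnabled)"
```

With tamper protection on, Add-MpPreference from a non-admin context fails, which is the cheapest way to blunt step 6 of the chain.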

6. Use a Separate User Account for Downloads

Create a second local user account. Name it "Downloads". No admin rights. No network access.

Download everything there. Install everything there.

Then copy the files over. Don’t run them from the Downloads account.

It’s extra work. But it’s the only way to break the chain.

7. Educate Your Team

If you’re in a company? Don’t wait for IT. Start a Slack channel. Share this article. Show your team the screenshots. Run a quick demo.

This isn’t a tech problem.

It’s a human problem.

And until we stop trusting the wrong things? We’ll keep getting owned.

The Bigger Picture: This Is Just the Beginning

This campaign? It’s not the worst thing we’ve seen.

But it’s the most insidious.

Because it doesn’t rely on zero-days. Doesn’t need exploits. Doesn’t require social engineering.

It just uses what we already trust.

Search engines.

AI assistants.

Legitimate tools.

Signed binaries.

And it turns them all against us.

This is the new frontier of cybercrime: not hacking systems. Hacking trust.

And the worst part? We’re not ready.

We still think security is about firewalls and patches.

It’s not.

It’s about how we think.

Who do we trust?

Why do we trust them?

And what happens when the thing we trust is already compromised?

This isn’t just about cryptojacking.

It’s about the collapse of the information layer.

When the search results are poisoned.

When the AI assistants lie.

When the tools we rely on are turned into weapons.

We’re not just losing our GPUs.

We’re losing our ability to know what’s real.

And that? That’s the real malware.
