Multi-vector cryptojacking campaign exploits SEO poisoning, ScreenConnect, and .NET tools to target GPU resources
Threat actors are running a coordinated cryptojacking operation that uses SEO poisoning and AI chatbot abuse to distribute malicious sites, then deploys ScreenConnect and Microsoft .NET utilities as initial access and persistence mechanisms to hijack GPU resources on high-performance systems.
This campaign represents a mature shift in cryptojacking tactics. Rather than relying solely on drive-by downloads or phishing, the threat actors orchestrated a multi-stage approach: SEO poisoning ensures malicious sites rank for legitimate search terms, AI chatbots amplify distribution by surfacing compromised links in conversational responses, and ScreenConnect (a legitimate remote support tool with native code execution capability) then provides reliable command and control infrastructure. The use of Microsoft .NET utilities as secondary payloads suggests the operators have invested in operational security and tool development that blends in with standard Windows administration.
The targeting of high-performance PCs indicates economic motivation. GPU resources command premium value in cryptocurrency mining markets, particularly if the victims are unaware their systems are running at sustained load. This selectivity differs from indiscriminate botnets and suggests reconnaissance occurs post-compromise.
ScreenConnect's abuse is particularly problematic because the tool is purpose-built for remote access with legitimate enterprise use cases. It provides persistent, reliable command execution channels that evade many traditional endpoint detection solutions. When combined with .NET utilities (which are trusted system components), the operator gains a low-visibility persistence mechanism that resembles legitimate administrative activity.
Organisations should recognise that SEO poisoning remains a viable attack vector despite years of awareness. Search engines and AI systems continue to surface malicious content when queries are sufficiently specific or novel. Defenders must assume that employees will encounter poisoned search results and should enforce strict application allowlisting on high-value systems, restrict ScreenConnect deployment to purpose-built bastion hosts with strong authentication, and monitor for unexpected .NET process execution chains and outbound connections from development or system tools.
The campaign's multi-vector nature and reliance on legitimate tools reflect broader attacker maturity. Simple malware signatures and network indicators will miss this activity. Detection requires behavioural analysis of GPU utilisation, ScreenConnect authentication logs, and .NET process lineage. The risk extends beyond cryptojacking: once ScreenConnect access is established, lateral movement, data exfiltration, or ransomware deployment become trivial follow-on actions.
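The two behavioural checks recommended above (unexpected .NET process chains under ScreenConnect, and sustained GPU load) can be expressed as simple detection logic over endpoint telemetry. The following is an added example, not code from the article or from any vendor; it runs over constructed sample events in the shape of Sysmon-style process-creation records and GPU utilisation samples. The ScreenConnect client process names, the list of .NET framework utilities, and the 90 percent / six-sample thresholds are assumptions chosen for illustration and should be tuned to the environment.

```python
"""Added example: behavioural checks for the ScreenConnect -> .NET -> GPU pattern.

Not from the original article. Process names, utility names, thresholds and all
sample data below are assumptions / constructed values for illustration only.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# ASSUMPTION: on-disk process names of the ScreenConnect client on Windows.
SCREENCONNECT_PARENTS = {
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}

# ASSUMPTION: .NET framework utilities that should rarely be spawned by a
# remote-support agent; the article does not name which utilities were used.
DOTNET_UTILITIES = {
    "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe", "csc.exe",
}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_lineage(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """Return events where a ScreenConnect client process spawned a .NET utility.

    Deliberately narrow: ScreenConnect spawning cmd.exe is normal for a support
    session, so only the .NET-utility children are flagged here.
    """
    return [
        ev for ev in events
        if _basename(ev.parent_image) in SCREENCONNECT_PARENTS
        and _basename(ev.image) in DOTNET_UTILITIES
    ]


def sustained_gpu_load(samples: Iterable[Tuple[str, float]],
                       threshold: float = 90.0,
                       min_consecutive: int = 6) -> List[str]:
    """Return hosts whose GPU utilisation stayed >= threshold (percent) for at
    least min_consecutive consecutive samples. Samples are (host, percent) in
    time order per host; a single dip below threshold resets that host's run,
    which keeps bursty but legitimate workloads (builds, renders) from alerting.
    """
    streak = {}
    flagged = set()
    for host, pct in samples:
        streak[host] = streak.get(host, 0) + 1 if pct >= threshold else 0
        if streak[host] >= min_consecutive:
            flagged.add(host)
    return sorted(flagged)


def correlate_hosts(events: Iterable[ProcessEvent],
                    samples: Iterable[Tuple[str, float]]) -> List[str]:
    """Hosts that show both signals: the strongest indication of the pattern."""
    lineage_hosts = {ev.host for ev in find_suspicious_lineage(events)}
    return sorted(lineage_hosts & set(sustained_gpu_load(samples)))


# Constructed sample telemetry (not real data). Paths are illustrative.
SC_CLIENT = r"C:\Program Files (x86)\ScreenConnect Client (sample)\ScreenConnect.ClientService.exe"
SAMPLE_EVENTS = [
    ProcessEvent("WS-01", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcessEvent("WS-07", SC_CLIENT,
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
                 r"MSBuild.exe C:\Users\Public\build.xml"),
    ProcessEvent("WS-07", SC_CLIENT,
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    # A developer box building from Visual Studio: MSBuild with a benign parent.
    ProcessEvent("DEV-03", r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
                 r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
                 "MSBuild.exe app.sln"),
]
SAMPLE_GPU = [  # (host, GPU utilisation percent), time-ordered per host
    ("WS-07", 97.0), ("WS-07", 98.5), ("WS-07", 99.0), ("WS-07", 96.0),
    ("WS-07", 99.0), ("WS-07", 98.0), ("WS-07", 97.5),
    ("DEV-03", 95.0), ("DEV-03", 92.0), ("DEV-03", 12.0), ("DEV-03", 96.0),
    ("DEV-03", 97.0), ("DEV-03", 91.0), ("DEV-03", 4.0),
]

if __name__ == "__main__":
    for ev in find_suspicious_lineage(SAMPLE_EVENTS):
        print(f"[lineage] {ev.host}: {_basename(ev.parent_image)} -> {ev.command_line}")
    print("[gpu] sustained load on:", sustained_gpu_load(SAMPLE_GPU))
    print("[both] correlated hosts:", correlate_hosts(SAMPLE_EVENTS, SAMPLE_GPU))
```

On the constructed data only WS-07 trips both checks: DEV-03 runs MSBuild under a development tool and its GPU load is interrupted, so neither rule fires there. In practice the lineage rule would be fed from Sysmon or EDR process-creation events and the GPU series from performance-counter or agent telemetry, with the utility list and thresholds adjusted to what is normal for the estate.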