thehackernews.com web signal

Microsoft exposes AI chatbot-driven GPU cryptojacking

microsoft cybersecurity ai assistants cybersecurity

Key insights

  • Attackers built and maintained over 150 malicious domains from March 2026, with AI chatbot-assisted lures first observed in April 2026.
  • Malware payloads combine GPU cryptocurrency miners delivered via DLL sideloading with a ScreenConnect remote-access backdoor for persistent access.
  • Microsoft identifies this as the first confirmed large-scale campaign weaponizing AI chatbot recommendation outputs as a malware delivery vector.

Why this matters

Chatbot platforms have become trusted software recommendation engines for hundreds of millions of users, and this campaign demonstrates that recommendation outputs can be poisoned at scale without requiring any compromise of the AI platform itself. The ScreenConnect backdoor component elevates this beyond opportunistic mining into persistent infrastructure compromise, meaning affected organizations face long-tail breach costs that extend well past GPU resource theft. For technical leaders, the March-to-April ramp timeline shows that once a novel attack vector proves viable, adversaries can build out 150-domain infrastructure in under 60 days, outpacing most enterprise detection cycles.

Summary

Microsoft's threat researchers have identified an active campaign using manipulated AI chatbot responses to redirect users toward GPU cryptocurrency miners and a persistent remote-access backdoor. Attackers registered over 150 malicious domains starting in March 2026, then in April began steering chatbot recommendation outputs toward fake downloads impersonating legitimate GPU utilities including CrystalDiskInfo and FurMark. Payloads arrive via DLL sideloading and bundle a ScreenConnect remote-access tool alongside the miner, giving attackers persistent footholds beyond the mining activity itself. Essentially: (Microsoft Security, unattributed threat actor) have confirmed the first large-scale weaponization of AI chatbot recommendation outputs as a malware delivery channel. - Targets are high-performance GPU owners specifically, whose hardware generates disproportionate mining revenue relative to average consumer machines. - The ScreenConnect component means victim machines are compromised infrastructure, not just mining nodes. AI assistants have become trusted software advisors, and that trust is now a documented, actively exploited attack surface.

Potential risks and opportunities

Risks

  • AI chatbot providers (OpenAI, Google, Microsoft Copilot) face reputational and potential regulatory exposure if users can demonstrate measurable harm from chatbot-sourced malicious software recommendations at scale.
  • Enterprises with ScreenConnect-compromised endpoints may have active unauthorized access they have not yet detected, with the backdoor potentially predating organizational awareness by six weeks or more as of late May 2026.
  • The 150-domain infrastructure, if not fully taken down following the Microsoft disclosure, can be retooled for credential phishing or data exfiltration targeting the same high-performance GPU owner demographic within 30 to 60 days.

Opportunities

  • Browser and endpoint security vendors (CrowdStrike, SentinelOne, Malwarebytes) can differentiate by adding AI chatbot recommendation link verification as a named detection capability tied to this confirmed threat pattern.
  • AI output safety and monitoring startups (Protect AI, Lakera, Robust Intelligence) now have a concrete, publicly named threat scenario to anchor enterprise procurement conversations that previously lacked a production-scale incident.
  • Chatbot platform operators have an immediate first-mover window to ship download-link safety scoring or known-malicious-domain filtering on recommendation outputs before a competing platform is publicly named in a follow-on incident.

What we don't know yet

  • The mechanism by which attackers influenced chatbot outputs is unspecified: whether through SEO manipulation of retrieval sources, RAG poisoning, or another injection method has not been confirmed in public reporting.
  • No attribution has been published for the threat actor controlling the 150-domain infrastructure, despite the campaign running continuously since March 2026.
  • Which specific AI chatbot platforms served the malicious recommendations, and whether any have deployed output-level mitigations since the May 26 Microsoft disclosure, remains undisclosed.

Originally reported by thehackernews.com

Read the original article →

Original headline: AI Chatbot Recommendations Weaponized in Active Cryptojacking Campaign, Microsoft Researchers Warn