
Hackers Abuse Fake Utility Downloads to Install ScreenConnect and Mine Cryptocurrency

Cybersecurity News, Jun 10, 2026



By Tushar Subhra Dutta, June 10, 2026

Hackers are turning everyday software searches into a trap. A sophisticated cryptojacking campaign is actively targeting users who search for popular PC utilities online, luring them into downloading malware-laced files that secretly mine cryptocurrency using their own GPU.

The attackers have built a network of more than 150 fake download sites that closely mimic trusted utility portals. These sites impersonate well-known programs like CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. Anyone visiting one of these sites and clicking the download button ends up with a ZIP archive containing both the real software and a hidden malicious file.

Analysts at Microsoft identified this campaign and published their findings in late May 2026. Microsoft Defender Experts and the Microsoft Defender Security Research Team said in a report shared with Cyber Security News (CSN) that the campaign deliberately targets users who likely own high-performance graphics cards, including gamers, hardware enthusiasts, and AI developers. The logic is calculated: infect fewer machines but squeeze maximum mining value out of each one.

What makes this campaign especially alarming is that it has started reaching victims through AI chatbot responses. In April 2026, researchers observed users receiving links to attacker-controlled domains directly from AI chatbot recommendations when asking for software download suggestions. This marks a troubling shift beyond traditional search engine manipulation into a space many users consider more trustworthy.

Beyond the financial motive of cryptocurrency mining, the attackers also install ScreenConnect on compromised machines to maintain persistent remote access.

[Figure: Attack chain (Source – Microsoft)]

This opens the door to far more damaging follow-on activity, including data theft, lateral movement through corporate networks, and even ransomware deployment. The campaign is still active and its reach continues to grow.

Hackers Abuse Fake Utility Downloads

The infection starts the moment a user downloads and runs what looks like a legitimate utility installer. The ZIP file contains the real application alongside a rogue file called autorun.dll, which loads automatically when the legitimate program launches, through a technique known as DLL sideloading.

[Figure: Screenshot of search engine results showing a malicious source for hwmonitor (Source – Microsoft)]

This method requires no software exploit and often leaves no visible trace on the screen. Once autorun.dll runs, it drops a second malicious file named vcredist_x64.dll using Windows Installer; this file serves as a packaged ScreenConnect installer. After ScreenConnect is in place, the infected machine connects to an attacker-controlled server at 193.42.11[.]108. Through this remote access channel, the attackers push an executable called SimpleRunPE.exe to the victim's system.

[Figure: Files dropped after extraction of the downloaded ZIP file (Source – Microsoft)]

SimpleRunPE.exe does the heavy lifting from there. It sets up persistence using Registry Run keys and scheduled tasks, adjusts security tool exclusions to stay hidden, and uses process hollowing to inject mining code into a trusted Microsoft-signed binary. Three GPU miners can be deployed depending on the setup: gminer, lolMiner, and SRBMiner-MULTI. The malware also watches for analysis tools like Windows Task Manager, Process Hacker, and Process Explorer. The moment it detects any of them running, it immediately pauses mining to avoid suspicion. Once those tools close, mining quietly resumes in the background.
Persistent Access and What Defenders Should Do

The campaign's use of ScreenConnect turns each compromised machine into a long-term foothold. Even if the mining software is detected and removed, the ScreenConnect backdoor may remain active, giving attackers a way back in. Security teams should actively look for unauthorized ScreenConnect sessions and installations not approved by IT.

Microsoft recommends monitoring for unusual GPU usage spikes on desktops and servers as an early sign of unauthorized mining. Correlating web referrer data and endpoint telemetry can help teams connect the dots faster when investigating alerts.

Users should only download software directly from official vendor websites and treat any link suggested by an AI tool with the same skepticism they would apply to any search result.

Defenders should also set alerts for files like SimpleRunPE.exe and watch for DLLs named autorun.dll or vcredist_x64.dll appearing in unexpected directories. Blocking known malicious domains and monitoring DNS traffic for gleeze[.]com subdomains can help cut off the campaign's delivery infrastructure before a download occurs.
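The hunting advice above can be turned into a small triage pass over endpoint telemetry. The script below is an added example, not code from the article or from Microsoft's report; it keeps the article's indicators defanged as published and refangs them only in memory, and it assumes a constructed event format (dns, netconn and file records as dicts) and a constructed notion of "expected" directories (only the Windows and Program Files trees), neither of which the article defines.

```python
# Added example (not the article's or Microsoft's code): triage constructed telemetry
# against the IoCs listed in this article.
import ipaddress

# IoCs from the article, kept defanged as published and refanged only in memory.
DEFANGED_C2_IP = "193.42.11[.]108"
DEFANGED_DOMAIN = "gleeze[.]com"
SUSPECT_FILES = {"simplerunpe.exe", "autorun.dll", "vcredist_x64.dll"}
# Assumption (not from the article): these file names are "expected" only under these paths.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

def refang(value: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return value.replace("[.]", ".")

def matches_domain(host: str) -> bool:
    """True for the campaign domain itself or any subdomain of it."""
    h = host.lower().rstrip(".")
    d = refang(DEFANGED_DOMAIN)
    return h == d or h.endswith("." + d)

def triage(events):
    """Return (event, reason) pairs for events matching the article's IoCs."""
    hits = []
    c2 = ipaddress.ip_address(refang(DEFANGED_C2_IP))
    for ev in events:
        t = ev.get("type")
        if t == "dns" and matches_domain(ev["query"]):
            hits.append((ev, "DNS query to campaign hosting domain"))
        elif t == "netconn" and ipaddress.ip_address(ev["dst"]) == c2:
            hits.append((ev, "connection to ScreenConnect C2"))
        elif t == "file":
            path = ev["path"].lower()
            name = path.rsplit("\\", 1)[-1]
            if name in SUSPECT_FILES and not path.startswith(TRUSTED_PREFIXES):
                hits.append((ev, f"{name} written outside trusted directories"))
    return hits

# Constructed sample telemetry (not real logs) so the script runs stand-alone.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "ws01", "query": "dl.gleeze.com"},
    {"type": "dns", "host": "ws01", "query": "www.microsoft.com"},
    {"type": "netconn", "host": "ws01", "dst": "193.42.11.108", "dport": 443},
    {"type": "file", "host": "ws01", "path": "C:\\Users\\alice\\Downloads\\HWMonitor\\autorun.dll"},
    {"type": "file", "host": "ws01", "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\SimpleRunPE.exe"},
    {"type": "file", "host": "ws02", "path": "C:\\Windows\\System32\\vcredist_x64.dll"},
]

if __name__ == "__main__":
    for ev, why in triage(SAMPLE_EVENTS):
        print(ev["host"], why, ev.get("query") or ev.get("dst") or ev.get("path"))
```

Against the sample events the pass flags the gleeze.com lookup, the C2 connection and the two user-writable drops, while the vcredist_x64.dll under System32 is left for the directory rule to decide.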
Indicators of Compromise (IoCs):

Type         Indicator                  Description
IP Address   193.42.11[.]108            Attacker-controlled ScreenConnect C2 server
File Name    autorun.dll                Malicious DLL sideloaded via legitimate utility executable
File Name    vcredist_x64.dll           Second-stage DLL; packaged ScreenConnect installer
File Name    SimpleRunPE.exe            Dropper responsible for persistence, Defender exclusions, and process hollowing
File Name    vlc.exe                    Disguised binary used in select infections (renamed mining dropper)
Domain       gleeze[.]com (subdomains)  Campaign-specific hosting infrastructure for malicious ZIP archives (via Dynu dynamic DNS)
Miner Tool   gminer                     GPU cryptocurrency miner deployed as final payload
Miner Tool   lolMiner                   GPU cryptocurrency miner deployed as final payload
Miner Tool   SRBMiner-MULTI             GPU cryptocurrency miner deployed as final payload

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.