Microsoft said on May 26, 2026 [1], that a GPU-focused cryptojacking campaign is targeting users through SEO-poisoned search results and AI chatbots.
This campaign represents a shift in how malware is distributed, leveraging the perceived trust of AI-generated recommendations to trick users into installing malicious software. By targeting high-performance hardware, attackers can maximize the efficiency of cryptocurrency mining at the victim's expense.
According to the company, the malware is disguised as legitimate PC utilities [1]. These include popular tools such as HWMonitor, CrystalDiskInfo, ScreenConnect, and Microsoft .NET utilities [1]. The campaign specifically targets gamers and owners of high-end PCs, as these systems typically possess the powerful graphics processing units required for profitable mining [1].
Threat actors are using search engine optimization poisoning to ensure their malicious links appear at the top of search results [1]. Furthermore, the campaign has expanded to include AI-chatbot platforms, where the bots may recommend these poisoned links to users seeking technical tools [1]. Once installed, the malware hijacks the GPU resources to mine cryptocurrency, a process known as cryptojacking [1].
Microsoft said the campaign uses these deceptive methods to bypass traditional user caution. Because the software masquerades as essential system utilities, users are more likely to grant the programs the permissions necessary to execute the mining payload [1].
Users are encouraged to download software only from official vendor websites and to remain skeptical of tool recommendations provided by AI chatbots or unverified search results [1].
“The campaign specifically targets gamers and owners of high-end PCs.”
The use of AI chatbots as a delivery vector for malware indicates that threat actors are adapting to the way users discover information. As people increasingly rely on AI for technical recommendations, the 'trust gap' created by these interfaces allows attackers to bypass the skepticism typically applied to standard web advertisements or suspicious emails.
'%2F%3E%0A%20%20%20%20%3Crect%20width%3D'1600'%20height%3D'900'%20fill%3D'url(%23v)'%2F%3E%0A%20%20%20%20%3Cg%20opacity%3D'0.08'%20fill%3D'%23ffffff'%3E%0A%20%20%20%20%20%20%3Ccircle%20cx%3D'1420'%20cy%3D'180'%20r%3D'220'%2F%3E%0A%20%20%20%20%20%20%3Ccircle%20cx%3D'1500'%20cy%3D'760'%20r%3D'120'%2F%3E%0A%20%20%20%20%3C%2Fg%3E%0A%20%20%20%20%3Cline%20x1%3D'80'%20y1%3D'172'%20x2%3D'220'%20y2%3D'172'%20stroke%3D'%23ffffff'%20stroke-width%3D'3'%20stroke-opacity%3D'0.6'%2F%3E%0A%20%20%20%20%3Ctext%20x%3D'80'%20y%3D'140'%20font-family%3D'Inter%2C%20-apple-system%2C%20Helvetica%2C%20sans-serif'%20font-weight%3D'700'%20font-size%3D'28'%20fill%3D'%23ffffff'%20letter-spacing%3D'6'%3EHANNA%20%C2%B7%20NEWS%3C%2Ftext%3E%0A%20%20%20%20%3Ctext%20x%3D'80'%20y%3D'230'%20font-family%3D'Inter%2C%20-apple-system%2C%20Helvetica%2C%20sans-serif'%20font-weight%3D'600'%20font-size%3D'40'%20fill%3D'%23ffffffb3'%20letter-spacing%3D'4'%3ETECH%3C%2Ftext%3E%0A%20%20%20%20%3Ctext%20x%3D'80'%20y%3D'622'%20font-family%3D'Playfair%20Display%2C%20Georgia%2C%20serif'%20font-weight%3D'800'%20font-size%3D'86'%20fill%3D'%23ffffff'%20letter-spacing%3D'-1'%3EChinese%20Sodium-Ion%20Batteries%3C%2Ftext%3E%3Ctext%20x%3D'80'%20y%3D'721'%20font-family%3D'Playfair%20Display%2C%20Georgia%2C%20serif'%20font-weight%3D'800'%20font-size%3D'86'%20fill%3D'%23ffffff'%20letter-spacing%3D'-1'%3EReach%20Tesla%20Performance%3C%2Ftext%3E%3Ctext%20x%3D'80'%20y%3D'820'%20font-family%3D'Playfair%20Display%2C%20Georgia%2C%20serif'%20font-weight%3D'800'%20font-size%3D'86'%20fill%3D'%23ffffff'%20letter-spacing%3D'-1'%3ELevels%3C%2Ftext%3E%0A%20%20%20%20%3Ctext%20x%3D'80'%20y%3D'870'%20font-family%3D'Inter%2C%20-apple-system%2C%20Helvetica%2C%20sans-serif'%20font-weight%3D'500'%20font-size%3D'22'%20fill%3D'%23ffffff66'%20letter-spacing%3D'2'%3Enews.hanna-ai.com%3C%2Ftext%3E%0A%20%20%3C%2Fsvg%3E)
