Our office is open from
Monday to Friday 09:00-17:00
52 Makrygianni Street,
17342 Agios Dimitrios,
Athens, Greece
Phone : (+30) 218 218 3196
Fax : (+30) 210 991 3327
info@computech.gr
Web : www.computech.gr
Copyright © 2026 Computech Business Solutions. All rights reserved.
This cryptojacking campaign shows how attackers blend trusted tools, poisoned search results, and AI-surfaced links to reach Windows systems. Microsoft also documented the broader abuse chain in its security report on poisoned search results and GPU mining activity.
Cryptojacking Campaign Abuses ScreenConnect and .NET Tools: What Businesses Need to Know
For enterprises, this is more than a technical curiosity. It shows how attackers now combine social engineering, legitimate remote support software, and built-in system tools to reduce detection and increase persistence.
In many cases, users were led to harmful websites through search engine optimization manipulation. AI chatbots also surfaced the same risky destinations.
Why This Cryptojacking Campaign Matters
Cryptojacking is often dismissed as a low-severity threat because it may not steal data directly. However, that view is outdated. When attackers gain access to powerful workstations, servers, or GPU-equipped systems, they can consume expensive compute resources and raise cloud or energy costs.
For organizations running engineering workstations, AI development environments, graphics-heavy systems, or virtualized infrastructure, the impact can be serious. A single compromised machine may not trigger a major incident on its own. Even so, it can signal deeper weaknesses in endpoint protection, application control, or user awareness.
This campaign stands out because it uses several abuse paths at once:
That mix makes the attack harder to detect and easier to scale.
Cryptojacking Campaign and How SEO Poisoning Drives Initial Access
SEO poisoning remains one of the most effective ways to reach users at the moment of intent. When someone searches for a utility, installer, or troubleshooting guide, they expect a trustworthy result near the top of the page. Threat actors exploit that trust by creating malicious or compromised pages that rank for popular queries.
In this campaign, poisoned search results directed users toward websites that looked relevant but delivered harmful payloads or redirected them into the attack chain. This is especially dangerous in business settings, where employees may search for remote access tools, support software, or installation packages without verifying the source.
Cryptojacking Campaign and Why Search Engine Trust Is a Security Problem
Traditional security training focuses heavily on email and messaging risks. Yet search engines now play a similar role in enterprise exposure. Employees often search for vendor downloads, software activation instructions, remote support tools, update fixes, and technical documentation.
If attackers can place a fake or malicious page high in search results, they can bypass many controls that would catch a phishing email. The victim is not tricked by a message. Instead, they actively searched for the target.
ScreenConnect Abuse in the Cryptojacking Campaign
ScreenConnect is a legitimate remote support and access solution widely used by IT teams and service providers. Like many remote administration tools, it becomes dangerous when attackers use it to gain persistence or manage compromised systems.
In this campaign, ScreenConnect was abused as part of the delivery and control process. That matters because security tools may not immediately flag it as malicious. After all, the software itself is widely deployed in enterprise environments.
Cryptojacking Campaign and the Risk of Living-Off-the-Land Techniques
Attackers increasingly rely on living-off-the-land methods. That means they use trusted software already present in the environment rather than deploying obviously suspicious malware.
This approach offers several advantages:
For security teams, the challenge is not just blocking a product category. It is understanding context: who launched the tool, from where, under what conditions, and whether the activity matches approved support workflows.
Cryptojacking Campaign and How Microsoft .NET Utilities Fit Into the Attack Chain
The campaign also relied on Microsoft .NET utilities, which are common components in Windows environments. Attackers often abuse these trusted tools to execute scripts, unpack payloads, or run code in a way that looks operational rather than malicious.
This is a familiar pattern in modern intrusion activity. Instead of dropping a noisy executable and waiting to be caught, attackers use utility-based execution to move quietly through the environment. That can delay detection long enough for mining activity to generate value.
Cryptojacking Campaign and Why .NET Abuse Is Harder to Spot
Many organizations allow .NET frameworks and related tools by default because they are essential to business applications and system administration. But that trust can be exploited.
When attackers use these utilities for script execution, payload staging, or semi-fileless operations, they can stay within the boundaries of normal enterprise software behavior. For that reason, defenders need behavioral analytics, not just signature-based detection.
AI Chatbots Are Becoming Part of the Exposure Surface
One of the more concerning aspects of this campaign is that malicious websites were also surfaced through AI chatbots. That highlights a growing security issue: users increasingly rely on AI-generated recommendations for software discovery, troubleshooting, and vendor navigation.
If those responses contain unsafe or manipulated links, the result can be the same as a bad search result. Users are guided toward attacker-controlled infrastructure.
What This Means for Business Users
Employees may assume AI-generated suggestions are safer because they feel curated. In reality, AI tools can reflect the web content they ingest, including misleading or malicious sources.
Organizations should treat AI-assisted browsing and tool discovery as another layer of external content exposure. That does not mean businesses should avoid AI tools altogether. It means they need policies for verifying software sources and training users to validate downloads, support pages, and installer links before trusting them.
Business Impact: More Than Just CPU Waste
Cryptojacking is often described as resource theft, but the business impact goes further. Mining payloads can affect systems in ways that create operational and financial consequences.
Common Enterprise Impacts
For companies running high-value endpoints, especially systems used for AI workloads, video rendering, scientific computing, or development, unauthorized GPU mining can create measurable cost and productivity losses.
Defensive Priorities for Security Teams
Organizations can reduce exposure to this type of campaign by tightening controls around software discovery, remote access, and runtime monitoring. A layered approach is essential.
1. Restrict Download Sources
Limit software downloads to approved vendor portals, internal package repositories, or managed software catalogs. Educate users not to rely on top search results or AI-generated links when downloading tools.
2. Monitor Remote Access Tool Usage
ScreenConnect and similar tools should be monitored closely, even if they are legitimate in your environment. Track who installs or launches them, whether usage aligns with approved support tickets, whether connections come from expected sources, and whether the tool appears on endpoints where it is not normally used.
3. Watch for Unusual .NET Execution Patterns
Security teams should baseline normal .NET activity and flag unusual parent-child process relationships, script execution patterns, or unexpected command-line parameters. This is especially important on endpoints that should not regularly run administrative automation.
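The checks in priorities 2 and 3 can be expressed as a baseline-driven triage of process-creation events. This is an added example, not code from the article or from Microsoft's report; the watchlisted binary names, directory list, host names, and the `ScreenConnect Client (placeholder)` install path are assumptions, and the events are constructed.

```python
from collections import Counter
from ntpath import basename  # parses Windows paths on any OS

# Assumed watchlists; the article names no specific binaries or paths.
DOTNET_UTILS = {"msbuild.exe", "installutil.exe", "regasm.exe", "csc.exe"}
REMOTE_TOOLS = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

def exe(path):
    return basename(path).lower()

def learn_baseline(history, min_count=2):
    """Parent->child pairs seen at least min_count times in known-good history."""
    pairs = Counter((exe(e["ParentImage"]), exe(e["Image"])) for e in history)
    return {pair for pair, n in pairs.items() if n >= min_count}

def triage(event, baseline, approved_hosts):
    """Return the reasons a process-creation event deserves analyst review."""
    child, parent = exe(event["Image"]), exe(event["ParentImage"])
    reasons = []
    if child in DOTNET_UTILS:
        if (parent, child) not in baseline:
            reasons.append(f"unbaselined parent: {parent} -> {child}")
        if any(d in event["CommandLine"].lower() for d in USER_WRITABLE):
            reasons.append("input from user-writable directory")
    if child in REMOTE_TOOLS and event["Computer"] not in approved_hosts:
        reasons.append("remote access tool on unapproved host")
    return reasons

# Constructed sample events with Sysmon Event ID 1 style fields (not real telemetry).
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SC = r"C:\Program Files (x86)\ScreenConnect Client (placeholder)\ScreenConnect.ClientService.exe"

def ev(host, parent, image, cmd):
    return {"Computer": host, "ParentImage": parent, "Image": image, "CommandLine": cmd}

HISTORY = [ev("BUILD01", r"C:\VS\devenv.exe", MSBUILD, r"MSBuild.exe C:\src\app.sln")] * 3
NEW = [
    ev("BUILD01", r"C:\VS\devenv.exe", MSBUILD, r"MSBuild.exe C:\src\app.sln"),
    ev("FIN-LT07", SC, MSBUILD, r"MSBuild.exe C:\Users\kim\AppData\Local\Temp\job.proj"),
    ev("FIN-LT07", r"C:\Windows\System32\services.exe", SC, SC),
]

if __name__ == "__main__":
    baseline = learn_baseline(HISTORY)
    for e in NEW:
        print(e["Computer"], exe(e["Image"]), triage(e, baseline, {"HELPDESK01"}))
```

The approved-host set stands in for the support-ticket or asset-inventory lookup the article describes; in production that context would come from the ticketing or CMDB system rather than a hard-coded set.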
4. Improve Endpoint Detection and Response
EDR solutions can help identify mining behavior such as sustained high GPU or CPU usage, unusual network connections to mining pools, abnormal process trees, persistence mechanisms, and repeated execution from temporary or user-writable directories.
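Two of those signals, sustained GPU load and execution from user-writable directories, combine into a simple prioritisation rule. The sketch below is an added example, not the article's or any EDR vendor's logic; the per-minute sample format, thresholds, process paths, and directory list are assumptions, and the telemetry is constructed.

```python
from collections import defaultdict

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")  # assumed list

def sustained_runs(samples, threshold=80.0, min_minutes=30):
    """samples: (minute, pid, image, gpu_pct) tuples, one per process per minute.
    Returns {pid: longest contiguous run in minutes} for runs >= min_minutes."""
    by_pid = defaultdict(list)
    for minute, pid, _image, pct in sorted(samples):
        by_pid[pid].append((minute, pct))
    hits = {}
    for pid, series in by_pid.items():
        best = run = 0
        prev = None
        for minute, pct in series:
            contiguous = prev is not None and minute == prev + 1
            # A telemetry gap or a dip below the threshold restarts the run.
            run = (run + 1 if contiguous else 1) if pct >= threshold else 0
            best = max(best, run)
            prev = minute
        if best >= min_minutes:
            hits[pid] = best
    return hits

def findings(samples, **kw):
    """Rank sustained-load processes: 'high' if the image sits in a user-writable path."""
    images = {pid: image for _m, pid, image, _p in samples}
    out = []
    for pid, minutes in sorted(sustained_runs(samples, **kw).items()):
        risky = any(d in images[pid].lower() for d in USER_WRITABLE)
        out.append((pid, images[pid], minutes, "high" if risky else "review"))
    return out

# Constructed telemetry: a legitimate renderer, a binary in Temp, a bursty browser.
def load(pid, image, start, minutes, pct):
    return [(start + i, pid, image, pct) for i in range(minutes)]

SAMPLES = (
    load(410, r"C:\Program Files\Renderer\render.exe", 0, 40, 92.0)
    + load(733, r"C:\Users\kim\AppData\Local\Temp\upd.exe", 0, 45, 97.0)
    + load(512, r"C:\Program Files\Browser\browser.exe", 0, 10, 85.0)
    + load(512, r"C:\Program Files\Browser\browser.exe", 10, 35, 12.0)
)

if __name__ == "__main__":
    for row in findings(SAMPLES):
        print(row)
```

The renderer is still reported, at the lower `review` level, because sustained load alone cannot separate an approved GPU workload from mining; the path check is what raises the priority.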
5. Harden User Awareness Training
Teach employees how to verify software downloads, recognize manipulated search results, and avoid trusting links from unverified AI outputs. Security awareness should now include search hygiene and AI content validation.
What IT Leaders Should Do Next
For IT and security leaders, the key takeaway is simple. Cryptojacking is no longer just a commodity malware issue. It is an enterprise trust issue involving search, remote administration, and native system tools.
Review whether your organization has clear governance for remote support software, software download approval, user access to AI tools and external search results, monitoring of suspicious compute consumption, and incident response for unauthorized resource use. For broader hardening, teams can also review their antivirus solutions and how they detect unwanted mining behavior.
If these controls are weak, an attacker does not need a sophisticated exploit chain to generate value from your infrastructure. They only need a convincing web page, a trusted utility, and enough time to mine.
Conclusion
This cryptojacking campaign shows how attackers continue to blend trusted software, search manipulation, and modern user behavior to gain access to high-performance Windows systems. By abusing ScreenConnect and Microsoft .NET utilities, and by reaching users through poisoned search results and AI-surfaced links, the threat actors created a low-noise path to GPU mining.
For businesses, the lesson is clear: resource abuse is a security problem, not just an IT nuisance. Strong software governance, endpoint visibility, and user education are now essential defenses against cryptojacking and the broader abuse of trusted tools.
FAQ
What is cryptojacking?
Cryptojacking is the unauthorized use of a device’s computing resources to mine cryptocurrency. Attackers typically run mining software on compromised systems to profit from the victim’s hardware and electricity.
Why is ScreenConnect being used in cryptojacking attacks?
ScreenConnect is a legitimate remote support tool, which makes it useful for attackers who want to blend in with normal administrative activity. If abused, it can help them maintain access and control compromised endpoints more quietly.
How can businesses protect against search poisoning and AI-surfaced malicious links?
Organizations should restrict software downloads to trusted sources, train users to verify links, and apply web filtering and endpoint protection. It also helps to monitor for unusual installations, remote access tools, and unexpected resource spikes on endpoints.