AI chatbots help Cryptojackers target PC gamers with malicious downloads
Cryptojackers are targeting PC users with high-performance GPUs with fake downloads
Microsoft has confirmed that AI Chatbots are now serving malicious/fake downloads for trusted PC utilities like CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear. Alongside the creation of fake websites that trick modern search engines, these recommendations highlight how easily AI chatbots can be fooled into recommending malware.
Attackers are using these fake downloads to target users who are likely to own high-end PCs. These users have systems with the greatest cryptocurrency mining potential. This “cryptojacking campaign” also “establishes persistent remote access” to a user’s system by abusing ScreenConnect, enabling data theft and ransomware activity.
Microsoft Defender Experts identified an active cryptojacking campaign in which malicious download sites are surfaced not only through traditional search engine poisoning, but also through AI chatbot interactions. This emerging delivery technique extends social engineering beyond conventional search results and increases the visibility of malicious software recommendations.
The campaign impersonates trusted system utilities including CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear to target users likely to own high-performance GPUs. Rather than maximizing infection volume, the threat actor appears focused on compromising systems with higher mining value.
Beyond cryptocurrency mining, the campaign establishes persistent remote access through abused ScreenConnect deployments that could later support data theft, lateral movement, or ransomware activity. This combination of AI-assisted delivery, software impersonation, and persistent access highlights how threat actors are adapting social engineering and monetization strategies to modern user behavior.
Microsoft Defender detected and blocked activity associated with this campaign. Organizations should enable cloud-delivered protection, run EDR in block mode, and enable attack surface reduction rules to reduce risk.
– Microsoft
AI Chatbots are now recommending downloads from attacker-controlled domains
The existence of this malware-installing campaign proves that there are deep issues with how AIs generate responses. Links are provided to malicious downloads masquerading as official ones. Long-running, trusted websites are being ignored in favour of newly established fake websites that exploit the recommendations system.
This “AI search result poisoning” is an extension of existing “traditional SEO poisoning”. Today’s search engines and AI chatbots can recommend malicious websites/downloads, with no consequences. PC users should be aware that trusting AI chatbots to find download links for popular tools is a risk that’s not worth taking. If you want to keep your PC malware-free, don’t trust an AI to find you a proper download link.
In April 2026, we observed reports indicating that users may have been directed to malicious domains through interactions with large language model (LLM)–based tools. In these cases, users querying AI chatbots for software download recommendations were presented with links to attacker‑controlled domains within generated responses. Analysis of VirusTotal scan associated with these domains further identified traffic metadata referencing chatbot interactions as a potential referral context.
While this behavior is based on observed patterns and correlated data sources, it’s consistent with emerging techniques in AI search result poisoning, representing an extension of traditional SEO poisoning beyond conventional search engines.
– Microsoft
PC users should ensure they download software only from official/trusted sources. They should also check that any link recommended by a search engine or AI chatbot actually points to the official download source. If you want to avoid malware, be careful where you download software.
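One way to apply that check is to pin each tool to its vendor's domain and test a suggested link against it before downloading. This is an added example, not code from Microsoft or the article; the vendor domains are the editor's assumption and should be verified independently, and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Assumption: vendor domains as known to the editor, not taken from the article.
# Verify each one independently before relying on this list.
OFFICIAL_DOMAINS = {
    "CrystalDiskInfo": {"crystalmark.info"},
    "HWMonitor": {"cpuid.com"},
    "Display Driver Uninstaller": {"wagnardsoft.com"},
    "FurMark": {"geeks3d.com"},
    "K-Lite Codec Pack": {"codecguide.com"},
    "PDFgear": {"pdfgear.com"},
}

def check_download_link(tool, url):
    """Return (ok, reason) for a link suggested by a search engine or chatbot."""
    allowed = OFFICIAL_DOMAINS.get(tool)
    if allowed is None:
        return False, "no pinned domain for this tool"
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    if not host:
        return False, "no host"
    if parts.username is not None:
        # The vendor name sits before '@'; the real host comes after it.
        return False, "userinfo before host"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalized host (possible homograph)"
    # Exact match or a true subdomain. A bare suffix test would also accept
    # a look-alike such as "notcpuid.com".
    if any(host == d or host.endswith("." + d) for d in allowed):
        return True, "host matches pinned domain"
    return False, "host is not a pinned domain"

if __name__ == "__main__":
    # Constructed sample links; the .example hosts are placeholders.
    samples = [
        ("HWMonitor", "https://www.cpuid.com/softwares/hwmonitor.html"),
        ("HWMonitor", "https://cpuid.com.downloads.example/hwmonitor"),
        ("FurMark", "https://geeks3d.com@mirror.example/furmark"),
        ("PDFgear", "http://www.pdfgear.com/"),
    ]
    for tool, url in samples:
        print(tool, url, check_download_link(tool, url))
```

A passing result only says the link is on the pinned domain; it does not vouch for the file itself.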
