From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

Microsoft Defender Experts identified an active cryptojacking campaign leveraging AI-assisted delivery mechanisms alongside traditional SEO poisoning. Attackers create fake download sites impersonating trusted utilities like CrystalDiskInfo, HWMonitor, and FurMark, targeting users with high-performance GPUs. Victims download ZIP archives containing legitimate executables bundled with malicious DLLs that establish persistence via ScreenConnect remote access tools. The operation employs sophisticated techniques including DLL sideloading, process hollowing into Microsoft-signed .NET binaries, and comprehensive defense evasion. Beyond cryptocurrency mining, the campaign establishes persistent remote access that could enable data theft, lateral movement, or ransomware deployment. The threat actors deliberately target PC enthusiasts and hardware-focused users most likely to own discrete GPUs suitable for profitable mining operations.

Pulse ID: 6a1634fbefeffa7f0c6a52f5
Pulse Link: https://otx.alienvault.com/pulse/6a1634fbefeffa7f0c6a52f5
Pulse Author: AlienVault
Created: 2026-05-27 00:04:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CryptoJacking #CyberSecurity #DataTheft #InfoSec #Microsoft #MicrosoftDefender #NET #OTX #OpenThreatExchange #RAT #RansomWare #Rust #SEOPoisoning #SMS #ScreenConnect #SideLoading #ZIP #bot #cryptocurrency #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Microsoft Defender can now automatically isolate a compromised device

Microsoft Defender for Endpoint can now automatically isolate a compromised device in order to limit the spread of an attack across the network.

JustGeek

Microsoft Defender Automatically Isolates Hacked Endpoints

Microsoft Defender for Endpoint just got a major boost with its new automatic isolation feature, which swiftly isolates compromised devices to prevent attackers from wreaking havoc on your organization. This cutting-edge capability is part of Microsoft's automatic attack disruption feature, designed to contain…

https://osintsights.com/microsoft-defender-automatically-isolates-hacked-endpoints?utm_source=mastodon&utm_medium=social

#MicrosoftDefender #EndpointSecurity #AutomaticAttackDisruption #ThreatContainment #EmergingThreats

Microsoft Defender Automatically Isolates Hacked Endpoints

Learn how Microsoft Defender for Endpoint automatically isolates hacked devices to prevent lateral movement, and take action to protect your organization now with this powerful security feature.

OSINTSights

The Gentleman Ransomware | Defense Evasion TTPs Uncovered

In April and May 2026, investigations revealed two incidents involving The Gentlemen ransomware-as-a-service operation, which has claimed over 400 victims across 70 countries since mid-2025. Both incidents demonstrated common tactics including Scheduled Tasks, PowerShell commands, and defense evasion techniques such as clearing Security, System, and Application Event Logs, disabling Microsoft Defender, and adding antivirus exclusions. A leaked internal database in early May exposed the operation's infrastructure, affiliate structure, and targeting of vulnerabilities like CVE-2024-55591. The attacks showed threat actors using RDP connections, disguised executables, SOCKS proxy connections for persistence, and domain-wide deployment via NETLOGON shares. Despite attempts to evade detection, sufficient forensic telemetry remained for analysis, revealing workstation names previously associated with Qilin ransomware and Lazarus infrastructure.

Pulse ID: 6a0f8f34dd916c38a643df30
Pulse Link: https://otx.alienvault.com/pulse/6a0f8f34dd916c38a643df30
Pulse Author: AlienVault
Created: 2026-05-21 23:03:16

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #Lazarus #Microsoft #MicrosoftDefender #OTX #OpenThreatExchange #PowerShell #Proxy #RAT #RDP #RansomWare #RansomwareAsAService #bot #AlienVault


Microsoft Discloses Actively Exploited Defender Vulnerabilities

Microsoft warns of two critical vulnerabilities in its Defender software, one of which is being actively exploited by attackers to gain elevated privileges, and the other causing denial-of-service issues. These flaws, tracked as CVE-2026-41091 and CVE-2026-45498, highlight the need for urgent patching to…

https://osintsights.com/microsoft-discloses-actively-exploited-defender-vulnerabilities?utm_source=mastodon&utm_medium=social

#MicrosoftDefender #VulnerabilityExploitation #LocalPrivilegeEscalation #Cve202641091 #Cve202645498

Microsoft Discloses Actively Exploited Defender Vulnerabilities

Learn about actively exploited Microsoft Defender vulnerabilities, including CVE-2026-41091, and take immediate action to protect your system from potential attacks and privilege escalation.

OSINTSights

How to add an exclusion in Microsoft Defender on Windows 11

Is Microsoft Defender blocking a legitimate program on Windows 11? Here is how to add an exclusion without disabling the antivirus.

JustGeek

Microsoft Disrupts Zero-Day Attacks with Defender Patch Rollout

Microsoft is taking swift action to protect its users from zero-day attacks with an emergency patch rollout for its Defender software, ensuring that even the most vulnerable systems are safeguarded. The update addresses two critical vulnerabilities that were being actively exploited by hackers.

https://osintsights.com/microsoft-disrupts-zero-day-attacks-with-defender-patch-rollout?utm_source=mastodon&utm_medium=social

#ZeroDay #MicrosoftDefender #Cve202641091 #Cve202645498 #EmergingThreats

Microsoft Disrupts Zero-Day Attacks with Defender Patch Rollout

Microsoft patches two actively exploited Defender zero-days with emergency updates, learn how to secure your systems now with the latest Defender patch rollout.

OSINTSights

DigiCert breached via malicious screensaver file - Help Net Security

A security breach at DigiCert enabled attackers to issue code signing certificates later used to sign malware.

Help Net Security