Malware

GMiner

GMiner is a GPU-focused cryptocurrency mining program used as a final-stage payload in multiple malware and cryptojacking operations described in the source content. Microsoft reported it as one of the miners dynamically deployed in an active 2026 campaign that used more than 150 fake software download sites, SEO poisoning, and in some observed cases AI chatbot-recommended links to lure users searching for utilities such as CrystalDiskInfo, HWMonitor, DDU, FurMark, K-Lite Codec Pack, and PDFgear. In that campaign, victims downloaded ZIP archives containing a legitimate executable and a malicious autorun.dll used for DLL sideloading; the infection chain then installed abused ScreenConnect/ConnectWise Control for persistent remote access, delivered SimpleRunPE.exe, established persistence via Registry Run keys, scheduled tasks, and Startup artifacts, added Microsoft Defender exclusions, performed anti-analysis checks, and used process hollowing into trusted Microsoft-signed .NET binaries such as MSBuild.exe, InstallUtil.exe, RegAsm.exe, RegSvcs.exe, AppLaunch.exe, AddInProcess.exe, and aspnet_compiler.exe. The malware profiled the host, including GPU and system characteristics, communicated with attacker infrastructure including wss://minemine.gleeze[.]com:8443/ws and ScreenConnect-related infrastructure at 193.42.11[.]108, and then selected and downloaded GMiner, lolMiner, or SRBMiner-MULTI at runtime. Microsoft noted the operation appeared to prioritize systems with powerful discrete GPUs, including gamers, hardware enthusiasts, overclockers, and AI users, and warned the ScreenConnect foothold could also support data theft, lateral movement, and ransomware deployment. The content also links GMiner to the Linux-focused ShadowHS framework reported by Cyble, where it appears as one of several supported CPU/GPU mining workflows alongside XMRig, XMR-Stak, and lolMiner, with pool failover logic. High-confidence related indicators and artifacts in the Microsoft-described campaign include autorun.dll, vcredist_x64.dll, SimpleRunPE.exe, RuntimeHost.exe, vlc.exe, gleeze[.]com subdomains, giize[.]com-related domains, and monitoring/evasion behavior triggered by tools such as Task Manager, Process Explorer, Process Hacker, Wireshark, ProcMon, dnSpy, IDA, Ghidra, and x64dbg.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique

T1608.006SEO PoisoningEvidence2

A sophisticated cryptojacking campaign is actively targeting users who search for popular PC utilities online... The attackers have built a network of more than 150 fake download sites that closely mimic trusted utility portals.

Initial Access

1 technique

T1566.002Spearphishing LinkEvidence2

In April 2026, researchers observed users receiving links to attacker-controlled domains directly from AI chatbot recommendations when asking for software download suggestions.

Persistence

1 technique

T1112Modify RegistryEvidence1

The malware simplerunpe.exe invokes PowerShell to call the Add-MpPreference cmdlet, registering both path-based and process-based exclusions.

Privilege Escalation

1 technique

T1055.012Process HollowingEvidence2

SimpleRunPE.exe does the heavy lifting from there... and uses process hollowing to inject mining code into a trusted Microsoft-signed binary.

Stealth

2 techniques

T1055.012Process HollowingEvidence2

SimpleRunPE.exe does the heavy lifting from there... and uses process hollowing to inject mining code into a trusted Microsoft-signed binary.

T1497.001System ChecksEvidence3

The malware also watches for analysis tools like Windows Task Manager, Process Hacker, and Process Explorer. The moment it detects any of them running, it immediately pauses mining to avoid suspicion.

Defense Impairment

1 technique

T1112Modify RegistryEvidence1

The malware simplerunpe.exe invokes PowerShell to call the Add-MpPreference cmdlet, registering both path-based and process-based exclusions.

Discovery

3 techniques

T1082System Information DiscoveryEvidence3

Закрепившись в системе, вредонос собирал подробную информацию о зараженной машине

T1497.001System ChecksEvidence3

T1518Software DiscoveryEvidence1

Rather than embedding the miners directly into the malware, the payload dynamically downloaded the most appropriate mining software after conducting extensive reconnaissance on the victim system, including GPU model, CPU specifications, installed antivirus software, memory configuration, and overall system activity.

Command and Control

2 techniques

T1071Application Layer ProtocolEvidence1

связывался с управляющим сервером и загружал один из майнеров — gminer, lolMiner или SRBMiner-MULTI

T1105Ingress Tool TransferEvidence1

Rather than embedding the miners directly into the malware, the payload dynamically downloaded the most appropriate mining software after conducting extensive reconnaissance on the victim system...

Impact

1 technique

T1496Resource HijackingEvidence5

Anyone visiting one of these sites and clicking the download button ends up with a ZIP archive containing both the real software and a hidden malicious file... secretly mine cryptocurrency using their own GPU.

Other

1 technique

T1562.001Disable or Modify ToolsEvidence1

Defender exclusions The malware simplerunpe.exe invokes PowerShell to call the Add-MpPreference cmdlet, registering both path-based and process-based exclusions.

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

2 tracked

IPs, domains, and DNS infrastructure linked to this family.

TypeValueLatest sighting

ip.v4●●●●●●●●●●●●View more in apptoday

domain●●●●●●●●●●●●View more in apptoday

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

8 SOURCESView more in app

cyber security newsNews

Jun 10, 2026

Hackers Abuse Fake Utility Downloads to Install ScreenConnect and Mine Cryptocurrency

gminer is one of the final GPU cryptocurrency mining payloads deployed in the campaign to mine cryptocurrency on victim systems.

toms hardwareNews

May 29, 2026

Microsoft warns GPU mining malware is being spread to users through SEO poisoning and AI chatbots - cryptojacking campaign targets gamers and high-end PC users with downloads disguised as popular PC utilities | Tom's Hardware

GPU-focused cryptocurrency mining software deployed on compromised systems after reconnaissance to mine cryptocurrency while evading user detection.

xakepNews

May 29, 2026

Майнинговая малварь распространяется через рекомендации ИИ-чат-ботов - Хакер

Майнер криптовалют, использующий GPU зараженной системы для добычи криптовалюты.

help net securityNews

May 27, 2026

AI chatbot recommendations lure users to cryptojacking malware sites - Help Net Security

A cryptocurrency mining program downloaded at runtime as part of the final-stage payload.

+4 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching2

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping11

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.