
SRBMiner-MULTI

SRBMiner-MULTI is a GPU-focused cryptocurrency mining program observed as a final payload in an active cryptojacking campaign reported by Microsoft in 2026. In the documented activity, attackers used more than 150 fake software download sites impersonating popular utilities such as CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear to target users likely to own high-performance discrete GPUs, including gamers, hardware enthusiasts, and AI developers/users. Infection commonly began with malicious ZIP archives containing a legitimate executable and a malicious autorun.dll used for DLL sideloading. The sideloaded DLL installed a second-stage component, including a packaged ScreenConnect installer disguised as vcredist_x64.dll, giving the attackers persistent remote access. Attackers then delivered SimpleRunPE.exe, which established persistence via Registry Run keys, scheduled tasks, and Startup artifacts, added Microsoft Defender exclusions, performed anti-analysis checks, and used process hollowing into trusted Microsoft-signed .NET binaries such as MSBuild.exe, InstallUtil.exe, RegAsm.exe, RegSvcs.exe, AppLaunch.exe, AddInProcess.exe, and aspnet_compiler.exe. After host reconnaissance, the malware dynamically selected and downloaded one of several miners, including SRBMiner-MULTI, gminer, or lolMiner, based on system characteristics such as GPU capability. The broader malware monitored for analysis and system-monitoring tools including Task Manager, Process Explorer, Process Hacker, System Informer, dnSpy, x64dbg, IDA, Ghidra, ProcMon, Wireshark, and Fiddler, and paused or terminated mining when such tools were detected. Microsoft also reported campaign infrastructure including gleeze[.]com subdomains, WebSocket C2 at wss://minemine.gleeze[.]com:8443/ws, attacker-controlled ScreenConnect infrastructure at 193.42.11[.]108, and related domains such as directdownload[.]icu. 
Within this campaign, SRBMiner-MULTI was one of the GPU mining payloads used to monetize compromised hosts.
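An added triage script (not from Mallory or the Microsoft report) that checks exported process and network telemetry for three behaviours described above: Defender exclusions added via Add-MpPreference, outbound connections to the reported campaign infrastructure, and network activity from the signed .NET binaries the campaign hollowed into. The key="value" event layout and the sample lines are constructed assumptions.

```python
import ntpath
import re

# Signed .NET hosts the report says SimpleRunPE hollowed into; these build and
# registration tools have no reason to open outbound sockets on a workstation.
HOLLOW_HOSTS = {"msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe",
                "applaunch.exe", "addinprocess.exe", "aspnet_compiler.exe"}
# Campaign infrastructure named in the report (refanged here for matching).
C2_DOMAINS = ("gleeze.com", "directdownload.icu")
C2_IPS = {"193.42.11.108"}
# Add-MpPreference with a path or process exclusion, case-insensitive.
EXCLUSION_RE = re.compile(r"add-mppreference\b.*-exclusion(?:path|process)\b", re.I)

# Constructed sample events (not real captures); the key="value" layout is an assumption.
SAMPLE_EVENTS = [
    r'id="1" type="process" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r'cmdline="powershell -c Add-MpPreference -ExclusionPath C:\Users\u\AppData\Roaming '
    r'-ExclusionProcess SimpleRunPE.exe"',
    r'id="2" type="network" image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" '
    r'dest="minemine.gleeze.com" dport="8443"',
    r'id="3" type="process" image="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" '
    r'cmdline="MSBuild.exe build.proj"',
    r'id="4" type="network" image="C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'dest="www.example.com" dport="443"',
]

def parse_event(line):
    """Turn one key="value" line into a dict (values contain no double quotes)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def is_c2_dest(dest):
    """True if dest is a reported campaign IP, domain, or subdomain of one."""
    d = dest.lower().rstrip(".")
    return d in C2_IPS or any(d == dom or d.endswith("." + dom) for dom in C2_DOMAINS)

def triage(lines):
    """Return (rule, event id) hits, in event order, for the three behaviours."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        image = ntpath.basename(ev.get("image", "")).lower()
        if ev.get("type") == "process" and EXCLUSION_RE.search(ev.get("cmdline", "")):
            hits.append(("defender_exclusion", ev["id"]))
        elif ev.get("type") == "network":
            if is_c2_dest(ev.get("dest", "")):
                hits.append(("c2_infrastructure", ev["id"]))
            if image in HOLLOW_HOSTS:  # a hollowed build tool talking to the network
                hits.append(("hollowed_dotnet_host", ev["id"]))
    return hits

if __name__ == "__main__":
    for rule, eid in triage(SAMPLE_EVENTS):
        print(f"event {eid}: {rule}")
```

A benign MSBuild.exe process event alone (event 3) is not flagged; only network activity from those hosts is, which keeps developer workstations from drowning the rule in noise.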


MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1608.006 SEO Poisoning (Evidence: 2)

A sophisticated cryptojacking campaign is actively targeting users who search for popular PC utilities online... The attackers have built a network of more than 150 fake download sites that closely mimic trusted utility portals.

Initial Access

1 technique
T1566.002 Spearphishing Link (Evidence: 2)

In April 2026, researchers observed users receiving links to attacker-controlled domains directly from AI chatbot recommendations when asking for software download suggestions.

Persistence

1 technique
T1112 Modify Registry (Evidence: 1)

The malware simplerunpe.exe invokes PowerShell to call the Add-MpPreference cmdlet, registering both path-based and process-based exclusions.

Privilege Escalation

1 technique
T1055.012 Process Hollowing (Evidence: 2)

SimpleRunPE.exe does the heavy lifting from there... and uses process hollowing to inject mining code into a trusted Microsoft-signed binary.

Stealth

2 techniques
T1055.012 Process Hollowing (Evidence: 2)

SimpleRunPE.exe does the heavy lifting from there... and uses process hollowing to inject mining code into a trusted Microsoft-signed binary.

T1497.001 System Checks (Evidence: 3)

The malware also watches for analysis tools like Windows Task Manager, Process Hacker, and Process Explorer. The moment it detects any of them running, it immediately pauses mining to avoid suspicion.

Defense Impairment

1 technique
T1112 Modify Registry (Evidence: 1)

The malware simplerunpe.exe invokes PowerShell to call the Add-MpPreference cmdlet, registering both path-based and process-based exclusions.

Discovery

3 techniques
T1082 System Information Discovery (Evidence: 3)

Having established persistence on the system, the malware collected detailed information about the infected machine

T1497.001 System Checks (Evidence: 3)

The malware also watches for analysis tools like Windows Task Manager, Process Hacker, and Process Explorer. The moment it detects any of them running, it immediately pauses mining to avoid suspicion.

T1518 Software Discovery (Evidence: 1)

Rather than embedding the miners directly into the malware, the payload dynamically downloaded the most appropriate mining software after conducting extensive reconnaissance on the victim system, including GPU model, CPU specifications, installed antivirus software, memory configuration, and overall system activity.

Command and Control

2 techniques
T1071 Application Layer Protocol (Evidence: 1)

contacted the command-and-control server and downloaded one of the miners: gminer, lolMiner, or SRBMiner-MULTI

T1105 Ingress Tool Transfer (Evidence: 1)

Rather than embedding the miners directly into the malware, the payload dynamically downloaded the most appropriate mining software after conducting extensive reconnaissance on the victim system...

Impact

1 technique
T1496 Resource Hijacking (Evidence: 4)

Anyone visiting one of these sites and clicking the download button ends up with a ZIP archive containing both the real software and a hidden malicious file... secretly mine cryptocurrency using their own GPU.

Other

1 technique
T1562.001 Disable or Modify Tools (Evidence: 1)

Defender exclusions: The malware simplerunpe.exe invokes PowerShell to call the Add-MpPreference cmdlet, registering both path-based and process-based exclusions.

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
