Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommendations.

The compromise occurs through malicious download pages for utility software typically installed by owners of powerful systems, like CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear.

Once a system is infected, the attacker gets persistent access on the machine by deploying the legitimate remote management ScreenConnect tool, which could later be used to install additional malware.