Last updated: July 5, 2026 at 9:01 AM UTC
Tag: screenconnect (3 articles)

Microsoft: cryptojacking campaign uses AI chatbot recommendations and SEO poisoning to push fake GPU utilities, deploys ScreenConnect persistence

Microsoft has warned of an active cryptojacking campaign that surfaces malicious download sites through AI chatbot recommendations, extending SEO poisoning beyond conventional search. Attackers impersonate legitimate system utilities - CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, PDFgear - to target users with high-performance GPUs, prioritizing mining yield per host over mass infection. Beyond mining, the operators deploy ScreenConnect for persistent remote access enabling data theft, lateral movement, or ransomware. Victims who ask LLM-based tools for software-download recommendations are served links to attacker domains on subdomains of gleeze[.]com, hosted via Dynu dynamic DNS. Microsoft says it has detected and blocked the activity.

Check
Hunt for ScreenConnect installs you did not authorize and traffic to gleeze[.]com subdomains or Dynu dynamic-DNS hosts. Flag downloads of GPU/hardware utilities from non-official domains.
Affected
Users with high-performance GPUs who download system utilities (CrystalDiskInfo, HWMonitor, FurMark, etc.) via search results or AI chatbot recommendations. Gaming, engineering, and ML workstations at highest risk.
Fix
Block gleeze[.]com and known Dynu C2 at egress. Source utilities only from official vendor sites. Educate users that AI-chatbot download links can be SEO-poisoned. Monitor GPU-utilization anomalies.

Phishing campaign hit 80+ companies by getting employees to install legitimate remote-access software disguised as a Social Security letter

Securonix tracked a phishing campaign called VENOMOUS#HELPER that has hit 80+ organizations (mostly in the US) since April 2025 by getting employees to install legitimate remote-monitoring software they think is a Social Security Administration document. The lure is a fake SSA email asking the recipient to download their statement; the link points to a compromised Mexican business website hosting a SimpleHelp installer. Once installed, the attackers gain SYSTEM-level access, then quietly install ConnectWise ScreenConnect as a backup channel. The pattern aligns with initial-access broker activity: quiet persistence, then sale or hand-off to ransomware operators.

Check
Hunt every Windows endpoint for SimpleHelp and ConnectWise ScreenConnect installs not authorized by IT. Search proxy logs for connections to gruta.com.mx since April 2025.
Affected
Windows endpoints in organizations without strict application allowlisting. 80+ confirmed victims, mostly US, across multiple sectors. Acute risk: companies whose staff regularly receive government correspondence (SSA, IRS, state tax) where 'verify and download' lures feel routine. Initial access brokers run these campaigns to sell footholds, so any compromised host becomes a potential ransomware launchpad weeks later.
Fix
Enforce application allowlisting on Windows endpoints to block unapproved RMM software. Remove unauthorized SimpleHelp, ScreenConnect, PDQ Connect, LogMeIn Resolve, N-able, or Fleetdeck installs and treat the host as compromised. Block Securonix's published indicators (gruta.com.mx, server.cubatiendaalimentos.com.mx) at the network egress layer. Rotate credentials on affected hosts.

Hackers are stealing entire truckloads of cargo by phishing freight brokers - $725 million in losses last year alone, FBI warns

The FBI issued a public service announcement Wednesday warning that cyber-enabled cargo theft has surged 60% to $725 million in losses across the US and Canada in 2025. The pattern: criminals phish freight brokers and carriers via spoofed emails, install remote-monitoring software like ScreenConnect or Pulseway, then post fraudulent listings on freight load boards under the broker's identity. Real shippers respond, hand over high-value cargo, and the load is diverted to criminal-controlled drivers. The average theft is now $273,990 - a 36% jump from 2024. Cargo theft also funds drug trafficking and money laundering, not just direct resale.

Check
If your organization ships, brokers, or carries freight, verify every shipment request through a second channel (phone call to a known number, not an email reply) before releasing cargo or accepting a new load.
Affected
US and Canadian shipping brokers, freight carriers, and shippers using online load boards. Particularly acute for mid-sized brokers with limited IT staff - they're easier to phish and have less monitoring of remote access tools. Food, beverage, and consumer goods shipments are most targeted because they're easy to resell.
Fix
Verify shipment requests through a second channel. Enforce MFA on load board accounts and email accounts. Monitor for unauthorized remote-monitoring software installs (ScreenConnect, Pulseway, SimpleHelp) on broker workstations - these are the standard attacker toolkit. Audit email for suspicious mailbox rules that auto-forward or auto-delete. File incidents with IC3 alongside police reports.