
Microsoft: cryptominer via SEO/AI — EDR/XDR and NIS 2 in action

Microsoft disclosed an active cryptomining campaign spread via SEO poisoning and AI recommendations. Here’s how an EDR/XDR stack detects, contains, and evidences compliance with NIS 2 and DORA.

Excerpt. On 27 May 2026, Microsoft exposed an active cryptomining campaign spread via SEO poisoning and AI recommendations, with public IoCs (e.g., gleeze[.]com). Here is how an EDR/XDR stack detects, contains, and reports in line with NIS 2 and, for DORA entities, Article 10.

What happened

On 27 May 2026, Microsoft warned about a cryptojacking campaign targeting high‑GPU workstations, propagated through booby‑trapped download pages and, in some cases, through AI assistant answers pointing to attacker‑controlled domains. The analysis, covered by BleepingComputer, details a multi‑stage chain: a ZIP archive bundling a legitimate executable (e.g., CrystalDiskInfo/HWMonitor) with a malicious DLL, installation of ScreenConnect for persistence, dropping SimpleRunPE.exe renamed to RuntimeHost.exe, process hollowing into Microsoft‑signed .NET binaries (InstallUtil.exe, RegAsm.exe, RegSvcs.exe, MSBuild.exe, AppLaunch.exe, AddInProcess.exe, aspnet_compiler.exe), Defender tampering via PowerShell exclusions, then downloading a miner (gminer, lolMiner, or SRBMiner‑MULTI) to maximize GPU yield per compromised host. A key IoC is a subdomain hosted on gleeze[.]com serving malicious ZIP archives.

Sources: BleepingComputer, 27/05/2026, summarizing Microsoft’s analysis, with the IoC gleeze[.]com and detailed TTPs. See also the Microsoft article referenced by BleepingComputer.

Public IoCs (useful extracts for your filters)

  • Domains: gleeze[.]com (malicious download subdomains, per Microsoft via BleepingComputer)
  • Files/Artifacts: SimpleRunPE.exe (copied as RuntimeHost.exe), vcredist_x64.dll installed via msiexec.exe, executable masquerading as vlc.exe
  • Abused legitimate tools: InstallUtil.exe, RegAsm.exe, RegSvcs.exe, MSBuild.exe, AppLaunch.exe, AddInProcess.exe, aspnet_compiler.exe
  • Miners: gminer, lolMiner, SRBMiner‑MULTI

Ref.: BleepingComputer.

The applicable legal framework

  • NIS 2, Article 21 — cybersecurity risk management measures, including incident detection, logging and continuous monitoring, and access control policies. In Luxembourg, entities fall under the 5 May 2026 law (ILR). ILR centralizes NIS 2 Luxembourg information and the SERIMA portal for notifications. For a local operational view, see NIS 2 in Luxembourg. Refs: ILR — NISS/NIS 2; legal text: NIS 2 — Article 21.
  • DORA (EU 2022/2554) — for financial entities:
    • Article 9 (Protection & prevention): hardening technical controls, automated isolation mechanisms.
    • Article 10 (Detection): multilayer mechanisms, alert thresholds, and response process triggers. Official text: EUR‑Lex DORA.
    • CSSF 25/893 — Luxembourg modalities for reporting major ICT incidents and significant cyber threats via eDesk. Refs: CSSF 25/893 and CSSF — ICT & cyber risk (DORA).

The technical solution to deploy: EDR/XDR to detect and evidence

Objective. Rapidly detect the above TTPs, contain execution, and document audited evidence (logs, telemetry) required by NIS 2/DORA.

How it works. An EDR/XDR stack collects endpoint/network/identity telemetry and triggers behavioral rules:

  • Process hollowing of a Microsoft‑signed binary by SimpleRunPE.exe → detect via parent/child anomalies, memory injection, and unusual execution of InstallUtil.exe/RegAsm.exe.
  • Living‑off‑the‑land with msiexec.exe installing ScreenConnect → correlate EDR (process) + NDR (egress to vendor domains/ASNs) + block unapproved installs.
  • Abnormal persistence (multiple autostart footholds) → rules on Run keys creation, Task Scheduler, services.
  • Defender tampering (PowerShell exclusions) → alert on Set-MpPreference events.
  • GPU mining (gminer/lolMiner/SRBMiner) → detect via process fingerprints + anomalous GPU spikes outside approved compute windows.
  • IOC matching → block/resolve DNS and HTTP(S) to gleeze[.]com and related domains; sandbox suspicious ZIP archives.

Frameworks. ISO/IEC 27001 A.8.16 (monitoring), A.8.23 (malware protection); NIST CSF 2.0 ID/PR/DE/RS; CIS Controls v8: 8, 10, 13.

How Luxgap delivers this

  • Our 24/7 managed SOC. We integrate your existing EDR/XDR (or deploy one), ingest feeds, push campaign‑specific rules (hollowing into signed .NET binaries, ScreenConnect install, Defender tampering), enrich with public IoCs and our TI, then run the detect–enrich–contain triad (MITRE T1055, T1218, T1562). Escalations in <15 minutes with containment playbooks. Explore our managed SOC capability.
  • Our ISO 27001 governance. Lead Implementers design the “controls → evidence” matrix for NIS 2 Art. 21 and DORA Arts. 9/10: log retention, alert criteria, test scenarios, and mapping to internal policies.
  • Our threat intelligence/dark web monitoring. We track campaigns & IoCs (domain, hash, IP) across 12+ open/closed sources and publish turnkey detection updates into your tools.

Real‑world case in Luxembourg or the EU

A Luxembourg‑based financial services firm (DORA‑scoped) raised alerts for abnormal InstallUtil.exe execution on 3 R&D workstations. Our SOC correlated msiexec.exe installing ScreenConnect and outbound connections to a gleeze[.]com subdomain. Within 30 minutes: host network isolation, persistence removal, DNS block of the domain, and RMM client removal. Within 24 hours: classification and eDesk pre‑report (DORA/CSSF 25/893) prepared with EDR telemetry and a consolidated timeline, then final report enriched with indicators and corrective actions.

First concrete steps

  1. Block IoCs now. Add gleeze[.]com and related domains to DNS/proxy blocks; create EDR rules to detect InstallUtil.exe/RegAsm.exe/RegSvcs.exe/MSBuild.exe launched by unsigned or unknown binaries.
  2. Control RMM tools. Inventory and allow‑list approved RMMs; alert on any unapproved ScreenConnect installation via msiexec.exe.
  3. Monitor Defender/AV. Alert on any exclusion changes (Set-MpPreference) and restrict them to admins.
  4. Harden downloads. Reputation‑filter ZIP archives from search engines; provide a vetted internal portal for utilities (verified hash/publisher).
  5. Frame compliance. Update your detection policy (DORA Art. 10/NIS 2 Art. 21), define alert thresholds, and prepare notification templates (SERIMA ILR / CSSF eDesk). Luxembourg actors can leverage our dedicated page DORA Luxembourg for contacts and key milestones.
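The behavioral rules from the “How it works” list and steps 1–3 above, expressed as detection logic over sample endpoint telemetry. This is an added example, not Luxgap’s or Microsoft’s code; the event schema, host names, the subdomain and the allow‑list are constructed placeholders, while the binary names, miner names, domain and MITRE IDs come from the page (T1496, Resource Hijacking, is added for the miner rule).

```python
from dataclasses import dataclass

# Campaign specifics from the page; everything else below is constructed.
HOLLOW_TARGETS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                  "applaunch.exe", "addinprocess.exe", "aspnet_compiler.exe"}
MINERS = {"gminer.exe", "lolminer.exe", "srbminer-multi.exe"}
IOC_DOMAINS = {"gleeze.com"}          # page IoC, shown defanged as gleeze[.]com

@dataclass
class Event:
    host: str
    kind: str                # "process" or "dns" (assumed simplified EDR schema)
    image: str = ""          # process image file name
    parent: str = ""         # parent image file name
    parent_signed: bool = True
    cmdline: str = ""
    domain: str = ""         # for dns events

def evaluate(ev: Event) -> list:
    """Map one telemetry event to (rule, MITRE technique) hits."""
    hits = []
    img, cmd = ev.image.lower(), ev.cmdline.lower()
    if ev.kind == "process":
        if img in HOLLOW_TARGETS and not ev.parent_signed:      # hollowing target
            hits.append(("signed_dotnet_from_unsigned_parent", "T1055"))
        if img == "msiexec.exe" and "screenconnect" in cmd:      # unapproved RMM
            hits.append(("rmm_install_via_msiexec", "T1218"))
        if img.startswith("powershell") and "set-mppreference" in cmd and "exclusion" in cmd:
            hits.append(("defender_exclusion_change", "T1562"))
        if img in MINERS:                                        # known GPU miner
            hits.append(("known_gpu_miner", "T1496"))
    elif ev.kind == "dns":
        d = ev.domain.lower().rstrip(".")
        if any(d == ioc or d.endswith("." + ioc) for ioc in IOC_DOMAINS):
            hits.append(("ioc_domain_resolution", "IoC"))
    return hits

def triage(events) -> dict:
    """Group hits per host; recommend isolation when two or more distinct rules fire."""
    per_host = {}
    for ev in events:
        for rule, _technique in evaluate(ev):
            per_host.setdefault(ev.host, set()).add(rule)
    return {h: {"rules": sorted(r), "isolate": len(r) >= 2} for h, r in per_host.items()}

# Constructed sample telemetry mirroring the chain described on this page.
SAMPLE = [
    Event("ws-rd-01", "process", image="msiexec.exe", parent="vlc.exe",
          cmdline="/i ScreenConnect.ClientSetup.msi /quiet"),
    Event("ws-rd-01", "process", image="InstallUtil.exe", parent="RuntimeHost.exe", parent_signed=False),
    Event("ws-rd-01", "process", image="powershell.exe", cmdline="Set-MpPreference -ExclusionPath C:\\Users\\Public"),
    Event("ws-rd-01", "dns", domain="sub.gleeze.com"),           # placeholder subdomain
    Event("ws-fin-07", "process", image="MSBuild.exe", parent="devenv.exe", parent_signed=True),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The signed‑parent MSBuild.exe launch on ws-fin-07 produces no hit, which is the point of keying the hollowing rule on parent signature rather than on the binary name alone.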
