Two overlapping intelligence items (SCC-CAM-2026-0369 from Microsoft Defender Experts and SCC-CAM-2026-0354 from The Hacker News/Microsoft) describe the same active campaign targeting Windows endpoints with high-performance GPUs, deploying ScreenConnect as a persistent remote access backdoor and injecting a GPU cryptocurrency miner into Microsoft .NET LOLBins via process hollowing. The campaign uses SEO poisoning and manipulated AI chatbot responses to distribute trojanized versions of common GPU utilities. SCC-CAM-2026-0354 is noted as lower source quality (0.712) and introduces a CVE (CVE-2025-33073) that the source item itself flagged as incorrectly attributed; that CVE is excluded from this rollup.