{"id":2827,"date":"2025-09-15T19:55:18","date_gmt":"2025-09-15T19:55:18","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/09\/15\/seo-poisoning-targets-chinese-users-with-fake-software-sites\/"},"modified":"2025-09-15T19:55:18","modified_gmt":"2025-09-15T19:55:18","slug":"seo-poisoning-targets-chinese-users-with-fake-software-sites","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/09\/15\/seo-poisoning-targets-chinese-users-with-fake-software-sites\/","title":{"rendered":"SEO Poisoning Targets Chinese Users with Fake Software Sites"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A search engine optimization (SEO) poisoning attack aimed at Chinese-speaking Microsoft Windows users has been identified by security researchers.<\/p>\n<p>The campaign, discovered by FortiGuard Labs, manipulated search results to display fraudulent websites that closely resembled legitimate software providers, luring victims into downloading malware.<\/p>\n<h2>Malware Disguised as Trusted Applications<\/h2>\n<p>Attackers registered lookalike domains and used subtle character substitutions to mislead users. Once victims landed on the spoofed websites, they were prompted to install trojanized installers for popular applications.<\/p>
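The lookalike-domain tactic described above can be caught before a user ever reaches the spoofed page. The Python script below is an added example written for this article, not FortiGuard's tooling or anything recovered from the campaign: it triages candidate hostnames against a short, assumed allowlist of vendor domains (deepl.com is the only vendor the article names; notepad-plus-plus.org and 7-zip.org are placeholders) and flags homoglyph substitutions, typo-squats, TLD swaps, brand-plus-affix names and brand names buried in a subdomain. The candidate hostnames in the sample run are constructed for illustration and are not indicators from the campaign.

```python
"""Lookalike-domain triage against an allowlist of software vendors.

Added example for this article (not FortiGuard's tooling). The allowlist and the
candidate hostnames are constructed: deepl.com is the only vendor the article
names; the other entries and every candidate are placeholders.
"""
import unicodedata
from typing import List, Optional, Tuple

# Assumed allowlist: domains users are permitted to download installers from.
LEGIT_DOMAINS = {"deepl.com", "notepad-plus-plus.org", "7-zip.org"}

# Hand-picked confusables: what attackers swap in -> the ASCII it imitates.
# A production tool should load the full Unicode confusables table instead.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, ie, o, er
    "\u0441": "c", "\u0456": "i", "\u0131": "i", "\u0142": "l",  # Cyrillic es, i; dotless i; l-stroke
}


def skeleton(label: str) -> str:
    """Reduce one DNS label to the ASCII a reader perceives: decode punycode,
    fold full-width/compatibility forms (NFKC), map confusables, drop hyphens."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    label = unicodedata.normalize("NFKC", label).lower()
    for src in sorted(CONFUSABLES, key=len, reverse=True):  # longest first: 'rn' before '1'
        label = label.replace(src, CONFUSABLES[src])
    return label.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, swap adjacent."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(candidate: str) -> Tuple[Optional[str], str]:
    """Return (vendor domain matched or impersonated, reason)."""
    labels = candidate.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None, "no match"
    # Assumption: registrable domain = last two labels. Use a public-suffix
    # list in production so names under co.uk and similar are handled.
    brand, tld = labels[-2], labels[-1]
    subdomain_labels = labels[:-2]
    if f"{brand}.{tld}" in LEGIT_DOMAINS:
        return f"{brand}.{tld}", "allowlisted"
    for legit in sorted(LEGIT_DOMAINS):
        lbrand = legit.rsplit(".", 1)[0]
        if lbrand in subdomain_labels:          # deepl.com.dl-mirror.net
            return legit, "brand in subdomain"
        if brand == lbrand:                     # deepl.net
            return legit, "tld swap"
        sk, lsk = skeleton(brand), skeleton(lbrand)
        if sk == lsk:                           # deep1.com, Cyrillic-er deepl.com
            return legit, "homoglyph substitution"
        if len(lsk) >= 4 and edit_distance(sk, lsk) <= 1:   # depl.com
            return legit, "typo-squat"
        if len(lsk) >= 4 and lsk in sk:         # deepl-download.com
            return legit, "brand with affix"
    return None, "no match"


def triage(candidates: List[str]) -> List[Tuple[str, str, str]]:
    """Return (candidate, vendor, reason) for every candidate that impersonates a vendor."""
    out = []
    for c in candidates:
        vendor, reason = classify(c)
        if vendor and reason != "allowlisted":
            out.append((c, vendor, reason))
    return out


if __name__ == "__main__":
    # Constructed candidates, e.g. from passive DNS or a new-registration feed; not campaign indicators.
    SAMPLE = ["www.deepl.com", "deep1.com", "dee\u0440l.com", "depl.com", "deepl-download.com",
              "deepl.com.dl-mirror.net", "deepl.net", "7-z1p.org", "github.com"]
    for candidate, vendor, reason in triage(SAMPLE):
        print(f"{candidate:28} impersonates {vendor:24} ({reason})")
```

Feed it hostnames from DNS logs, proxy logs or a new-registration feed. The confusables table is deliberately small, so swap in the full Unicode confusables data for real use, and replace the two-label registrable-domain assumption with a public-suffix list; a hit is a reason to block or investigate the domain, not proof that it hosts malware.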
<p>These installers bundled legitimate software with hidden malware, which made infections harder to detect.<\/p>\n<p>\u201cThese spoofed sites were boosted using SEO techniques to rank highly in search results, ensuring infection as users trust top-ranking results,\u201d explained Mayuresh Dani, security research manager at Qualys Threat Research Unit.<\/p>\n<p>\u201cThe end result, as always, is installation of malware, in this case \u2013 Hiddengh0st and Winos malware variants by including legitimate applications to confuse security solutions.\u201d<\/p>\n<p>One of the key tools in the campaign was a script called \u201cnice.js,\u201d which managed a multi-step redirection chain that eventually led users to download the malicious installers.<\/p>\n<p>During analysis, the researchers focused on a fake DeepL installer that bundled malicious components such as \u201cEnumW.dll\u201d together with several archive fragments hidden inside the setup package.<\/p>\n<h2>Anti-Analysis Tactics and Data Theft<\/h2>\n<p>The malware also performed extensive checks to avoid analysis and detection. 
EnumW.dll, for example, checked that it had been launched by the Windows Installer process (msiexec.exe) and ran timing and hardware checks designed to detect sandbox environments.<\/p>\n<p>Once those checks passed, it reassembled the hidden archive fragments, wrote the resulting files to system directories and called the routines that launched the next stage of the infection.<\/p>\n<p>Once active, the malware established persistence in several ways, including:<\/p>\n<ul>\n<li>\n<p>Registry modifications with disguised entries<\/p>\n<\/li>\n<li>\n<p>Shortcuts created to reroute startup paths to the malware<\/p>\n<\/li>\n<li>\n<p>TypeLib hijacking through malicious XML files<\/p>\n<\/li>\n<\/ul>\n<p>The malware also adapted its behavior depending on whether it detected antivirus tools such as 360 Total Security.<\/p>\n<p>\u201cSEO poisoning takes advantage and further enables some of the most successful malicious user attack techniques in play \u2013 phishing and smishing,\u201d said Chad Cragle, CISO at Deepwatch.<\/p>\n<p>\u201cIt is effectively working to send end users to malware-laden sites where their systems can be compromised. This isn\u2019t new at all. SEO poisoning just lets the attackers perform these actions at scale much more easily.\u201d<\/p>\n<h2>Final Payload for Monitoring<\/h2>\n<p>The final payload included modules for continuous monitoring, system data collection and command-and-control (C2) communication. It supported tasks such as keystroke logging, clipboard monitoring, configuration updates and even cryptocurrency wallet hijacking.<\/p>\n<p>Additional plugins suggested a particular focus on intercepting Telegram activity and screen monitoring.<\/p>\n<p>FortiGuard Labs attributed the malware families used in the campaign to Hiddengh0st and Winos variants.<\/p>
<p>The researchers said the stolen information could be leveraged for further attacks, making the overall threat level high.<\/p>\n<p>Dani recommended that organizations implement multilingual security awareness training, deploy DNS filtering, enforce browser security mechanisms and establish verified software download policies to reduce exposure to SEO poisoning campaigns.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A search engine optimization (SEO) poisoning attack aimed at Chinese-speaking Microsoft Windows users has been identified by security researchers. The campaign, discovered by FortiGuard Labs, manipulated search results to display fraudulent websites that closely resembled legitimate software providers, luring victims into downloading malware. Malware Disguised as Trusted Applications Attackers registered lookalike domains and used subtle<\/p>\n","protected":false},"author":2,"featured_media":2828,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2827","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2827-43e1355f-baba-4af6-888f-1a9ea681e588.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2827-43e1355f-baba-4af6-888f-1a9ea681e588-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2827-43e1355f-baba-4af6-888f-1a9ea681e588.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2827-43e1355f-baba-4af6-888f-1a9ea681e588.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2827-43e1355f-baba-4af6-888f-1a9ea681e588.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2827-43e1355f-baba-4af6-888f-1a9ea681e588.jpg",300
,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2827-43e1355f-baba-4af6-888f-1a9ea681e588.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2827-43e1355f-baba-4af6-888f-1a9ea681e588.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2827-43e1355f-baba-4af6-888f-1a9ea681e588.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2827-43e1355f-baba-4af6-888f-1a9ea681e588.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/09\/2827-43e1355f-baba-4af6-888f-1a9ea681e588-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2827","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2827"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2827\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2828"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2827"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2827"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/t
ags?post=2827"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}