A search engine optimization (SEO) poisoning attack aimed at Chinese-speaking Microsoft Windows users has been identified by security researchers.
The campaign, discovered by FortiGuard Labs, manipulated search results to display fraudulent websites that closely resembled legitimate software providers, luring victims into downloading malware.
Malware Disguised as Trusted Applications
Attackers registered lookalike domains and used subtle character substitutions to mislead users. Once victims landed on spoofed websites, they were prompted to install compromised versions of popular applications. These installers contained both legitimate software and hidden malware, which made infections harder to detect.
“These spoofed sites were boosted using SEO techniques to rank highly in search results, ensuring infection as users trust top-ranking results,” explained Mayuresh Dani, security research manager at Qualys Threat Research Unit.
“The end result, as always, is installation of malware, in this case – Hiddengh0st and Winos malware variants by including legitimate applications to confuse security solutions.”
One of the key tools used in the campaign was a script called “nice.js.” This script managed a multi-step redirection chain, eventually leading users to download malicious installers.
During analysis, researchers focused on a fake DeepL installer, which included malicious components like “EnumW.dll” and multiple archive fragments disguised within the setup package.
Anti-Analysis Tactics and Data Theft
The malware also incorporated extensive checks to avoid detection. EnumW.dll, for example, validated whether it was launched by the Windows Installer process, and performed time-based and hardware integrity tests to evade sandbox environments.
After these checks, it reconstructed hidden files, deployed them across system directories and executed functions that triggered further infections.
Once active, the malware established persistence in several ways, including:
- Registry modifications with disguised entries
- Shortcut creation to reroute startup paths
- TypeLib hijacking through malicious XML files
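The three persistence channels listed above can each be audited from the defender's side. The script below is an added example written for this article; it is not code from FortiGuard's report, and the trusted-root list, the "interpreter plus arguments" heuristic and the choice of Run keys are assumptions of the example. It walks the TypeLib registration tree (`TypeLib\{GUID}\<version>\<LCID>\win32|win64`, checking the per-user hive first because `HKCU\Software\Classes` shadows the machine-wide entry for the same GUID), resolves every shortcut in both Startup folders, and lists the Run keys, flagging entries whose target is a script moniker, a non-binary file such as `.xml`, or a binary outside the Windows and Program Files directories.

```powershell
# Added example, not FortiGuard's code. Heuristics and roots below are assumptions.
# Run from an elevated PowerShell session; output is a review list, not a verdict.

$benignTypeLibExt = @('.tlb', '.dll', '.exe', '.ocx', '.olb')
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }
$interpreters = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe',
                  'wscript.exe', 'cscript.exe', 'rundll32.exe', 'regsvr32.exe')

function Test-InTrustedRoot {
    param([string]$Path)
    $lower = $Path.ToLowerInvariant()
    foreach ($root in $trustedRoots) { if ($lower.StartsWith($root)) { return $true } }
    return $false
}

# A normal TypeLib registration is a .tlb/.dll/.exe (optionally with a "\<n>" resource
# suffix) under a trusted root. A moniker, an .xml/.sct file, or a path in a
# user-writable directory is the shape a hijacked entry takes.
function Test-TypeLibTargetSuspicious {
    param([string]$Target)
    if ([string]::IsNullOrWhiteSpace($Target)) { return $false }
    $p = $Target.Trim().Trim('"')
    if ($p -match '^(script|javascript|vbscript):') { return $true }
    $p = $p -replace '\\\d+$', ''
    $ext = [System.IO.Path]::GetExtension($p).ToLowerInvariant()
    if ($benignTypeLibExt -notcontains $ext) { return $true }
    return -not (Test-InTrustedRoot $p)
}

# Startup shortcut or Run-key command: flag targets outside trusted roots, and
# trusted interpreters that are handed arguments (the usual living-off-the-land shape).
function Test-StartupCommandSuspicious {
    param([string]$Target, [string]$Arguments)
    if ([string]::IsNullOrWhiteSpace($Target)) { return $false }
    $p = $Target.Trim().Trim('"')
    $name = [System.IO.Path]::GetFileName($p).ToLowerInvariant()
    if ($interpreters -contains $name -and -not [string]::IsNullOrWhiteSpace($Arguments)) { return $true }
    return -not (Test-InTrustedRoot $p)
}

function Get-SuspiciousTypeLibs {
    $hives = @('Registry::HKEY_CURRENT_USER\Software\Classes\TypeLib',
               'Registry::HKEY_LOCAL_MACHINE\Software\Classes\TypeLib')
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        # Layout: TypeLib\{GUID}\<version>\<LCID>\win32|win64 -> (default) = path
        foreach ($guid in Get-ChildItem $hive -ErrorAction SilentlyContinue) {
            foreach ($ver in Get-ChildItem $guid.PSPath -ErrorAction SilentlyContinue) {
                foreach ($lcid in Get-ChildItem $ver.PSPath -ErrorAction SilentlyContinue) {
                    foreach ($arch in 'win32', 'win64') {
                        $key = "$($lcid.PSPath)\$arch"
                        if (-not (Test-Path $key)) { continue }
                        $target = (Get-Item $key).GetValue('')
                        if (Test-TypeLibTargetSuspicious $target) {
                            [pscustomobject]@{ Kind = 'TypeLib'; Location = $key; Target = $target }
                        }
                    }
                }
            }
        }
    }
}

function Get-SuspiciousStartupShortcuts {
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($lnk in Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue) {
            $sc = $shell.CreateShortcut($lnk.FullName)   # resolves the .lnk target and arguments
            if (Test-StartupCommandSuspicious $sc.TargetPath $sc.Arguments) {
                [pscustomobject]@{ Kind = 'StartupShortcut'; Location = $lnk.FullName
                                   Target = "$($sc.TargetPath) $($sc.Arguments)" }
            }
        }
    }
}

function Get-SuspiciousRunKeys {
    $keys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # Split the command line into executable and arguments (quoted or bare form).
            if ($cmd -match '^\s*"([^"]+)"\s*(.*)$' -or $cmd -match '^\s*(\S+)\s*(.*)$') {
                if (Test-StartupCommandSuspicious $Matches[1] $Matches[2]) {
                    [pscustomobject]@{ Kind = 'RunKey'; Location = "$key\$name"; Target = $cmd }
                }
            }
        }
    }
}

@(Get-SuspiciousTypeLibs) + @(Get-SuspiciousStartupShortcuts) + @(Get-SuspiciousRunKeys) | Format-Table -AutoSize
```

Legitimate software that installs type libraries or startup shortcuts under a user profile will appear in the output too, so treat each hit as a lead to verify (signer of the target file, install date, whether the same GUID also exists in HKLM) rather than as a confirmed infection; a per-user TypeLib entry that overrides a machine-wide one for a Windows-owned GUID is the case most worth escalating.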
The malware also adapted its behavior depending on whether it detected antivirus tools, such as 360 Total Security.
“SEO poisoning takes advantage and further enables some of the most successful malicious user attack techniques in play – phishing and smishing,” said Chad Cragle, CISO at Deepwatch.
“It is effectively working to send end users to malware-laden sites where their systems can be compromised. This isn’t new at all. SEO poisoning just lets the attackers perform these actions at scale much more easily.”
Final Payload for Monitoring
The final payload included modules for continuous monitoring, system data collection and command-and-control (C2) communication. It supported tasks such as keystroke logging, clipboard monitoring, configuration updates and even cryptocurrency wallet hijacking.
Additional plugins suggested a particular focus on intercepting Telegram activity and screen monitoring.
FortiGuard Labs identified the malware families used in the campaign as Hiddengh0st and Winos variants. The researchers said the stolen information could be leveraged for further attacks, making the overall threat level high.
Dani recommended that organizations implement multilingual security awareness training, deploy DNS filtering, enforce browser security mechanisms and establish verified software download policies to reduce exposure to SEO poisoning campaigns.