Persistence mechanism | Image: FortiGuard Labs
Researchers at FortiGuard Labs have uncovered a sophisticated SEO poisoning campaign aimed at Chinese-speaking users. By manipulating search engine rankings and creating lookalike domains, attackers successfully lured victims into downloading malware disguised as legitimate software.
The report explains, “The attackers manipulated search rankings with SEO plugins and registered lookalike domains that closely mimicked legitimate software sites. By using convincing language and small character substitutions, they tricked victims into visiting spoofed pages and downloading malware.”
The campaign began with fraudulent domains designed to imitate trusted providers. Victims searching for popular tools like DeepL were instead directed to malicious download pages.
“The attackers set up multiple fraudulent websites designed to imitate trusted software providers. These sites distributed several malware families, most notably Hiddengh0st and variants of Winos.”
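The "small character substitutions" the report describes are something a defender can hunt for in DNS or proxy telemetry. The script below is an added example, not code from FortiGuard Labs or from the report: it folds common homoglyphs (digits for letters, Cyrillic look-alikes, "rn" for "m") and then compares each queried domain against a watchlist of legitimate software sites by edit distance. The watchlist, the homoglyph table and the log lines are all constructed for illustration; only the DeepL brand comes from the article. It assumes query names in the log are already Unicode (punycode labels would need decoding first) and uses a naive "last two labels" split instead of the public suffix list.

```python
import unicodedata

# Assumption: a short watchlist of legitimate sites your users actually install from.
WATCHLIST = ["deepl.com", "notepad-plus-plus.org"]

# Hand-picked substitutions seen in lookalike domains (assumption; extend from your telemetry).
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    # Cyrillic letters that render like Latin ones
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}


def normalize(label: str) -> str:
    """Fold a domain label so homoglyph variants compare equal to the brand name."""
    s = unicodedata.normalize("NFKC", label).lower()      # fullwidth/compat forms -> plain
    s = "".join(HOMOGLYPHS.get(ch, ch) for ch in s)        # single-char look-alikes
    return s.replace("rn", "m").replace("vv", "w")         # two-char look-alikes


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, watchlist=WATCHLIST, max_distance: int = 1):
    """Return (verdict, matched_legit_domain) for one queried name."""
    parts = domain.lower().rstrip(".").split(".")
    registered = ".".join(parts[-2:])                      # naive registrable domain
    if registered in watchlist:
        return "legitimate", registered                    # exact brand, any subdomain
    core = normalize(parts[-2] if len(parts) >= 2 else parts[0])
    for legit in watchlist:
        legit_core = normalize(legit.split(".")[0])
        if core == legit_core:                             # same name after folding, or other TLD
            return "lookalike", legit
        if levenshtein(core, legit_core) <= max_distance:  # one typo away
            return "lookalike", legit
        if legit_core in core:                             # brand embedded, e.g. brand-download
            return "lookalike", legit
    return "unrelated", None


# Constructed DNS query log (not from the article): "timestamp client qname"
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.deepl.com
2024-01-01T10:00:09Z 10.0.0.5 deep1.com
2024-01-01T10:01:13Z 10.0.0.7 d\u0435\u0435pl.com
2024-01-01T10:02:40Z 10.0.0.7 deepl-download.net
2024-01-01T10:03:02Z 10.0.0.9 example.org
"""


def scan_log(text: str):
    """Return [(qname, impersonated_domain)] for every lookalike query in the log."""
    hits = []
    for line in text.splitlines():
        _ts, _client, qname = line.split()
        verdict, legit = classify(qname)
        if verdict == "lookalike":
            hits.append((qname, legit))
    return hits


if __name__ == "__main__":
    for qname, legit in scan_log(SAMPLE_DNS_LOG):
        print(f"lookalike: {qname} impersonates {legit}")
```

The "brand embedded" rule is deliberately last and is the noisiest of the three; with short brand names it will match unrelated words, so in production it is better paired with domain age or registrar data than used on its own.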
At the core of the delivery mechanism was a script named nice.js, which followed a multi-step process:
- Call a malicious download link returning JSON data.
- Retrieve a secondary link from the JSON.
- Redirect the victim to the final malicious installer.
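Seen from a web proxy, that three-step chain has a recognisable shape: a client fetches a script, immediately fetches a JSON resource, is redirected, and then pulls down an installer, all within seconds. The following is an added example, not code from the report or from FortiGuard Labs, that correlates proxy log lines per client and reports sequences matching that shape inside a time window. The log format, host names, content-type heuristics and window length are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not from the article). Format:
# timestamp client method url status content_type
SAMPLE_PROXY_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 GET https://deepl-spoof.example/nice.js 200 application/javascript
2024-01-01T10:00:01Z 10.0.0.5 GET https://deepl-spoof.example/api/latest 200 application/json
2024-01-01T10:00:02Z 10.0.0.5 GET https://cdn-spoof.example/go?id=7 302 text/html
2024-01-01T10:00:03Z 10.0.0.5 GET https://cdn-spoof.example/DeepL_Setup.msi 200 application/octet-stream
2024-01-01T10:00:05Z 10.0.0.8 GET https://www.deepl.com/app.js 200 application/javascript
2024-01-01T10:00:40Z 10.0.0.8 GET https://www.deepl.com/api/session 200 application/json
2024-01-01T10:09:00Z 10.0.0.8 GET https://www.deepl.com/ 200 text/html
"""

# Ordered stages of the chain described in the article, each as a predicate on one event.
# The content-type and extension checks are heuristics (assumption), not the report's rules.
STAGES = [
    ("script", lambda e: e["ctype"].startswith(("application/javascript", "text/javascript"))),
    ("json", lambda e: e["ctype"].startswith("application/json")),
    ("redirect", lambda e: 300 <= e["status"] < 400),
    ("installer", lambda e: e["ctype"] == "application/octet-stream"
        or e["url"].lower().endswith((".msi", ".exe", ".zip"))),
]
WINDOW_SECONDS = 60  # assumption: the whole chain completes within a minute


def parse_line(line: str) -> dict:
    """Split one log line into typed fields."""
    ts, client, method, url, status, ctype = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client, "method": method, "url": url,
        "status": int(status), "ctype": ctype,
    }


def find_chains(text: str, window: int = WINDOW_SECONDS):
    """Return one record per client sequence that walks all STAGES in order within `window`."""
    by_client = defaultdict(list)
    for line in text.splitlines():
        event = parse_line(line)
        by_client[event["client"]].append(event)

    chains = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        stage, start, trail = 0, None, []
        for event in events:
            # Too much time since the first matched stage: forget the partial match.
            if start is not None and (event["ts"] - start).total_seconds() > window:
                stage, start, trail = 0, None, []
            if STAGES[stage][1](event):
                if stage == 0:
                    start = event["ts"]
                trail.append(event["url"])
                stage += 1
                if stage == len(STAGES):          # every stage seen in order: report it
                    chains.append({"client": client, "urls": trail})
                    stage, start, trail = 0, None, []
    return chains


if __name__ == "__main__":
    for chain in find_chains(SAMPLE_PROXY_LOG):
        print(chain["client"], "->", " -> ".join(chain["urls"]))
```

Only the client with the spoofed download site matches; the second client fetches a script and JSON from a legitimate host but never reaches a redirect or an installer inside the window. The stage order is strict on purpose: a benign page that loads a script, then JSON, then an image will not advance past the redirect stage.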
The report highlights how convincing these spoofed packages appeared: “The installer package combines both the legitimate DeepL software and malicious components, including a DLL file (EnumW.dll), fragments of a ZIP archive (temp_data_1–55), and other unrelated files.”
Once executed, the malware used advanced evasion techniques to avoid detection.
The malicious DLL, EnumW.dll, included checks against sandbox environments. As FortiGuard observed, “If the parent process is not msiexec.exe—the expected Windows Installer process—EnumW.dll assumes it is being run in an analysis environment and immediately exits.”
Other checks included:
- Sleep integrity validation to detect time-skipping sandboxes.
- ACPI table inspection to spot virtualized environments.
Once these checks passed, the malware reconstructed emoji.dat, unpacking further payloads including vstdlib.dll, which set up persistence mechanisms and encrypted communication with command-and-control servers.
The malware’s functionality extended far beyond simple installation. Once persistent, it could:
- Exfiltrate sensitive data through structured C2 communications.
- Capture keystrokes and clipboard data via an input logger.
- Hijack cryptocurrency wallets, with targets including Tether and Ethereum.
- Load plugins such as “DifferentScreen.bin” and “HighSpeedScreen.bin”, typically linked to the Winos malware family.
The report adds, “This analysis confirms that the campaign was an SEO poisoning attack targeting Chinese-speaking users. The threat actor exploited SEO plugins to artificially inflate the search rankings of spoofed domains.”