Chinese Malware Attacks

Chinese-speaking users are the target of a search engine optimization (SEO) poisoning campaign that uses fake software sites to distribute malware.

“The attackers manipulated search rankings with SEO plugins and registered lookalike domains that closely mimicked legitimate software sites,” Fortinet FortiGuard Labs researcher Pei Han Liao said. “By using convincing language and small character substitutions, they tricked victims into visiting spoofed pages and downloading malware.”

The activity, which was discovered by the cybersecurity company in August 2025, leads to the deployment of malware families like HiddenGh0st and Winos (aka ValleyRAT), both of which are variants of a remote access trojan called Gh0st RAT.

It’s worth noting that the use of Winos has been attributed to a cybercrime group known as Silver Fox, which is also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne. It’s believed to have been active since at least 2022.

In the latest attack chain documented by Fortinet, users searching for tools like DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp, and WPS Office on Google are redirected to bogus sites to trigger the delivery of the malware using trojanized installers.
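
The lookalike domains the researchers describe are built from small character substitutions and extra tokens around a real brand name. The following is an added example, not code or data from Fortinet, showing how a practitioner would screen candidate domains (from DNS logs, proxy logs, or newly registered domain feeds) against an allowlist. The allowlist of legitimate sites for the six brands named above is an assumption, and every candidate domain below is constructed for illustration.

```python
"""Lookalike-domain check (added example; not Fortinet's code or data)."""
from __future__ import annotations

# Assumed allowlist: the legitimate sites for the brands the campaign spoofed.
ALLOWLIST = [
    "deepl.com", "google.com", "signal.org",
    "telegram.org", "whatsapp.com", "wps.com",
]

# Character swaps that look alike in a URL bar or search snippet. Multi-character
# swaps run first so "rn" becomes "m" before "1" becomes "l".
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                ("3", "e"), ("5", "s"), ("7", "t")]

# Second-level labels that belong to the public suffix (simplified list).
_SECOND_LEVEL = {"com", "co", "net", "org", "gov", "edu"}


def normalize(label: str) -> str:
    """Fold confusable characters into their canonical letter."""
    s = label.lower()
    for bad, good in _CONFUSABLES:
        s = s.replace(bad, good)
    return s


def registrable_label(domain: str) -> str:
    """Return the label the registrant chose, e.g. 'deepl' for 'www.deepl.com.cn'."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in _SECOND_LEVEL:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 catches one swapped, dropped or added character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, allowlist: list[str] = ALLOWLIST) -> tuple[str, str | None]:
    """Return ('legitimate', d), ('lookalike', d) or ('unrelated', None)."""
    cand = candidate.lower().strip(".")
    for d in allowlist:
        if cand == d or cand.endswith("." + d):
            return "legitimate", d
    chosen = normalize(registrable_label(cand))
    for d in allowlist:
        legit = normalize(registrable_label(d))
        for token in chosen.split("-"):
            if token == legit:                                      # deep1.com, wps-office-download.com
                return "lookalike", d
            if len(legit) >= 4 and levenshtein(token, legit) <= 1:  # googie.com
                return "lookalike", d
            if len(legit) >= 5 and legit in token:                  # telegramdesktop.net
                return "lookalike", d
    return "unrelated", None


if __name__ == "__main__":
    for sample in ("deep1.com", "te1egram.org", "wps-office-download.com",
                   "web.whatsapp.com", "example.com"):
        print(sample, "->", classify(sample))
```

The hyphen-token rule is what catches the "brand plus a descriptive word" pattern; the edit-distance rule is deliberately skipped for very short brand labels such as "wps", where a distance of 1 would match far too many unrelated names.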

“A script named nice.js controls the malware delivery process on these sites,” Fortinet explained. “The script follows a multi-step chain: it first calls a download link that returns JSON data, which includes a secondary link. That secondary link then points to another JSON response containing a link that redirects to the final URL of the malicious installer.”
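
When analysing a chain like the one nice.js follows, the useful output is every intermediate URL, not just the final installer, because each hop is an indicator that can be blocked. The resolver below is an added example, not Fortinet's code and not a reimplementation of nice.js: it replays captured responses offline through an injected fetcher, so it never touches the live site. The JSON key names it looks for (`url`, `link`, `href`, `download`) are assumptions, since the report does not give the real ones, and the sample site it replays is constructed under the reserved `.test` domain.

```python
"""Replay and resolve a nice.js-style download chain offline (added example)."""
from __future__ import annotations

import json
from typing import Callable

# A response is (status, headers, body). The fetcher is injected so the chain
# can be replayed from captured traffic instead of contacting the live site.
Response = tuple[int, dict[str, str], str]
Fetcher = Callable[[str], Response]

# Assumed JSON keys; the key names nice.js actually uses are not in the report.
_LINK_KEYS = ("url", "link", "href", "download")


def extract_link(body: str) -> str | None:
    """Pull the next-hop URL out of a JSON body, looking one level of nesting deep."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict):
        return None
    candidates = [data] + [v for v in data.values() if isinstance(v, dict)]
    for obj in candidates:
        for key in _LINK_KEYS:
            value = obj.get(key)
            if isinstance(value, str) and value.startswith(("http://", "https://")):
                return value
    return None


def resolve_chain(start: str, fetch: Fetcher, max_hops: int = 8) -> list[str]:
    """Follow JSON links and HTTP redirects from `start`; return every hop in order.

    Stops on a loop, a missing link, a non-JSON or non-redirect response, or the
    hop cap, so a hostile server cannot keep the resolver spinning.
    """
    hops = [start]
    while len(hops) <= max_hops:
        status, headers, body = fetch(hops[-1])
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if 300 <= status < 400 and location:
            nxt = location
        elif status == 200:
            nxt = extract_link(body)
        else:
            nxt = None
        if nxt is None or nxt in hops:
            break
        hops.append(nxt)
    return hops


# Constructed replay of a spoofed site (invented URLs; .test is a reserved TLD).
SAMPLE_SITE: dict[str, Response] = {
    "https://chrome-dl.example.test/api/download?id=chrome": (
        200, {"Content-Type": "application/json"},
        '{"code": 0, "data": {"url": "https://chrome-dl.example.test/meta/chrome.json"}}'),
    "https://chrome-dl.example.test/meta/chrome.json": (
        200, {"Content-Type": "application/json"},
        '{"link": "https://cdn.example.test/get/chrome"}'),
    "https://cdn.example.test/get/chrome": (
        302, {"Location": "https://files.example.test/ChromeSetup_x64.exe"}, ""),
    "https://files.example.test/ChromeSetup_x64.exe": (
        200, {"Content-Type": "application/octet-stream"}, "MZ..."),
}


def replay_fetch(url: str) -> Response:
    """Fetcher backed by the constructed capture; unknown URLs return 404."""
    return SAMPLE_SITE.get(url, (404, {}, ""))


if __name__ == "__main__":
    start = "https://chrome-dl.example.test/api/download?id=chrome"
    for i, hop in enumerate(resolve_chain(start, replay_fetch)):
        print(f"hop {i}: {hop}")
```

To run it against a real capture, build the dictionary from the request/response pairs in a HAR file or a proxy log and pass the same `replay_fetch`; the loop guard and hop cap matter because a server that notices automated clients can answer with a self-referencing link.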


Present within the installer is a malicious DLL (“EnumW.dll”) that carries out several anti-analysis checks to sidestep detection, including extracting another DLL (“vstdlib.dll”) to overwhelm analysis tools by inflating memory usage and slowing their performance.

The second DLL is also engineered to unpack and launch the main payload, but not before checking for the presence of 360 Total Security antivirus software on the compromised host. If it is present, the malware uses a technique called TypeLib COM hijacking to set up persistence and ultimately launch a Windows executable (“insalivation.exe”).
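
TypeLib COM hijacking relies on the fact that, for non-elevated processes, HKCU\Software\Classes is merged into HKEY_CLASSES_ROOT ahead of HKLM\Software\Classes, so a per-user TypeLib registration can shadow the machine-wide one and point the loader at an attacker-controlled file (in the commonly reported variant, a `script:` moniker naming a .sct scriptlet). That mechanism is general knowledge about the technique; the report excerpt above does not say which TypeLib or path this malware registers. The audit below is an added example, not Fortinet's code: it takes (key, default value) pairs such as those produced by `reg export HKCU\Software\Classes\TypeLib` and flags per-user entries that shadow a machine entry, use a scriptlet moniker, or point into a user-writable directory. All GUIDs and paths in the sample are invented.

```python
"""Audit per-user TypeLib registrations for COM hijacking (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Matches HKCU/HKLM\Software\Classes\TypeLib\{GUID}\<version>\<lcid>\win32|win64.
_TYPELIB_KEY = re.compile(
    r"^(?P<hive>HKCU|HKLM)\\Software\\Classes\\TypeLib\\"
    r"(?P<guid>\{[0-9A-Fa-f-]{36}\})\\(?P<ver>[0-9A-Fa-f.]+)\\"
    r"(?P<lcid>[0-9A-Fa-f]+)\\(?P<arch>win32|win64)$",
    re.IGNORECASE,
)

# Directories a standard user can write to. Legitimate per-user installs also
# register TypeLibs here, so on its own this is only a low-confidence signal.
_USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                  "\\programdata\\", "\\downloads\\")


@dataclass
class Finding:
    key: str
    data: str
    severity: str
    reasons: list[str] = field(default_factory=list)


def audit_typelib(entries: list[tuple[str, str]]) -> list[Finding]:
    """entries: (registry key, default value) pairs, e.g. parsed from a reg export."""
    parsed = []
    machine: dict[tuple[str, str, str, str], str] = {}
    for key, data in entries:
        m = _TYPELIB_KEY.match(key)
        if not m:
            continue
        ident = (m["guid"].upper(), m["ver"].lower(), m["lcid"].lower(), m["arch"].lower())
        parsed.append((m["hive"].upper(), ident, key, data))
        if m["hive"].upper() == "HKLM":
            machine[ident] = data

    findings = []
    for hive, ident, key, data in parsed:
        if hive != "HKCU":
            continue
        reasons, severity = [], "low"
        lowered = data.lower()
        if lowered.startswith("script:"):
            reasons.append("scriptlet moniker: the .sct runs script when the TypeLib is loaded")
            severity = "high"
        if ident in machine:
            reasons.append(f"shadows machine-wide entry {machine[ident]}")
            severity = "high"
        if any(p in lowered for p in _USER_WRITABLE):
            reasons.append("target is in a user-writable directory")
        if reasons:
            findings.append(Finding(key, data, severity, reasons))
    return findings


# Constructed sample: GUIDs and paths are invented, not taken from the report.
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Classes\TypeLib\{0E1B3C5A-7D2F-4A6B-9C8D-1E2F3A4B5C6D}\1.0\0\win32",
     r"C:\Windows\System32\example.tlb"),
    (r"HKCU\Software\Classes\TypeLib\{0E1B3C5A-7D2F-4A6B-9C8D-1E2F3A4B5C6D}\1.0\0\win32",
     r"script:C:\Users\victim\AppData\Roaming\update\tl.sct"),
    (r"HKCU\Software\Classes\TypeLib\{7A1D9E30-5B4C-4F2E-8A6D-2C3B4A5D6E7F}\1.0\0\win32",
     r"C:\Users\victim\AppData\Local\Programs\SomeApp\app.tlb"),
    (r"HKCU\Software\Classes\CLSID\{7A1D9E30-5B4C-4F2E-8A6D-2C3B4A5D6E7F}\InprocServer32",
     r"C:\Users\victim\AppData\Local\Programs\SomeApp\app.dll"),
]

if __name__ == "__main__":
    for f in audit_typelib(SAMPLE_ENTRIES):
        print(f.severity.upper(), f.key)
        for r in f.reasons:
            print("   -", r)
```

The shadowing rule is the one that separates a hijack from an ordinary per-user install: a legitimate per-user application registers its own TypeLib GUID, whereas a hijack re-registers a GUID that already exists under HKLM so that an existing, trusted process loads the payload. Feed the function both hives, not HKCU alone, or that rule cannot fire.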

In the event the antivirus software is not installed on the host, persistence is achieved by creating a Windows shortcut that points to the same executable. The end goal of the infection is to sideload a DLL (“AIDE.dll”) that initiates three core functions –

  • Command-and-Control (C2), to establish communication with a remote server and exchange data in an encrypted format
  • Heartbeat, to collect system and victim data and enumerate running processes against a hard-coded list of security products
  • Monitor, to evaluate the victim’s environment to confirm persistence, track user activity, and beacon to the C2 server

The C2 module also supports commands to download additional plugins, log keystrokes and clipboard data, and even hijack cryptocurrency wallets associated…



Last Update: September 15, 2025