HiddenGh0st, Winos Exploit SEO for Chinese Malware Attacks

SEO Poisoning Campaign

Chinese users are the targets of a new SEO poisoning campaign. Fake sites that mimic software download pages are pushed to the top of search results, so users who trust the ranking end up installing malware.

The attackers register domain names that differ from the real ones only by subtle character changes, so the sites look legitimate at a glance and victims download trojanized installers.

The campaign deploys HiddenGh0st and Winos, both variants of Gh0st RAT; Winos has been linked to the Silver Fox group. The activity started in August 2025.

Fake Software Lures

Searches for tools such as Chrome, translation software and messaging apps lead to spoofed download pages; visiting one starts the download.

A script on the page controls delivery: it fetches JSON data containing the download links and redirects the visitor to the installer, which hides the malicious delivery chain.

The installers carry malicious DLLs built for detection evasion; one technique overloads analysis tools, which slows security scans.

Persistence Methods

The malware establishes persistence through registry changes or shortcuts and checks for installed antivirus software, securing long-term access to the host.

The payload then establishes C2 communication, collects system data and monitors user activity, laying the groundwork for data theft.

Plugins steal cryptocurrency wallet details, log keystrokes and capture clipboard contents; Ethereum wallets are among the targets, and victims suffer direct financial losses.

kkRAT Campaign

A second campaign hosts its lures on GitHub Pages, mimicking apps such as DingTalk, and delivers kkRAT among other payloads. The GitHub account behind it has since been removed.

The kkRAT installers check for sandboxes, temporarily disable network adapters and kill antivirus processes to get past protections.

kkRAT abuses vulnerable drivers to terminate specific security tools and creates scheduled tasks that kill those tools again at every login. It then profiles the machine and downloads plugins that capture the screen, simulate input and turn the host into a proxy for routing traffic stealthily.
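The persistence mechanisms described for both families (Run-key changes and startup shortcuts in the Persistence Methods section, logon-triggered scheduled tasks that kill security tools here) leave artefacts a defender can audit. The Python below is an added example written for this article, not the malware's code or any vendor's tool: it scores a list of autorun entries against three signals (execution from a user-writable directory, use of a script or DLL host binary, and a command that terminates processes or services) and marks scheduled tasks that combine such a signal with a logon trigger. The entry list, the paths, the task name and the `securitytool.exe` process name are constructed placeholders; on a real host the entries would come from the Run keys, the Startup folders and the Task Scheduler.

```python
"""Audit autorun entries for the persistence patterns the article describes.

Added example for this article, not the malware's or any vendor's code.
All entries, paths and names below are constructed placeholders.
"""
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to; a payload dropped by a
# trojanized installer typically lives here rather than under Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)
# Binaries commonly used to run a DLL or script that is not itself an EXE.
SCRIPT_HOSTS = re.compile(
    r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell)(\.exe)?\b", re.I)
# Commands that stop processes or services (the "kill security tools" behaviour).
KILL_CMDS = re.compile(r"\b(taskkill|Stop-Process|sc(\.exe)?\s+stop)\b", re.I)


@dataclass
class AutorunEntry:
    source: str            # "run_key", "startup_shortcut" or "scheduled_task"
    name: str              # value name, shortcut file name or task name
    command: str           # command line or shortcut target
    trigger: str = ""      # scheduled tasks only: "logon", "boot", "daily", ...


def assess(entry: AutorunEntry) -> list[str]:
    """Return the suspicious traits found in one entry (empty list if none)."""
    reasons = []
    if USER_WRITABLE.search(entry.command):
        reasons.append("runs from user-writable directory")
    if SCRIPT_HOSTS.search(entry.command):
        reasons.append("uses a script/DLL host binary")
    if KILL_CMDS.search(entry.command):
        reasons.append("terminates processes or services")
    # A logon trigger on its own is normal; combined with another trait it
    # matches the "kill security tools again at every login" pattern.
    if entry.source == "scheduled_task" and entry.trigger.lower() == "logon" and reasons:
        reasons.append("re-runs at every logon")
    return reasons


def audit(entries):
    """Map entry name -> reasons, for every entry with at least one finding."""
    findings = {}
    for entry in entries:
        reasons = assess(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


# Constructed sample entries (not artefacts from the article).
SAMPLE_ENTRIES = [
    AutorunEntry("run_key", "SecurityHealth",
                 r"C:\Windows\System32\SecurityHealthSystray.exe"),
    AutorunEntry("run_key", "Updater",
                 r"rundll32.exe C:\Users\alice\AppData\Roaming\Update\upd.dll,Start"),
    AutorunEntry("startup_shortcut", "Chrome.lnk",
                 r"C:\Users\alice\AppData\Local\Temp\chrome_setup.exe"),
    AutorunEntry("scheduled_task", "SysCheck",
                 r"cmd.exe /c taskkill /f /im securitytool.exe", trigger="logon"),
]


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_ENTRIES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The three regexes are deliberately coarse: the point is to surface entries for a human to inspect, so a legitimate vendor tool that lives under AppData will show up once and can then be allow-listed by name.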

The RAT also replaces cryptocurrency addresses, installs remote-access tools and clears browser data to evade further detection.

Preventing These Attacks

To defend against SEO-driven malware, verify a domain before downloading from it, run antivirus with real-time scanning, and use threat monitoring to catch anomalies. User training helps people recognize fake download sites; caution at the point of download is what protects their data.
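The subtle character changes described in the SEO Poisoning Campaign section are something a download allow-list can check for mechanically, which is the "verify domains" advice above made concrete. The following Python script is an added example written for this article, not code from the campaign or from any vendor: it folds a candidate domain into a canonical form (punycode decoding, Unicode compatibility normalization and a small confusables table) and compares it against an allow-list of legitimate download domains. The allow-list, the confusables table, the similarity threshold and the sample domains are all constructed assumptions; a production check would use a full confusables table such as Unicode TR39 and the organisation's own list of approved download sources.

```python
"""Flag download domains that look like a legitimate vendor domain.

Added example for this article, not the campaign's or any vendor's code.
The allow-list, confusables table, threshold and sample inputs are constructed.
"""
import unicodedata
from difflib import SequenceMatcher

# Constructed allow-list of domains that users are expected to download from.
LEGIT_DOMAINS = ["google.com", "telegram.org", "dingtalk.com"]

# Small constructed confusables table: look-alike glyph sequence -> ASCII letter.
# A real deployment would use a full table such as Unicode TR39.
CONFUSABLES = {
    "vv": "w", "rn": "m", "cl": "d",      # multi-character sequences
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
}


def registrable(domain: str) -> str:
    """Reduce 'www.sub.example.com' to 'example.com' (two-label approximation).

    Punycode labels (xn--...) are decoded so that Unicode lookalikes reach the
    normalization step; if decoding fails the raw string is kept.
    """
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain: str) -> str:
    """Fold a domain into a canonical ASCII form so lookalikes collide."""
    # Compatibility decomposition turns fullwidth/accented letters into base
    # ASCII letters plus combining marks; anything still non-ASCII is dropped.
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(ch for ch in folded if ord(ch) < 128)
    # Apply multi-character confusables before single characters.
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        folded = folded.replace(src, dst)
    # Hyphens and dots are removed so inserted or removed separators do not help.
    return folded.replace("-", "").replace(".", "")


def similarity(candidate: str, known: str) -> float:
    """1.0 when the known brand label is embedded in the candidate (e.g. a
    'brand-download.com' style lure), otherwise a character-level ratio."""
    cand_n, known_n = normalize(candidate), normalize(known)
    brand = normalize(known.split(".")[0])
    if len(brand) >= 5 and brand in cand_n:
        return 1.0
    return SequenceMatcher(None, cand_n, known_n).ratio()


def check_domain(domain: str, legit=LEGIT_DOMAINS, threshold: float = 0.85):
    """Return (verdict, matched_legit_domain) for a candidate download domain.

    verdict is "trusted" (exact allow-list match), "lookalike" (close to an
    allow-listed domain after normalization) or "unknown" (no resemblance).
    """
    reg = registrable(domain)
    if reg in legit:
        return "trusted", reg
    best, best_score = None, 0.0
    for known in legit:
        score = similarity(reg, known)
        if score > best_score:
            best, best_score = known, score
    if best_score >= threshold:
        return "lookalike", best
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample domains; none of these are indicators from the article.
    for sample in ["www.google.com", "g00gle.com", "telegrarn.org",
                   "dingta1k-download.com", "example.net"]:
        print(sample, "->", check_domain(sample))
```

"Unknown" is a deliberate third verdict: a domain that resembles nothing on the allow-list is not automatically safe, it simply needs the normal review that any new download source should get, while "lookalike" deserves a block and an alert.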
