The Silent Threat: How SEO Poisoning Spreads Malware
Chinese-language users became the target of a new SEO poisoning campaign that spread malware through counterfeit download sites for popular applications. Fortinet’s FortiGuard Labs reports that threat actors elevated malicious pages in Google results by abusing SEO plugins and registering domains nearly indistinguishable from the bona fide services. By making only minimal character substitutions and furnishing plausible descriptions, they tricked victims into downloading compromised installers instead of legitimate software.
Through this vector, altered variants of the Gh0st RAT family — notably HiddenGh0st and Winos (aka ValleyRAT) — were deployed. Winos is attributed to the Silver Fox cluster (also tracked as SwimSnake, Valley Thief, UTG-Q-1000, Void Arachne), active since at least 2022.
The campaign began when users searched for products such as DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp and WPS Office. Rather than reaching official pages, they encountered meticulously constructed replicas that initiated downloads via trojanized installers. The installer orchestration relied on a script that resolved a multi-stage chain: an initial JSON pointed to another JSON, which in turn referenced the final download URL. Embedded inside the installer was a DLL module that performed anti-analysis checks and unpacked a second library whose purpose was to overload analysis tools, forcing them to consume resources and slow down.
That same library unpacked and executed the primary payload. Before doing so, it probed for the presence of the 360 Total Security antivirus. If the AV was present, the malware abused TypeLib COM interception to establish persistence and launch insalivation.exe. If no AV was detected, persistence was achieved via a Windows shortcut pointing to the same executable.
The final stage loaded AIDE.dll, which activated three core components: a C2 module that handled encrypted communications with remote servers and fetched additional plugins; a Heartbeat component that collected system telemetry, including running processes and checks for security software; and a Monitor that observed user activity, verified persistence, and periodically beaconed the controller.
Operator capabilities included installing plugins, capturing keystrokes and clipboard contents, and exfiltrating cryptocurrency wallets associated with Ethereum and Tether. Several plugins enabled screenshot capture and had previously been observed within the Winos toolset.
Researchers emphasize that the installers bundled both legitimate applications and malicious payloads, so victims rarely noticed the compromise. The fact that these forgeries attained top ranks in search results makes verifying domain names and download sources an indispensable security practice.
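The report's closing recommendation, verifying the domain a download comes from, can be partly automated. The following is an added illustration, not code from FortiGuard Labs: a checker that folds common character substitutions and flags hosts whose registrable domain is a near-miss of a brand from the campaign. The legitimate-domain list and the confusable map are assumptions, and the sample hosts are constructed rather than indicators from the campaign.

```python
import unicodedata

# Assumed canonical domains for the products the campaign impersonated;
# the original report names the products only, not these hosts.
LEGIT_DOMAINS = {"deepl.com", "google.com", "signal.org",
                 "telegram.org", "whatsapp.com", "wps.com"}

# Illustrative look-alike substitutions that are folded before comparison.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lower-case, strip accents/decorations, and fold confusable characters."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: substitutions, indels, adjacent swaps."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(host: str) -> str:
    """'legitimate', 'lookalike' or 'unrelated' for the host's registrable domain."""
    registrable = ".".join(host.lower().rstrip(".").split(".")[-2:])
    if registrable in LEGIT_DOMAINS:
        return "legitimate"
    norm = normalize(registrable)
    label = norm.split(".")[0]
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if norm == legit or edit_distance(norm, legit) <= 1 or brand in label:
            return "lookalike"
    return "unrelated"


# Constructed sample hosts, not indicators from the campaign.
SAMPLES = ["www.deepl.com", "te1egram.org", "whatsapp.co",
           "signal-download.net", "gogole.com", "example.com"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(f"{host:22} {classify(host)}")
```

Short brand labels produce false positives at distance 1, so a production version should pair this with a known-good allowlist rather than block on the heuristic alone.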