Black Cat Behind SEO Poisoning Malware Campaign Targeting Popular Software Searches
Summary:
The National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) and Beijing Weibu Online (aka ThreatBook) highlighted an active search engine optimization (SEO) poisoning campaign in which actors use fraudulent websites advertising popular software to distribute malware. By manipulating search engine results, particularly on Microsoft Bing, the actors push fake download pages to the top of results for commonly searched programs such as Google Chrome, Notepad++, QQ International, and iTools. These sites closely mimic legitimate software sources and entice users into downloading installers that silently deploy a backdoor trojan capable of stealing sensitive information from the victim's system, including browser data, keystrokes, and clipboard content.
Security Officer Comments:
The campaign has been attributed to Black Cat, a cybercrime group that has been active since at least 2022. Black Cat has a track record of data theft and remote access operations, including a 2023 campaign that stole $160,000 worth of cryptocurrency by impersonating AICoin, a popular virtual currency trading platform.
According to the CNCERT/CC and ThreatBook, between December 7 and 20, Black Cat compromised 277,800 hosts across China, with daily infections peaking at over 62,000 systems, highlighting the scale and effectiveness of this campaign.
One of the notable tactics employed by Black Cat in the latest campaign is the use of a GitHub-lookalike domain. Whenever users click on the download button on fake software sites, they are redirected to a page ("github.zh-cns[.]top") that closely resembles GitHub. By abusing GitHub’s reputation as a trusted developer platform, the attackers significantly lower user suspicion and increase the likelihood that victims will proceed with the download without verification. From this page, users retrieve a ZIP archive containing an installer that creates a desktop shortcut, which is later used to side-load a malicious DLL and deploy the backdoor.
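The lookalike-domain tactic described above is easy to spot by eye once you know to look, and just as easy to catch mechanically in proxy or DNS logs. The following is an added example, not code from CNCERT/CC, ThreatBook, or the article: it flags any host that carries a trusted brand name as a label but whose registrable domain is not one the brand actually owns. The brand allow-list, the tiny public-suffix table, and the log lines are constructed for the example; the only indicator taken from the page is the domain github.zh-cns[.]top.

```python
from urllib.parse import urlsplit

# Registrable domains the brand actually controls. Constructed allow-list for
# this example; a real deployment maintains one per brand of interest.
TRUSTED_APEX = {
    "github": {"github.com", "github.io", "githubusercontent.com"},
}

# Tiny stand-in for the Public Suffix List, enough for the sample data below.
# Production code should use the full list (for example the publicsuffix2 package).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.cn", "net.cn", "org.cn", "com.au"}


def refang(url: str) -> str:
    """Turn a defanged indicator such as hxxps://github.zh-cns[.]top into a parseable URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Return the registrable (apex) domain of a host using the small suffix table above."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_brand(url: str):
    """Return the impersonated brand name, or None if the host is genuine or unrelated."""
    host = urlsplit(refang(url)).hostname or ""
    apex = registrable_domain(host)
    # Strip hyphens so labels like 'git-hub' or 'github-releases' are matched as well.
    flat = host.replace("-", "")
    for brand, apexes in TRUSTED_APEX.items():
        if brand in flat and apex not in apexes:
            return brand
    return None


# Constructed proxy-log lines in the form "<timestamp> <client> <url>". Not real telemetry.
SAMPLE_LOG = """\
2025-12-10T09:14:02Z 10.0.4.17 https://github.com/notepad-plus-plus/notepad-plus-plus/releases
2025-12-10T09:14:40Z 10.0.4.17 https://objects.githubusercontent.com/some/release/asset.exe
2025-12-10T09:15:11Z 10.0.4.23 hxxps://github.zh-cns[.]top/download/Notepad++.zip
2025-12-10T09:16:05Z 10.0.4.31 https://github-releases.example.com/chrome-setup.zip
2025-12-10T09:16:40Z 10.0.4.31 https://www.bing.com/search?q=notepad%2B%2B+download
"""


def scan_proxy_log(text: str):
    """Return (client, url, brand) for every line whose host impersonates a trusted brand."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _, client, url = parts
        brand = lookalike_brand(url)
        if brand:
            hits.append((client, url, brand))
    return hits


if __name__ == "__main__":
    for client, url, brand in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} fetched {url}: host impersonates {brand}")
```

Run against the constructed log, the two GitHub-branded hosts on foreign apex domains are flagged while github.com and githubusercontent.com pass. The check deliberately keys on the brand string rather than on a blocklist, so it also catches the next throwaway domain the group registers; it will not catch typosquats such as a misspelled brand, which need an edit-distance check on top.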
Suggested Corrections:
- Purchase and download genuine software from the vendor's official website; if no official site exists, download from a trusted source. A top search result or sponsored listing is not evidence of legitimacy. After downloading, scan the file with antivirus software and verify its hash against the value the vendor publishes.
- Avoid opening web links from unknown sources and do not install software from unknown sources.
- Install endpoint protection software and run full system antivirus scans regularly.
- When a host is found to be infected with a Trojan, immediately determine whether it is still under attacker control and how it was compromised, then clean the victim host.
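The hash check in the first item is the step most users skip, so here is what it looks like when done properly. This is an added example, not code from the advisory or from CNCERT/CC or ThreatBook: it parses a sha256sum-style checksum file and compares a downloaded installer's digest against it in constant time. The file name, file bytes, and checksum text are constructed inside the example (the digests it prints are of those constructed bytes, not real indicators); in practice the checksum must come from the vendor's official site over HTTPS, never from the download page itself, since an attacker who controls the page controls any hash shown on it. Windows installers should additionally have their Authenticode signature checked (Get-AuthenticodeSignature in PowerShell), because a valid publisher signature ties the binary to the publisher rather than to a value on a web page.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksums(text: str) -> dict:
    """Parse sha256sum-style lines: '<hex>  <name>' (text mode) or '<hex> *<name>' (binary mode).
    Returns {file name: lowercase hex digest}; malformed lines and comments are skipped."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        name = name.lstrip("*")
        if len(digest) == 64 and all(c in "0123456789abcdefABCDEF" for c in digest):
            sums[name] = digest.lower()
    return sums


def verify_download(path: str, checksums_text: str) -> bool:
    """True only if the file's SHA-256 matches the published entry for its name."""
    expected = parse_checksums(checksums_text).get(os.path.basename(path))
    if expected is None:
        return False  # no published hash for this name: treat as unverified, not as OK
    # compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(sha256_of_file(path), expected)


# Constructed stand-in for a downloaded installer; not a real binary.
SAMPLE_BYTES = b"MZ" + bytes(range(256)) * 64

# Constructed stand-in for the vendor's published checksum file. The digest is
# computed here from SAMPLE_BYTES so the example is self-contained.
GOOD_SUMS = (
    "# SHA-256 checksums published by the vendor (constructed for this example)\n"
    f"{hashlib.sha256(SAMPLE_BYTES).hexdigest()}  example-installer.exe\n"
    f"{hashlib.sha256(b'unrelated').hexdigest()} *example-portable.zip\n"
)


def demo():
    """Verify a genuine copy, a tampered copy, and a file with no published hash."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-installer.exe")
        with open(path, "wb") as f:
            f.write(SAMPLE_BYTES)
        genuine = verify_download(path, GOOD_SUMS)
        with open(path, "ab") as f:
            f.write(b"\x90")  # simulate an installer that was modified after publication
        tampered = verify_download(path, GOOD_SUMS)
        unlisted = verify_download(os.path.join(d, "other.exe"), GOOD_SUMS)
    return genuine, tampered, unlisted


if __name__ == "__main__":
    genuine, tampered, unlisted = demo()
    print(f"genuine copy verified: {genuine}")
    print(f"tampered copy verified: {tampered}")
    print(f"unlisted file verified: {unlisted}")
```

Two design points matter here. A name that is absent from the checksum file is reported as a failure rather than silently passing, since a repackaged installer will often carry a name the vendor never published. And the lookup is by base name, so a file downloaded under a different name than the vendor used fails even if its bytes are intact, which is the conservative outcome for a user who should then re-download from the official source.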
https://thehackernews.com/2026/01/black-cat-behind-seo-poisoning-malware.html