Rise of SEO Poisoning – Malicious Websites Target Windows Users With Weaponized Software Downloads
The campaign leveraged manipulated search engine rankings, fraudulent domains, and spoofed software sites to deliver powerful malware families, including Hiddengh0st and modified variants of Winos.
Attackers carefully crafted lookalike domains and used minor character substitutions, accompanied by convincing language, to make the fake portals appear indistinguishable from legitimate software vendors.
The attack infrastructure relied heavily on malicious JavaScript linked through a file named nice.js. This script initiated a layered download mechanism, starting with JSON responses containing chained URLs, which eventually redirected victims to the final malicious installer.
One notable case involved a counterfeit DeepL translation software installer, which packaged both the legitimate application and embedded malware.
Upon execution, the installer elevated privileges and dropped multiple files, including the malicious EnumW.dll. This DLL triggered a sophisticated infection process, conducting anti-analysis checks to evade sandboxes and virtualized environments.
For instance, it validated whether its parent process was msiexec.exe, performed sleep integrity checks against time skipping, and queried ACPI firmware tables to detect virtualization.
If these checks were satisfied, EnumW.dll reconstructed a malicious archive (emoji.dat) that contained further files used to escalate the attack.
Next, the malware deployed 749ju.exe to side-load vstdlib.dll. This DLL established persistence through multiple techniques, including registry modifications, TypeLib hijacking, and the creation of malicious startup shortcuts.
To evade detection, it deployed countermeasures such as excessive memory allocations if security software like 360 Total Security was present, effectively stalling analysis tools.
The payload contained modules for persistence, monitoring, and command-and-control (C2) communication. The Heartbeat module extracted system details, user credentials, and the presence of antivirus software while generating mutexes to ensure only one active instance.
The Monitor module gathered environment information, foreground window data, and checked whether persistence mechanisms were intact.
Encrypted data packets were transmitted to attacker-controlled C2 servers using AES encryption keys generated from system timestamps.
Supported C2 commands ranged from executing arbitrary plugins, updating configurations and reconnecting to C2 infrastructure, to hijacking cryptocurrency wallets, targeting Ethereum and Tether in particular.
Further capabilities included keystroke logging, clipboard monitoring, and poisoning Telegram-related services with specialized plugins such as DifferentScreen.bin and HighSpeedScreen.bin.
Evidence suggests the malware was a customized Winos variant, tailored for long-term persistence and active monitoring of infected systems.
Fortinet confirmed detections of the campaign under signatures such as W64/Agent.D31A!tr and W64/Agent.GOU!tr. Researchers warn users to verify domain authenticity carefully, even when downloading from high-ranking search results.
Organizations are advised to update signature protections, deploy network-level DNS filtering against known malicious domains, and enforce strict application whitelisting policies.
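The lookalike-domain pattern described earlier (brand names padded with extra tokens or altered by single-character substitutions) is the kind of signal the DNS filtering recommended above can act on. The following Python is an added detection example, not code from the article or from Fortinet; the brand allowlist, homoglyph table, and BIND-style query log lines are constructed assumptions.

```python
import re
BRANDS = {"deepl": {"deepl.com"}, "telegram": {"telegram.org", "t.me"}, "wps": {"wps.com"}}  # assumed allowlist
# Digit-for-letter substitutions commonly used in lookalike domains.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
LOG_RE = re.compile(r"query: (?P<qname>\S+?)\.? IN ")  # queried name in a BIND-style query log line

def registrable(qname):
    """Crude eTLD+1 (last two labels); production code would consult a public-suffix list."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):  # Levenshtein distance
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(qname):
    """Return (brand, reason) if qname looks like a lookalike of a protected brand, else None."""
    reg = registrable(qname)
    if any(reg in legit for legit in BRANDS.values()):
        return None  # the vendor's own domain, or a subdomain of it
    # Normalise the second-level label before comparing: te1egram -> telegram, rn -> m.
    norm = reg.split(".")[0].translate(HOMOGLYPHS).replace("rn", "m")
    for brand in BRANDS:
        if brand in norm:  # brand name padded with extra tokens, e.g. "<brand>-download"
            return (brand, "brand-token")
        # One edit away from the brand; short brands are skipped so "vps" is not flagged as "wps".
        if len(brand) >= 5 and edit_distance(norm, brand) <= 1:
            return (brand, "near-miss")
    return None

def scan(log_lines):
    """Return (qname, brand, reason) for every flagged query in the log."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and (verdict := classify(m.group("qname"))):
            hits.append((m.group("qname"), *verdict))
    return hits

# Constructed BIND-style query log lines; the domains are invented, not real indicators.
SAMPLE_LOG = [
    "client 10.0.0.5#53211 (www.deepl.com): query: www.deepl.com IN A +",
    "client 10.0.0.5#53212 (deepl-downloads.example): query: deepl-downloads.example IN A +",
    "client 10.0.0.7#49001 (te1egram-desktop.example): query: te1egram-desktop.example IN A +",
    "client 10.0.0.9#40110 (vps-host.example): query: vps-host.example IN A +",
]
```

Hits from `scan` are candidates for review or blocking, not verdicts; the near-miss rule in particular should be tuned against a baseline of the organisation's normal DNS traffic before it feeds a blocklist.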
This campaign underscores the growing trend of SEO poisoning as a primary malware delivery mechanism. By embedding threats in legitimate-looking installers, attackers are increasingly bypassing traditional user scrutiny, making advanced threat detection solutions critical for defense.
The post Rise of SEO Poisoning – Malicious Websites Target Windows Users With Weaponized Software Downloads appeared first on Cyber Security News.