HiddenGh0st, Winos and kkRAT Exploit SEO, GitHub Pages in Chinese Malware Attacks
Briefly

Chinese-speaking users are the target of a search engine optimization (SEO) poisoning campaign that uses fake software sites to distribute malware. "The attackers manipulated search rankings with SEO plugins and registered lookalike domains that closely mimicked legitimate software sites," Fortinet FortiGuard Labs researcher Pei Han Liao said. "By using convincing language and small character substitutions, they tricked victims into visiting spoofed pages and downloading malware."
"A script named nice.js controls the malware delivery process on these sites," Fortinet explained. "The script follows a multi-step chain: it first calls a download link that returns JSON data, which includes a secondary link. That secondary link then points to another JSON response containing a link that redirects to the final URL of the malicious installer."
Chinese-speaking users are being targeted by an SEO poisoning campaign that uses fake software download sites and lookalike domains to distribute malware. Attackers manipulated search rankings with SEO plugins and subtle character substitutions to lure victims to trojanized installers for popular tools such as DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp and WPS Office. A JavaScript component named nice.js orchestrates a multi-step JSON redirect chain that ultimately delivers the malicious installer. The installer embeds EnumW.dll, which performs anti-analysis checks and extracts vstdlib.dll to inflate memory usage and hinder analysis. The campaign installs HiddenGh0st and Winos/ValleyRAT, variants of Gh0st RAT. Winos is associated with the Silver Fox cybercrime group active since at least 2022. The activity was discovered in August 2025.
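As an added defender-side illustration (not code from the article or from Fortinet), the check below flags domains that mimic the legitimate sites of the software named above through a single edit or a visually confusable character swap, the "small character substitutions" the researchers describe. The legitimate domain list is an assumption about the vendors' real sites, and every flagged input is constructed for the example, not an indicator from the campaign.

```python
# Legitimate registrable domains of the software brands named in the article.
# Assumed vendor domains, not values taken from the article.
LEGIT_DOMAINS = ["deepl.com", "google.com", "signal.org",
                 "telegram.org", "whatsapp.com", "wps.com"]

# Character sequences that render almost identically in an address bar.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def normalize_confusables(label: str) -> str:
    """Map visually similar sequences to their canonical characters."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude registrable-domain extraction: last two labels.
    Sufficient for the simple TLDs in LEGIT_DOMAINS."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def lookalike_of(domain: str, max_distance: int = 1):
    """Return the legitimate domain `domain` appears to impersonate, or None.
    Flags confusable substitutions, TLD swaps and one-edit typos; short brand
    names (e.g. "wps") will naturally match more candidates at distance 1."""
    reg = registrable(domain)
    if reg in LEGIT_DOMAINS:
        return None
    name = reg.rsplit(".", 1)[0]
    for legit in LEGIT_DOMAINS:
        lname = legit.rsplit(".", 1)[0]
        if normalize_confusables(name) == lname:
            return legit
        if levenshtein(name, lname) <= max_distance:
            return legit
    return None


if __name__ == "__main__":
    # Constructed sample observations, not real campaign indicators.
    for seen in ["deep1.com", "te1egram.org", "whatsapp.com", "signa1.org"]:
        print(seen, "->", lookalike_of(seen))
```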
Read at The Hacker News