In recent reports, cybersecurity researchers from Fortinet FortiGuard Labs and Zscaler ThreatLabz have uncovered a coordinated SEO poisoning campaign targeting Chinese-speaking Windows users. Attackers registered look-alike domains mimicking popular software sites and manipulated search engine rankings via SEO plugins to push fake download pages for apps like DeepL Translate, Chrome, Signal, Telegram, WhatsApp, and WPS Office. These spoofed pages deliver trojanised installers that include RATs (Remote Access Trojans) such as HiddenGh0st (a variant of Gh0st RAT), Winos, FatalRAT, and a newer threat called kkRAT. Unlike purely fake sites, some of these malicious installers are even hosted via GitHub Pages, leveraging the platform’s credibility. The RATs are designed for stealth: evading detection (including disabling or bypassing antivirus tools), carrying out crypto-wallet hijacking via clipboard manipulation, monitoring user activity, and enabling remote control.
Sources: Hacker News, Fortinet
Key Takeaways
– Attackers are combining SEO poisoning with lookalike domains to lure users into downloading fake, malicious installers, making use of small character substitutions to mimic legitimate sites.
– Multiple Remote Access Trojans (HiddenGh0st, Winos, FatalRAT, kkRAT) are being deployed, often packaged within seemingly legitimate software installers; these RATs are capable of disabling antivirus tools, hijacking crypto wallets, logging keystrokes, monitoring screens, and maintaining persistence.
– GitHub Pages is being abused as a hosting platform for malware-laden content due to its trust status; this allows malicious actors to host phishing and trojanised content in a place many users consider safer, complicating detection and takedown efforts.
In-Depth
In the shadowy corners of the web, a sophisticated malware campaign is underway, blending technical cunning with psychological manipulation to ensnare unsuspecting users—particularly among Chinese-speaking Windows users. The modus operandi leverages SEO poisoning: attackers create fake sites that closely resemble legitimate software download pages, manipulate search results through SEO tools and plugins, and use lookalike domain names with tiny typographical tweaks. When users search for trusted apps—DeepL Translate, Chrome, Signal, etc.—they may be directed to these malicious pages instead of the real ones. The download offered appears authentic but inside lurks a remote access trojan (RAT) such as HiddenGh0st, Winos, FatalRAT, or the newer kkRAT.
What makes kkRAT especially dangerous is its blend of features: it deploys mechanisms to disable or bypass antivirus tools (some targeting popular ones like 360 Total Security), monitors clipboard content (for replacing cryptocurrency addresses), and offers remote monitoring tools and persistence. Researchers observed that even when antivirus software is present, the malware uses sophisticated evasion techniques—checking for sandbox or virtual machine environments, enforcing sleep or time-based checks, and using DLL loaders to mask actions. Perhaps most worrying is the use of GitHub Pages as a delivery vector: content hosted there inherits an aura of legitimacy, making detection harder and users more likely to trust it. The GitHub accounts used in these campaigns have often been terminated post-detection, but damage can be done in the moments before takedown.
Defensive posture must adapt: users should always double-check domain names (watch for subtle misspellings), prefer official websites or verified sources for downloads, keep antivirus definitions and systems updated, and consider using sandboxed or virtual environments for testing new software. Meanwhile, platforms like GitHub and search engines will need to bolster detection of fraudulent content and poisoned SEO to limit exposure.