
A cybercriminal organization known as Black Cat is believed to be involved in search engine optimization (SEO) poisoning campaigns that use fraudulent sites promoting popular software to trick users into downloading backdoors that can steal sensitive data.
According to a report published by the China National Computer Network Emergency Response Technology Team/Coordination Center (CNCERT/CC) and Beijing Weiwu Online (also known as ThreatBook), the operation is strategically designed to push fake sites to the top of search results on search engines such as Microsoft Bing, specifically targeting users looking for programs such as Google Chrome, Notepad++, QQ International, and iTools.

“Users who visit these top phishing pages are directed to carefully constructed download pages where they attempt to download software installation packages bundled with malicious programs,” CNCERT/CC and ThreatBook said. “Once installed, the program embeds a backdoor Trojan horse without the user’s knowledge, allowing the attacker to steal sensitive data from the host computer.”
Black Cat has been active since at least 2022 and is credited with orchestrating a series of attacks aimed at data theft and remote control using malware distributed through SEO poisoning campaigns. In 2023, the group allegedly impersonated AICoin, a popular cryptocurrency trading platform, and stole at least $160,000 worth of cryptocurrencies.

In the latest round of attacks, users searching for Notepad++ are served a link to a convincing phishing site that poses as the program’s official site (“cn-notepadplusplus[.]com”). Other domains registered by Black Cat include “cn-obsidian[.]com”, “cn-winscp[.]com”, and “notepadplusplus[.]yeah”.
The presence of “cn” in the domain name indicates that the attackers are specifically targeting Chinese users who may be looking for such tools via search engines.
If an unsuspecting user clicks the “download” button on the fake site, they are redirected to a second URL that mimics GitHub (“github.zh-cns[.]top”), from which a ZIP archive is downloaded. Inside the ZIP file is an installer that creates a shortcut on the user’s desktop. This shortcut acts as the entry point to sideload a malicious DLL and launch the backdoor.

The malware connects to a hard-coded remote server (“sbido[.]com:2869”) and steals web browser data, logs keystrokes, harvests clipboard contents, and collects other valuable information from the compromised host.
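The indicators above lend themselves to a simple proxy-log check. The following is an added example, not code from the report or from this article: it runs over a few constructed log lines and flags destinations that match the reported domains, that embed a brand name without being that brand’s own registrable domain, or that are hostnames contacted on the reported C2 port. The log format and the brand-to-domain table are assumptions.

```python
import re

# Domains quoted in the CNCERT/CC / ThreatBook report (defanged in the article).
REPORTED_IOCS = {
    "cn-notepadplusplus.com", "cn-obsidian.com", "cn-winscp.com",
    "notepadplusplus.yeah", "github.zh-cns.top", "sbido.com",
}
C2_PORT = 2869  # port of the hard-coded C2 server named in the report

# Assumed table: brand token -> registrable domain the brand legitimately uses.
BRAND_HOMES = {
    "notepadplusplus": "notepad-plus-plus.org",
    "github": "github.com",
    "obsidian": "obsidian.md",
    "winscp": "winscp.net",
}

# Assumed log layout: "<timestamp> <source-ip> <host>:<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>[\w.-]+):(?P<port>\d+)")

def registrable(host):
    # Naive eTLD+1 (last two labels); sufficient for the brands listed above.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(host, port):
    """Return the reasons a destination looks suspicious (empty list = clean)."""
    reasons, h = [], host.lower()
    reg = registrable(h)
    if h in REPORTED_IOCS or reg in REPORTED_IOCS:
        reasons.append("reported-ioc")
    for token, home in BRAND_HOMES.items():
        if token in h and reg != home:      # brand name outside the brand's domain
            reasons.append(f"lookalike:{token}")
            break
    # TCP 2869 is also Windows' UPnP/ICSLAP port on LANs, so a bare port match
    # against an IP address is noisy; only hostnames on that port are flagged.
    if port == C2_PORT and re.search(r"[a-z]", h):
        reasons.append("c2-port")
    return reasons

def scan(log_text):
    """Yield (host, reasons) for every log line that raises at least one reason."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            reasons = classify(m["host"], int(m["port"]))
            if reasons:
                hits.append((m["host"], reasons))
    return hits

# Constructed sample lines: one legitimate download, three from the campaign,
# and one LAN UPnP connection that must not be flagged.
SAMPLE_LOG = """\
2025-07-10T09:12:01Z 10.0.0.5 notepad-plus-plus.org:443
2025-07-10T09:13:44Z 10.0.0.5 cn-notepadplusplus.com:443
2025-07-10T09:14:02Z 10.0.0.5 github.zh-cns.top:443
2025-07-10T09:15:30Z 10.0.0.5 sbido.com:2869
2025-07-10T09:16:11Z 10.0.0.5 192.168.1.1:2869
"""

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOG):
        print(host, ",".join(reasons))
```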
CNCERT/CC and ThreatBook noted that the Black Cat cybercrime syndicate compromised approximately 277,800 hosts across China between July 7 and 20, 2025, with a peak of 62,167 compromised machines in the country on a single day.
To reduce risk, users are advised not to click on links from unknown sources and to download software only from official or otherwise trusted sources.
